Firewall-troubleshooting
Hi
I need help understanding what goes wrong in this script. I cannot ping
anyone and cannot resolve as well. In fact I believe the only thing I can
get is an ip address from my isp's dhcp server.
Best Regards
kc
## FIREWALL ##
## Symbolic Constants
CONNECTION_TRACKING="1"
LOCAL="eth0"
INTERNET="eth1"
LOOPBACK_INTERFACE="lo"
MY_ISP="24.0.0.0/8"
LOOPBACK="127.0.0.0/8"
IPADDR=`ifconfig eth1|awk '/inet/{print $2}'|awk -F ':' '{print $2}'`
INTERNAL_IP=`ifconfig eth0|awk '/inet/{print $2}'|awk -F ':' '{print $2}'`
LOCAL_NET="192.168.3.0/24"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
SUBNET_BASE="192.168.3.0"
SUBNET_BROADCAST="192.168.3.255"
## Hosts
DESKTOP="host2"
DESKTOP2="host"
WWW="host3"
#MAIL="192.168.2.5"
#IRC="192.168.2.40"
#IMAP_CLIENTS="continued... "
TIME_SERVER="time.server.address"
HOSTS_PING="isp subnet"
NAMESERVER="nameserver1"
DHCP_SERVER="dhcp-server1"
## PORTS
IRC_PORT="6667"
WEB_PORT="80"
SSL_PORT="443"
SSH_PORTS="445"
DK_PORT="4660"
XWINDOW_PORTS="6000:6063"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
## Private Class Networks
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
## Flush the chains of all rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
echo "Flushed rules for all chains"
## Show Internal and External Addresses and enable forwarding
echo "External IP " $IPADDR
echo "Internal IP " $INTERNAL_IP
#echo "1" > /proc/sys/net/ipv4/ip_forward
## Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## Disable Source Routed Packets
for p in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $p
done
## Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## Disable ICMP Redirect Acceptance
# A redirect message SHOULD be silently discarded if the new gateway
address it specifies is not on the same subnet that it came from.
for p in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $p
done
## Don't send redirect Messages
for p in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $p
done
## Drop Spoofed Packets coming in on an interface, to which a reply would
result in going out a different interface.
for p in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $p
done
## Log packets with impossible addresses.
for p in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $p
done
## Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
##### POLICY #####
## Default Policy
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy OUTPUT DROP
iptables -t nat --policy POSTROUTING DROP
iptables -t mangle --policy PREROUTING DROP
iptables -t mangle --policy OUTPUT DROP
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# DNS
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d
$NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR
--dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET -tcp -s $IPADDR --sport $UNPRIVPORTS -d
$NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $NAMESERVER --sport 53 -d
$IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport 53 -d $NAMESERVER
--dport 53 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR
--dport 53 -j ACCEPT
### STEALTH SCAN POLICY ###
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
## Refuse packets from the following ban list
## example
iptables -I INPUT -i $INTERNET -s 72.21.42.186 -j DROP
#iptables -I INPUT -i $INTERNET -s address/mask -j DROP
## Packet State Validation
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID
input: "
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID
output: "
iptables -A OUTPUT -m state --state INVALID -j DROP
fi
## DROP spoofed packets pretending to be from your external IP address
iptables -A INPUT -i $INTERNET -s $IPADDR -j DROP
## Accessing Remote Web Sites as a client -- with Parental Control --
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 80 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 80 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 80 -d $IPADDR --dport
$UNPRIVPORTS -j ACCEPT
## Allowing Remote Access to a Local Webserver
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 80 -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 80 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 80
--dport $UNPRIVPORTS -j ACCEPT
## Refuse packets coming from private networks...
iptables -A INPUT -i $INTERNET -s $CLASS_A -j DROP
iptables -A INPUT -i $INTERNET -s $CLASS_B -j DROP
iptables -A INPUT -i $INTERNET -s $CLASS_C -j DROP
## Refuse packets from loopback interface
iptables -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
## Refuse broadcast packets
# block for internal network later
iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG
iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP
## Refuse directed broadcasts
# block for internal network later
iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
## Refuse Limited Broadcasts
iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
## Refuse Class D multicast addresses
iptables -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT
## Refuse Class E reserved IP addresses
iptables -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
## Refuse addresses defined as reserved by IANA
iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
# above rule creates difficulty with DHCP
iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
## Blocking incoming connections to X-Window server
iptables -A INPUT -i $INTERNET -p tcp ! --syn --destination-port
$XWINDOW_PORTS -j DROP
## DNS Requests (Lookup)
echo " DNS lookup"
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d
$NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d
$NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR
--dport $UNPRIVPORTS -j ACCEPT
## Local SMTP sending and receiving mail
echo " Local SMTP "
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 25 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 25 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 25 -d $IPADDR --dport
$UNPRIVPORTS -j ACCEPT
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 25 -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 25 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 25
--dport $UNPRIVPORTS -j ACCEPT
## Local IMAP server
echo " IMAP server"
#if [ "CONNECTION_TRACKING" = "1" ]; then
# iptables -A INPUT -i $INTERNET -p tcp -s $IMAP_CLIENTS --sport
$UNPRIVPORTS -d $IPADDR --dport 143 -m state --state NEW -j ACCEPT
#fi
#iptables -A INPUT -i $INTERNET -p tcp -s $IMAP_CLIENTS --sport
$UNPRIVPORTS -d $IPADDR --dport 143 -j ACCEPT
#iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 143 -d
$IMAP_CLIENTS --dport $UNPRIVPORTS -j ACCEPT
## SSH ACCESS -- use tcpwrappers -- change destination port
#if [ "CONNECTION_TRACKING" = "1" ]; then
#iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS -d $IPADDR
--dport 22 -m state --state NEW -j ACCEPT
#fi
#iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS -d $IPADDR
--dport 22 -j ACCEPT
#iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 22
--dport $SSH_PORTS -j ACCEPT
#if [ "CONNECTION_TRACKING" = "1"]; then
# iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $SSH_PORTS
-dports 22 -m state --state NEW -j ACCEPT
#fi
#iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $SSH_PORTS
--dport 22 -j ACCEPT
#iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 22 -d $IPADDR
--dport $SSH_PORTS -j ACCEPT
## Accessing Remote Web Sites over SSL or TLS as a Client
echo " ACCESS to SSL or TLS"
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 443 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 443 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 443 -d $IPADDR
--dport $UNPRIVPORTS -j ACCEPT
## Allowing Remote Access to a Local SSL or TLS Web Server
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 443 -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS -d $IPADDR
--dport 443 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn -s $IPADDR --sport 443
--dport $UNPRIVPORTS -j ACCEPT
## Allowing whois
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 43 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS
--dport 43 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 43 -d $IPADDR --dport
$UNPRIVPORTS -j ACCEPT
## Enable outgoing traceroute requests
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport
$TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
## DHCP client to remote server
# Initialization or rebinding - no lease or least time expired
iptables -A OUTPUT -o $INTERNET -p udp -s $BROADCAST_SRC --sport 68 -d
$BROADCAST_DEST --dport 67 -j ACCEPT
# Incoming DHCPOFFER from DHCP servers
iptables -A INPUT -i $INTERNET -p udp -s $BROADCAST_SRC --sport 67 -d
$BROADCAST_DEST --dport 68 -j ACCEPT
# reconfirm ip address
iptables -A OUTPUT -o $INTERNET -p udp -s $BROADCAST_SRC --sport 68 -d
$DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 -d
$BROADCAST_DEST --dport 68 -j ACCEPT
# allow incoming packets destined to subnet address
iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 --dport 68
-j ACCEPT
# Lease renewal
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport 68 -d
$DHCP_SERVER --dport 67 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $DHCP_SERVER --sport 67 -d $IPADDR
--dport 68 -j ACCEPT
## NTP access
echo " NTP ACCESS"
if [ "CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d
$TIME_SERVER --dport 123 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d
$TIME_SERVER --dport 123 -j ACCEPT
iptables -A INPUT -i $INTERNET -p udp -s $TIME_SERVER --sport 123 -d
$IPADDR --dport $UNPRIVPORTS -j ACCEPT
## drop fragmented icmp messages
echo "ICMP FILTERING"
iptables -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix
"Fragmented ICMP: "
iptables -A INPUT -i $INTERNET --fragment -p icmp -j DROP
## Accept Source Quench control Type 4
iptables -A INPUT -i $INTERNET -p icmp --icmp-type source-quench -d $IPADDR
-j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type
source-quench -j ACCEPT
## Pramater problem status Type 12
iptables -A INPUT -i $INTERNET -p icmp --icmp-type parameter-problem -d
$IPADDR -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type
parameter-problem -j ACCEPT
## Destination Unreachable Error Type 3
iptables -A INPUT -i $INTERNET -p icmp --icmp-type destination-unreachable
-d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type
fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type
destination-unreachable -j DROP
iptables -A INPUT -i $INTERNET -p icmp --icmp-type time-exceeded -d $IPADDR
-j ACCEPT
## Outgoing ping to Remote hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p icmp --icmp-type echo-request -m state
--state NEW -j ACCEPT
fi
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
## Allowing incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i $INTERNET -p icmp -s $HOSTS_PING --icmp-type
echo-request -d $IPADDR -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -p icmp -s $HOSTS_PING --icmp-type
echo-request -d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type echo-reply
-d $HOSTS_PING -j ACCEPT
#### LOGS @@@@@@
echo " STARTING LOGS"
iptables -A INPUT -i $INTERNET -j LOG
iptables -A INPUT -i $INTERNET -p icmp --icmp-type ! 8 -d $IPADDR -j LOG
--log-prefix "ICMP input: "
iptables -A INPUT -i $INTERNET -p tcp -d $IPADDR --dport $PRIVPORTS -j LOG
--log-prefix "Private input: "
iptables -A INPUT -i $INTERNET -p tcp -d $IPADDR --dport 20:460 -j LOG
--log-prefix "Active input: "
iptables -A OUTPUT -o $INTERNET -j LOG --log-prefix "All output: "
echo "Starting to LOG "
#echo "Enabling ARP Caching"
#echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
#echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo "Enable TCP Explicit Congestion Notification"
echo "1" > /proc/sys/net/ipv4/tcp_ecn
#disable packets with routing information
#echo "Disabling source routing"
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
# echo "0" > $i;
#done
#echo "Enabling Invalid Packet Rejection"
#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $i;
#done
#echo "Setting up ICMP Stuff"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_redirects
#echo "Enabling SYN Cookies"
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#reduce timeout to kill stale connections (prevent DOS)
#echo "Setting connection timeouts"
#echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
#echo 0 > /proc/sys/net/ipv4/tcp_sack
#echo "Enabling AntiPortscanning Rules"
#echo "*NULL Scan"
#iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
#echo "*NMAP FIN/URG/PSH (Xmas scan)"
#iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#echo "*SYN/RST Scan"
#iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#echo "*SYN/FIN Scan"
#iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
#iptables -A FORWARD -s 192.168.3.0/24 -d 0/0 -i $LOCAL -j ACCEPT
#iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 80 -j DNAT
--to $WWW:80
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6112 -j DNAT
--to $WWW:22
#iptables -t nat -A PREROUTING -p udp -d $EXTERNAL_IP --dport 4660 -j DNAT
--to $DESKTOP:4660
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 4660 -j DNAT
--to $DESKTOP:4660
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 4661 -j DNAT
--to $DESKTOP2:4661
#iptables -t nat -A PREROUTING -p udp -d $EXTERNAL_IP --dport 4661 -j DNAT
--to $DESKTOP2:4661
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 81 -j DNAT
--to $DESKTOP:22
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 6667 -j DNAT
--to $IRC:6667
#iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 215 -j DNAT
--to $DESKTOP:22
#hosts deni
#iptables -A INPUT -p tcp --dport 6667 -j DENY
#iptables -A INPUT -s 24.112.11.162 -p tcp --dport 6667 -j ACCEPT
#iptables -A INPUT -s
Reply to: