
Re: iptables question



Michael Milliman wrote:

> Again, posting the exact ruleset would be helpful.

These are the rules; a friend created them about 10 years ago. I added a few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore 192.168.60.1 on eth2; it is not used.

Another piece of information that may be important is that the modem is
configured to have a DMZ with 10.0.0.1.

Devices 10.0.0.6 and 10.0.0.7, which I want to connect to from 192...., do not
have any firewalls; they are mobile phones.

I would really appreciate your help, perhaps reviewing the rules and
suggesting improvements as well.

Thank you in advance.

Regards

# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*nat
:PREROUTING ACCEPT [26000:2533530]
:POSTROUTING ACCEPT [87:4966]
:OUTPUT ACCEPT [28:2038]
-A PREROUTING -s 127.0.0.0/8 -j ACCEPT
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.40.40:80
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.40.40:443
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.40.40:22222
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 64371 -j DNAT --to-destination 192.168.40.40:11371
-A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -s 192.168.60.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -s 127.0.0.0/8 -o eth1 -j ACCEPT
-A POSTROUTING -s 127.0.0.0/8 -o eth2 -j ACCEPT
COMMIT
# Completed on Sun Nov 13 15:57:01 2016
# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*mangle
:PREROUTING ACCEPT [234697:66952234]
:INPUT ACCEPT [12588:1180664]
:FORWARD ACCEPT [222077:65769320]
:OUTPUT ACCEPT [11465:1137886]
:POSTROUTING ACCEPT [233484:66847418]
COMMIT
# Completed on Sun Nov 13 15:57:01 2016
# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -i lo -j ACCEPT
-A ifilter -s 127.0.0.0/8 -i eth1 -j ACCEPT
-A ifilter -s 127.0.0.0/8 -i eth2 -j ACCEPT
-A ifilter -s 127.0.0.0/8 ! -i lo -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK ( int -> lo) -- "
-A ifilter -s 127.0.0.0/8 ! -i lo -j DROP
-A ifilter -s 0.0.0.0/8 -i eth0 -j DROP
-A ifilter -s 127.0.0.0/8 -i eth0 -j DROP
-A ifilter -s 224.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 224.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 224.0.0.0/8 -j DROP
-A ifilter -s 225.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 225.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 225.0.0.0/8 -j DROP
-A ifilter -s 226.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 226.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 226.0.0.0/8 -j DROP
-A ifilter -s 227.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 227.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 227.0.0.0/8 -j DROP
-A ifilter -s 228.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 228.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 228.0.0.0/8 -j DROP
-A ifilter -s 229.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 229.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 229.0.0.0/8 -j DROP
-A ifilter -s 230.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 230.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 230.0.0.0/8 -j DROP
-A ifilter -s 231.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 231.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 231.0.0.0/8 -j DROP
-A ifilter -s 232.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 232.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 232.0.0.0/8 -j DROP
-A ifilter -s 233.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 233.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 233.0.0.0/8 -j DROP
-A ifilter -s 234.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 234.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 234.0.0.0/8 -j DROP
-A ifilter -s 235.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 235.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 235.0.0.0/8 -j DROP
-A ifilter -s 236.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 236.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 236.0.0.0/8 -j DROP
-A ifilter -s 237.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 237.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 237.0.0.0/8 -j DROP
-A ifilter -s 238.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 238.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 238.0.0.0/8 -j DROP
-A ifilter -s 239.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 239.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 239.0.0.0/8 -j DROP
-A ifilter -s 240.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 240.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 240.0.0.0/8 -j DROP
-A ifilter -s 241.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 241.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 241.0.0.0/8 -j DROP
-A ifilter -s 242.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 242.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 242.0.0.0/8 -j DROP
-A ifilter -s 243.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 243.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 243.0.0.0/8 -j DROP
-A ifilter -s 244.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 244.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 244.0.0.0/8 -j DROP
-A ifilter -s 245.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 245.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 245.0.0.0/8 -j DROP
-A ifilter -s 246.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 246.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 246.0.0.0/8 -j DROP
-A ifilter -s 247.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 247.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 247.0.0.0/8 -j DROP
-A ifilter -s 248.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 248.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 248.0.0.0/8 -j DROP
-A ifilter -s 249.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 249.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 249.0.0.0/8 -j DROP
-A ifilter -s 250.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 250.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 250.0.0.0/8 -j DROP
-A ifilter -s 251.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 251.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 251.0.0.0/8 -j DROP
-A ifilter -s 252.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 252.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 252.0.0.0/8 -j DROP
-A ifilter -s 253.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 253.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 253.0.0.0/8 -j DROP
-A ifilter -s 254.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 254.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 254.0.0.0/8 -j DROP
-A ifilter -s 255.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 255.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 255.0.0.0/8 -j DROP
-A ifilter -d 192.168.40.40/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A ifilter -d 192.168.40.40/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A ifilter -d 192.168.40.40/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A ifilter -d 192.168.40.40/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 11371 -j ACCEPT
-A ifilter -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A ifilter -i tun0 -j ACCEPT
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A ifilter -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A ifilter -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A ifilter -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A ifilter -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A ifilter -m limit --limit 1/min -j LOG --log-prefix " -- FORWARD: "
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
-A ifilter -i eth2 -m state --state NEW -j ACCEPT
-A ifilter -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (EXT-PKG) -- "
-A ifilter -j DROP
-A ofilter -s 192.168.40.0/24 -o eth0 -m state --state NEW -j ACCEPT
-A ofilter -s 192.168.60.0/24 -o eth0 -m state --state NEW -j ACCEPT
-A ofilter -o lo -j ACCEPT
-A ofilter -d 127.0.0.0/8 -o eth1 -j ACCEPT
-A ofilter -d 127.0.0.0/8 -o eth2 -j ACCEPT
-A ofilter ! -s 127.0.0.0/8 -i eth1 -j LOG --log-prefix " -- BLOCK (int->lo) -- " --log-level 6
-A ofilter ! -s 127.0.0.0/8 -i eth1 -j DROP
-A ofilter ! -s 127.0.0.0/8 -i eth2 -j LOG --log-prefix " -- BLOCK (int2->lo) -- " --log-level 6
-A ofilter ! -s 127.0.0.0/8 -i eth2 -j DROP
-A ofilter -d 172.16.0.0/12 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 172.16.0.0/12 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 169.254.0.0/16 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 169.254.0.0/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 192.0.2.0/24 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 192.0.2.0/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 198.0.0.0/8 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 198.0.0.0/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 192.168.0.0/16 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 192.168.0.0/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 127.0.0.0/8 -o eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (ROUTING) --"
-A ofilter -d 127.0.0.0/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 172.16.0.0/12 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 172.16.0.0/12 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 169.254.0.0/16 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 169.254.0.0/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 192.0.2.0/24 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 192.0.2.0/24 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 198.0.0.0/8 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 198.0.0.0/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 192.168.0.0/16 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 192.168.0.0/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 127.0.0.0/8 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 127.0.0.0/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -d 224.0.0.0/4 -i eth0 -j LOG --log-prefix " -- REJECT (IF/IP 1) -- "
-A ofilter -d 224.0.0.0/4 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A ofilter ! -d 10.0.0.1/32 -i eth0 -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK (IF/IP 2) -- "
-A ofilter ! -d 10.0.0.1/32 -i eth0 -j DROP
-A ofilter -o tun0 -j ACCEPT
-A ofilter -i eth0 -p udp -m udp --dport 7 -j DROP
-A ofilter -i eth0 -p tcp -m tcp --dport 7 -j DROP
-A ofilter -o eth0 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A ofilter ! -s 192.168.40.40/32 -o eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p tcp -m tcp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
-A ofilter -o eth0 -p udp -m udp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
-A ofilter ! -s 192.168.40.0/24 -i eth1 -m limit --limit 3/min -j LOG --log-prefix "OUTFILTER not our IP: " --log-level 6
-A ofilter ! -s 192.168.40.0/24 -i eth1 -j DROP
-A ofilter ! -s 192.168.60.1/32 -i eth2 -m limit --limit 3/min -j LOG --log-prefix "OUTFILTER not our IP: " --log-level 6
-A ofilter ! -s 192.168.60.1/32 -i eth2 -j DROP
-A ofilter -j ACCEPT
COMMIT
# Completed on Sun Nov 13 15:57:01 2016
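Added example, not part of the poster's mail or the list thread: a small Python tracer over a constructed subset of the posted rules (same iptables-save syntax, same relative order) that walks a packet through FORWARD the way iptables does. It assumes only standard iptables semantics: ACCEPT, DROP and REJECT inside a user-defined chain end the packet's traversal, LOG does not, and a chain that runs out of rules returns to its caller; the packet dicts are constructed, and the matcher covers only the options this subset uses. Because ifilter ends with an unconditional `-j DROP`, the `-A FORWARD -j ofilter` rule is never reached, so ofilter applies to locally generated (OUTPUT) traffic only.

```python
import ipaddress
import shlex
RULES = """
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A ifilter -d 192.168.40.40/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -m limit --limit 1/min -j LOG --log-prefix " -- FORWARD: "
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
-A ifilter -j DROP
-A ofilter -d 192.168.0.0/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
"""  # constructed subset of the posted rules: same iptables-save syntax and relative order
NARGS = dict.fromkeys("-s -d -i -o -p -m -j --state --dport --limit --log-prefix --log-level --reject-with".split(), 1)

def parse(text):  # -> {chain: [rule, ...]}; a rule is [(option, negated, args), ...] in written order
    chains = {}
    for line in text.strip().splitlines():
        toks, i, opts = shlex.split(line), 2, []
        while i < len(toks):
            neg = toks[i] == "!"  # "! -s 127.0.0.0/8" style negation
            opt = toks[i + neg]
            opts.append((opt, neg, toks[i + neg + 1:i + neg + 1 + NARGS[opt]]))
            i += neg + 1 + NARGS[opt]
        chains.setdefault(toks[1], []).append(opts)
    return chains

def match(opt, neg, args, pkt):  # one option against a packet dict; -m, --limit and LOG/REJECT options always match
    checks = {
        "-s": lambda: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(args[0]),
        "-d": lambda: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(args[0]),
        "-i": lambda: pkt.get("iif") == args[0], "-o": lambda: pkt.get("oif") == args[0],
        "-p": lambda: pkt["proto"] == args[0], "--dport": lambda: pkt.get("dport") == int(args[0]),
        "--state": lambda: pkt["state"] in args[0].split(","),
    }
    return checks.get(opt, lambda: True)() != neg

def trace(chains, chain, pkt, log):  # ACCEPT/DROP/REJECT end traversal, LOG continues, running off the end returns None
    for opts in chains.get(chain, []):
        if all(match(o, n, a, pkt) for o, n, a in opts):
            target = next(a[0] for o, _, a in opts if o == "-j")
            if target in ("ACCEPT", "DROP", "REJECT"):
                log.append(f"{chain}: {target}")
                return target
            if target == "LOG":
                log.append(next(a[0] for o, _, a in opts if o == "--log-prefix").strip())
            elif verdict := trace(chains, target, pkt, log):  # user-defined chain; None means it RETURNed
                return verdict

LAN_TO_PHONE = dict(src="192.168.40.10", dst="10.0.0.6", iif="eth1", oif="eth0", proto="tcp", dport=80, state="NEW")  # constructed: LAN host -> phone behind the modem
PHONE_REPLY = dict(src="10.0.0.6", dst="192.168.40.10", iif="eth0", oif="eth1", proto="tcp", dport=51000, state="ESTABLISHED")  # constructed: the phone's reply
```

`trace(parse(RULES), "FORWARD", pkt, log)` returns the verdict and fills `log` with the LOG prefixes and the chain that decided; a packet that is neither accepted nor rejected by ifilter never exists, which is why the ofilter REJECT rule for `-d 192.168.0.0/16 -i eth0` can never fire on forwarded traffic.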

