Firewall - Debian
-
Firewall
Hello,
new to this place, so Hi everyone.
I run a few servers on my network and am having problems with my firewall.
I am finishing up my imap server but I can't connect to it, the error my
firewall spits out is that it is a
spoofed MAC address (on the server side). I can connect to the local
addresses but not to anything where it has to go through my fw.
I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
4 virtual IPs on this server, for intra(extra)nets.
My firewall is Astaro Security Linux 6.
My question is what is a good firewall these days, because I have about
had it with this one.
Thanx
Chris
--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-
Re: Firewall
On Fri, 2006-07-21 at 00:55 -0600, Chris Davies wrote:
> Hello,
> new to this place, so Hi everyone.
>
> I run a few servers on my network and am having problems with my firewall.
> I am finishing up my imap server but I can't connect to it, the error my
> firewall spits out is that it is a
> spoofed MAC address (on the server side). I can connect to the local
> addresses but not to anything where it has to go through my fw.
> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
> 4 virtual IPs on this server, for intra(extra)nets.
> My firewall is Astaro Security Linux 6.
> My question is what is a good firewall these days, because I have about
> had it with this one.
Maybe have a look at FireHOL? I've been using it for a year or so and it
works pretty well.
cheers
Shane
-
Re: Firewall
The output of the command "iptables-save" would be useful to us. As
would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
The actual error messages would be useful as well.
If you don't want to fix it, which would be contrary to the fact that
you told us all about it, there are a number of other Linux or
FreeBSD/OpenBSD firewall projects -- google can help you find the way.
If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
checkpoint are quite common. I don't care for Watchguard, SonicWall, or
other firewall vendors much.
Chris Davies wrote:
> Hello,
> new to this place, so Hi everyone.
>
> I run a few servers on my network and am having problems with my firewall.
> I am finishing up my imap server but I can't connect to it, the error my
> firewall spits out is that it is a
> spoofed MAC address (on the server side). I can connect to the local
> addresses but not to anything where it has to go through my fw.
> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
> 4 virtual IPs on this server, for intra(extra)nets.
> My firewall is Astaro Security Linux 6.
> My question is what is a good firewall these days, because I have about
> had it with this one.
>
> Thanx
> Chris
>
>
--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/
-
Re: Firewall
Jesse Molina wrote:
>
> The output of the command "iptables-save" would be useful to us. As
> would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
>
> The actual error messages would be useful as well.
>
> If you don't want to fix it, which would be contrary to the fact that
> you told us all about it, there are a number of other Linux or
> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
> checkpoint are quite common. I don't care for Watchguard, SonicWall,
> or other firewall vendors much.
>
>
>
> Chris Davies wrote:
>> Hello,
>> new to this place, so Hi everyone.
>>
>> I run a few servers on my network and am having problems with my
>> firewall.
>> I am finishing up my imap server but I can't connect to it, the error my
>> firewall spits out is that it is a
>> spoofed MAC address (on the server side). I can connect to the local
>> addresses but not to anything where it has to go through my fw.
>> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
>> 4 virtual IPs on this server, for intra(extra)nets.
>> My firewall is Astaro Security Linux 6.
>> My question is what is a good firewall these days, because I have about
>> had it with this one.
>>
>> Thanx
>> Chris
>>
>>
>
Message from log --->
2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*nat
:AUTO_OUTPUT - [0:0]
:AUTO_POST - [0:0]
:AUTO_PRE - [0:0]
:PREROUTING ACCEPT [684764:90790281]
:POSTROUTING ACCEPT [810702:54559262]
:OUTPUT ACCEPT [38180:5648519]
:USR_OUTPUT - [0:0]
:USR_POST - [0:0]
:USR_PRE - [0:0]
-A PREROUTING -j AUTO_PRE
-A PREROUTING -j USR_PRE
-A POSTROUTING -j AUTO_POST
-A POSTROUTING -j USR_POST
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
80 -j DNAT --to-destination 192.168.1.110
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
-j DNAT --to-destination 192.168.1.100
-A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
6881 -j DNAT --to-destination 192.168.2.105
-A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
4444 -j DNAT --to-destination 192.168.2.105
-A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
-j DNAT --to-destination 192.168.1.110
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
DNAT --to-destination 192.168.1.100
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
-j DNAT --to-destination 192.168.2.105
-A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
-j DNAT --to-destination 192.168.2.105
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*ips
:PREROUTING ACCEPT [85268420:58804227617]
:INPUT ACCEPT [71920:73703193]
:FORWARD ACCEPT [18409:10865526]
:OUTPUT ACCEPT [51149:7744091]
:POSTROUTING ACCEPT [85257053:58524784864]
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*mangle
:INVALID_PKT - [0:0]
:POLICY_ROUTING_OUT - [0:0]
:POLICY_ROUTING_PRE - [0:0]
:PREROUTING ACCEPT [85268432:58804228448]
:INPUT ACCEPT [6933573:1948839077]
:FORWARD ACCEPT [78333312:56855205229]
:OUTPUT ACCEPT [7027235:1676138656]
:POSTROUTING ACCEPT [67282614:56180797304]
:SET_PRIO_HIGH - [0:0]
:SET_PRIO_LOW - [0:0]
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -j POLICY_ROUTING_PRE
-A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
-A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
-A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
-A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
--ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
-m udp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
--ulog-cprange 40 --ulog-qthreshold 50
-A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
-m tcp --sport 53:65535 --dport 53 -m u32 --u32
0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
"DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
-A OUTPUT -j POLICY_ROUTING_OUT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
50:100 -j SET_PRIO_HIGH
-A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
-A POSTROUTING -p icmp -j SET_PRIO_HIGH
-A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
-A SET_PRIO_HIGH -j ACCEPT
-A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
-A SET_PRIO_LOW -j ACCEPT
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*raw
:ICMP_FLOOD - [0:0]
:ICMP_FLOOD_DROP - [0:0]
:ICMP_FLOOD_DST - [0:0]
:ICMP_FLOOD_SRC - [0:0]
:LOCAL_TRAFFIC - [0:0]
:PREROUTING ACCEPT [144:6172]
:OUTPUT ACCEPT [913592:160544115]
:SYN_FLOOD - [0:0]
:SYN_FLOOD_DROP - [0:0]
:SYN_FLOOD_DST - [0:0]
:SYN_FLOOD_SRC - [0:0]
:UDP_FLOOD - [0:0]
:UDP_FLOOD_DROP - [0:0]
:UDP_FLOOD_DST - [0:0]
:UDP_FLOOD_SRC - [0:0]
-A ICMP_FLOOD -j ICMP_FLOOD_SRC
-A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A ICMP_FLOOD_DROP -j DROP
-A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
-A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
-A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
--hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
-A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A LOCAL_TRAFFIC -j NOTRACK
-A LOCAL_TRAFFIC -j ACCEPT
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A PREROUTING -p tcp -j SYN_FLOOD
-A PREROUTING -p udp -j UDP_FLOOD
-A PREROUTING -p icmp -j ICMP_FLOOD
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
-A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A SYN_FLOOD -j SYN_FLOOD_SRC
-A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A SYN_FLOOD_DROP -j DROP
-A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
--hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
-A SYN_FLOOD_DST -j SYN_FLOOD_DROP
-A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
--hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
-A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
-A UDP_FLOOD -j UDP_FLOOD_SRC
-A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
"UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
-A UDP_FLOOD_DROP -j DROP
-A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
--hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
-A UDP_FLOOD_DST -j UDP_FLOOD_DROP
-A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
--hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
-A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
# Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
*filter
:AUTO_FORWARD - [0:0]
:AUTO_INPUT - [0:0]
:AUTO_OUTPUT - [0:0]
:HA - [0:0]
:INPUT DROP [3:534]
:FORWARD DROP [0:0]
:INVALID_PKT - [0:0]
:LOGACCEPT - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:OUTPUT DROP [4:224]
:PSD_ACTION - [0:0]
:PSD_MATCH - [0:0]
:SANITY_CHECKS - [0:0]
:SPOOFING_PROTECTION - [0:0]
:SPOOF_DROP - [0:0]
:STRICT_TCP_STATE - [0:0]
:USR_FORWARD - [0:0]
:USR_INPUT - [0:0]
:USR_OUTPUT - [0:0]
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
-A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
--dport 22 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
-A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
-A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
53 -m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
-m owner --cmd-owner named -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
--cmd-owner exim -j CONFIRMED
-A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
514 -m owner --cmd-owner syslog-ng -j CONFIRMED
-A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
owner --cmd-owner netselect -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
--cmd-owner pattern_aus -j CONFIRMED
-A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
--cmd-owner wget -j CONFIRMED
-A INPUT -i lo -j ACCEPT
-A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A INPUT -m state --state RELATED -j CONFIRMED
-A INPUT -j SPOOFING_PROTECTION
-A INPUT -j HA
-A INPUT -j PSD_MATCH
-A INPUT -j SANITY_CHECKS
-A INPUT -j AUTO_INPUT
-A INPUT -j USR_INPUT
-A INPUT -j LOGDROP
-A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A FORWARD -m state --state RELATED -j CONFIRMED
-A FORWARD -j SPOOFING_PROTECTION
-A FORWARD -j PSD_MATCH
-A FORWARD -j SANITY_CHECKS
-A FORWARD -j AUTO_FORWARD
-A FORWARD -j USR_FORWARD
-A FORWARD -j LOGDROP
-A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
--ulog-qthreshold 50
-A INVALID_PKT -j DROP
-A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGACCEPT -j CONFIRMED
-A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGDROP -j DROP
-A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
--ulog-qthreshold 50
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
-A OUTPUT -m state --state RELATED -j CONFIRMED
-A OUTPUT -j HA
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -j LOGDROP
-A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
--ulog-qthreshold 50
-A PSD_ACTION -j DROP
-A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
--psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
-A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
-A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
-A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
--state INVALID -j REJECT --reject-with tcp-reset
-A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
-A STRICT_TCP_STATE -p tcp -j INVALID_PKT
-A STRICT_TCP_STATE -p tcp -j DROP
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 21 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 23 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
tcp --sport 1024:65535 --dport 143 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
-j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 110 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
1:65535 --dport 2703 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
143 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 20:21 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
80 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
1024:65535 --dport 443 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --dport 22 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
4444 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4242 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
4441 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
1:65535 -j CONFIRMED
-A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
-p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
-A USR_INPUT -d 192.168.2.255 -j DROP
-A USR_INPUT -d 192.168.1.255 -j DROP
-A USR_INPUT -d 255.255.255.255 -j DROP
COMMIT
# Completed on Fri Jul 21 01:30:07 2006
ip addr --->
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
********* end
ifconfig -a ----->
eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557 (2349.1 Mb)
Interrupt:169 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
inet addr:69.20.153.137 Bcast:69.20.153.143 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
collisions:294358 txqueuelen:1000
RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120 (1884.5 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054 (1445.8 Mb)
*************end
The purpose of listing my current config was to give anyone else an idea
of what I am now using (like to suggest just an iptables-based solution
vs a larger Cisco PIX box, which would be overkill for my use). I
would like to switch to a different one, but I would like some opinions
on what you have used and are happy with vs getting a beta and having
security breaches, or if you could help me fix this one I would be very
appreciative.
Chris
-
Re: Firewall
On 07/21/2006 8:49:50 AM +0100
Chris Davies said:
> The purpose of listing my current config was to give anyone else an idea
> of what I am now using (like to suggest just an iptables-based solution
> vs a larger Cisco PIX box, which would be overkill for my use).
I don't believe a Cisco box is overkill for an ISP - why do you think that?
> I
> would like to switch to a different one but I would like some opinions
> of what you have used and are happy with
If you want to create a firewall on a Linux system, I'd (strongly)
recommend Shorewall. You might want to use the version in Testing, which
will install cleanly on a Stable system.
Keith
-
Re: Firewall
I would recommend looking at a Nokia Checkpoint solution.
Your config is getting to the point of becoming too complicated to have
a complete overview.
I would also definitely stay away from Cisco PIX - access lists on these
boxes are just as complicated as iptables.
Andrew
Chris Davies wrote:
> Jesse Molina wrote:
>
>
> The purpose of listing my current config was to give anyone else an idea
> of what I am now using (like to suggest just an iptables-based solution
> vs a larger Cisco PIX box, which would be overkill for my use). I
> would like to switch to a different one, but I would like some opinions
> on what you have used and are happy with vs getting a beta and having
> security breaches, or if you could help me fix this one I would be very
> appreciative.
>
>
-
Re: Firewall
This is very very useful information here.
The error message tells us detailed info that we need to know about what
packet was dropped, that you did not want it dropped, and we have the
iptables configuration.
Here is the important part of the error message details;
IP-SPOOFING DROP: IN=eth0
SRC=192.168.2.105
DST=69.20.153.137
PROTO=TCP SPT=59941 DPT=143
Okay, now here is the configuration that generated this iptables packet
drop, and the chain it came from;
-A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
40 --ulog-qthreshold 50
-A SPOOF_DROP -j DROP
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
Finally, here is the offending line that our packet matches, which is
causing it to be dropped;
"-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"
Yep, that packet is coming in on eth0, going to 69.20.153.137. That's
perfectly sane, but the iptables rules are not. I think they assume
that the 192.168.2.0/24 network will access the firewall host only on
the same network interface, which is NOT a good assumption. Your IMAP
server has it's DNS entry to use it's public facing port.
You need to remove the offending rule and your problems may go away.
That said, make sure to go through your firewall UI to do it -- don't
mess with iptables directly unless the firewall vendor/project says you
may do so, or you want to just use iptables in the future.
Also, you may have other issues due to the NAT/MASQ you have going on
there. I don't know if the firewall trying to talk to itself through a
NAT/MASQ session is going to work.
Another option that might resolve your problems is to have a split DNS
between the Internet and your inside networks (I don't like this
particular solution myself, but it's what many might do).
My condolences on your complicated problem. You are going to need to
meditate on this one to get it figured out. Good luck though. It can
be done.
Chris Davies wrote:
> Jesse Molina wrote:
>> The output of the command "iptables-save" would be useful to us. As
>> would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
>>
>> The actual error messages would be useful as well.
>>
>> If you don't want to fix it, which would be contrary to the fact that
>> you told us all about it, there are a number of other Linux or
>> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
>> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
>> checkpoint are quite common. I don't care for Watchguard, SonicWall,
>> or other firewall vendors much.
>>
>>
>>
>> Chris Davies wrote:
>>> Hello,
>>> new to this place, so Hi everyone.
>>>
>>> I run a few servers on my network and am having problems with my
>>> firewall.
>>> I am finishing up my imap server but I can't connect to it, the error my
>>> firewall spits out is that it is a
>>> spoofed mac address (on the server side), I can connect to the local
>>> address' but will not anywhere where it has to go through my fw
>>> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
>>> 4 virtual IPs on this server, for intra(extra)nets.
>>> My firewall is Astaro Security Linux 6.
>>> My question is what is a good firewall these days, because I have about
>>> had it with this one.
>>>
>>> Thanx
>>> Chris
>>>
>>>
> Message from log --->
> 2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
> MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
> DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
> PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
>
> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
> *nat
> :AUTO_OUTPUT - [0:0]
> :AUTO_POST - [0:0]
> :AUTO_PRE - [0:0]
> :PREROUTING ACCEPT [684764:90790281]
> :POSTROUTING ACCEPT [810702:54559262]
> :OUTPUT ACCEPT [38180:5648519]
> :USR_OUTPUT - [0:0]
> :USR_POST - [0:0]
> :USR_PRE - [0:0]
> -A PREROUTING -j AUTO_PRE
> -A PREROUTING -j USR_PRE
> -A POSTROUTING -j AUTO_POST
> -A POSTROUTING -j USR_POST
> -A OUTPUT -j AUTO_OUTPUT
> -A OUTPUT -j USR_OUTPUT
> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
> 80 -j DNAT --to-destination 192.168.1.110
> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
> -j DNAT --to-destination 192.168.1.100
> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
> 6881 -j DNAT --to-destination 192.168.2.105
> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
> 6881 -j DNAT --to-destination 192.168.2.105
> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
> 4444 -j DNAT --to-destination 192.168.2.105
> -A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
> -A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
> -j DNAT --to-destination 192.168.1.110
> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
> DNAT --to-destination 192.168.1.100
> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
> -j DNAT --to-destination 192.168.2.105
> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
> -j DNAT --to-destination 192.168.2.105
> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
> -j DNAT --to-destination 192.168.2.105
> COMMIT
> # Completed on Fri Jul 21 01:30:07 2006
> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
> *ips
> :PREROUTING ACCEPT [85268420:58804227617]
> :INPUT ACCEPT [71920:73703193]
> :FORWARD ACCEPT [18409:10865526]
> :OUTPUT ACCEPT [51149:7744091]
> :POSTROUTING ACCEPT [85257053:58524784864]
> COMMIT
> # Completed on Fri Jul 21 01:30:07 2006
> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
> *mangle
> :INVALID_PKT - [0:0]
> :POLICY_ROUTING_OUT - [0:0]
> :POLICY_ROUTING_PRE - [0:0]
> :PREROUTING ACCEPT [85268432:58804228448]
> :INPUT ACCEPT [6933573:1948839077]
> :FORWARD ACCEPT [78333312:56855205229]
> :OUTPUT ACCEPT [7027235:1676138656]
> :POSTROUTING ACCEPT [67282614:56180797304]
> :SET_PRIO_HIGH - [0:0]
> :SET_PRIO_LOW - [0:0]
> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A INVALID_PKT -j DROP
> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
> -A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
> REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
> -A PREROUTING -j POLICY_ROUTING_PRE
> -A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
> -A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
> -A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
> --ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
> -m udp --sport 53:65535 --dport 53 -m u32 --u32
> 0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
> --ulog-cprange 40 --ulog-qthreshold 50
> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
> -m tcp --sport 53:65535 --dport 53 -m u32 --u32
> 0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
> "DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
> -A OUTPUT -j POLICY_ROUTING_OUT
> -A POSTROUTING -o lo -j ACCEPT
> -A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
> 50:100 -j SET_PRIO_HIGH
> -A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
> -A POSTROUTING -p icmp -j SET_PRIO_HIGH
> -A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
> -A SET_PRIO_HIGH -j ACCEPT
> -A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
> -A SET_PRIO_LOW -j ACCEPT
> COMMIT
> # Completed on Fri Jul 21 01:30:07 2006
> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
> *raw
> :ICMP_FLOOD - [0:0]
> :ICMP_FLOOD_DROP - [0:0]
> :ICMP_FLOOD_DST - [0:0]
> :ICMP_FLOOD_SRC - [0:0]
> :LOCAL_TRAFFIC - [0:0]
> :PREROUTING ACCEPT [144:6172]
> :OUTPUT ACCEPT [913592:160544115]
> :SYN_FLOOD - [0:0]
> :SYN_FLOOD_DROP - [0:0]
> :SYN_FLOOD_DST - [0:0]
> :SYN_FLOOD_SRC - [0:0]
> :UDP_FLOOD - [0:0]
> :UDP_FLOOD_DROP - [0:0]
> :UDP_FLOOD_DST - [0:0]
> :UDP_FLOOD_SRC - [0:0]
> -A ICMP_FLOOD -j ICMP_FLOOD_SRC
> -A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
> "ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
> -A ICMP_FLOOD_DROP -j DROP
> -A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
> --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
> -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
> -A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
> --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
> -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
> -A LOCAL_TRAFFIC -j NOTRACK
> -A LOCAL_TRAFFIC -j ACCEPT
> -A LOCAL_TRAFFIC -j NOTRACK
> -A LOCAL_TRAFFIC -j ACCEPT
> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
> -A PREROUTING -p tcp -j SYN_FLOOD
> -A PREROUTING -p udp -j UDP_FLOOD
> -A PREROUTING -p icmp -j ICMP_FLOOD
> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
> -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A SYN_FLOOD -j SYN_FLOOD_SRC
> -A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
> "SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
> -A SYN_FLOOD_DROP -j DROP
> -A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
> --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
> -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
> -A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
> --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
> -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
> -A UDP_FLOOD -j UDP_FLOOD_SRC
> -A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
> "UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
> -A UDP_FLOOD_DROP -j DROP
> -A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
> --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
> -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
> -A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
> --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
> -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
> COMMIT
> # Completed on Fri Jul 21 01:30:07 2006
> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
> *filter
> :AUTO_FORWARD - [0:0]
> :AUTO_INPUT - [0:0]
> :AUTO_OUTPUT - [0:0]
> :HA - [0:0]
> :INPUT DROP [3:534]
> :FORWARD DROP [0:0]
> :INVALID_PKT - [0:0]
> :LOGACCEPT - [0:0]
> :LOGDROP - [0:0]
> :LOGREJECT - [0:0]
> :OUTPUT DROP [4:224]
> :PSD_ACTION - [0:0]
> :PSD_MATCH - [0:0]
> :SANITY_CHECKS - [0:0]
> :SPOOFING_PROTECTION - [0:0]
> :SPOOF_DROP - [0:0]
> :STRICT_TCP_STATE - [0:0]
> :USR_FORWARD - [0:0]
> :USR_INPUT - [0:0]
> :USR_OUTPUT - [0:0]
> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
> --dport 22 -j CONFIRMED
> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 443 -j CONFIRMED
> -A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
> -A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
> -A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
> -A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
> 53 -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
> 53 -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
> -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
> -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
> -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
> -m owner --cmd-owner named -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
> --cmd-owner exim -j CONFIRMED
> -A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
> 514 -m owner --cmd-owner syslog-ng -j CONFIRMED
> -A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
> owner --cmd-owner netselect -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
> --cmd-owner aus -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
> --cmd-owner aus -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
> --cmd-owner pattern_aus -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
> --cmd-owner pattern_aus -j CONFIRMED
> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
> --cmd-owner wget -j CONFIRMED
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
> -A INPUT -m state --state RELATED -j CONFIRMED
> -A INPUT -j SPOOFING_PROTECTION
> -A INPUT -j HA
> -A INPUT -j PSD_MATCH
> -A INPUT -j SANITY_CHECKS
> -A INPUT -j AUTO_INPUT
> -A INPUT -j USR_INPUT
> -A INPUT -j LOGDROP
> -A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
> -A FORWARD -m state --state RELATED -j CONFIRMED
> -A FORWARD -j SPOOFING_PROTECTION
> -A FORWARD -j PSD_MATCH
> -A FORWARD -j SANITY_CHECKS
> -A FORWARD -j AUTO_FORWARD
> -A FORWARD -j USR_FORWARD
> -A FORWARD -j LOGDROP
> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A INVALID_PKT -j DROP
> -A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A LOGACCEPT -j CONFIRMED
> -A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A LOGDROP -j DROP
> -A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
> -A OUTPUT -m state --state RELATED -j CONFIRMED
> -A OUTPUT -j HA
> -A OUTPUT -j SANITY_CHECKS
> -A OUTPUT -j AUTO_OUTPUT
> -A OUTPUT -j USR_OUTPUT
> -A OUTPUT -j LOGDROP
> -A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
> --ulog-qthreshold 50
> -A PSD_ACTION -j DROP
> -A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
> --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
> -A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
> SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
> -A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
> -A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
> --state INVALID -j REJECT --reject-with tcp-reset
> -A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
> -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
> SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
> SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
> -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
> 40 --ulog-qthreshold 50
> -A SPOOF_DROP -j DROP
> -A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
> -A STRICT_TCP_STATE -p tcp -j INVALID_PKT
> -A STRICT_TCP_STATE -p tcp -j DROP
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 80 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 20:21 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 21 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 443 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 110 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 25 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 23 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
> tcp --sport 1024:65535 --dport 143 -j CONFIRMED
> -A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
> -A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
> -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
> -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 110 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 110 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 2703 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
> 1:65535 --dport 2703 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1:65535 --dport 2703 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
> 1:65535 --dport 2703 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
> 143 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
> 143 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 80 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 20:21 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
> 80 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 443 -j CONFIRMED
> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
> 1024:65535 --dport 443 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --dport 22 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
> 4444 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
> 4242 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
> 4242 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
> 4441 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
> 4441 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
> 4242 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
> 4242 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
> 4441 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
> 4441 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
> 1:65535 -j CONFIRMED
> -A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
> -A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
> -p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
> -A USR_INPUT -d 192.168.2.255 -j DROP
> -A USR_INPUT -d 192.168.1.255 -j DROP
> -A USR_INPUT -d 255.255.255.255 -j DROP
> COMMIT
> # Completed on Fri Jul 21 01:30:07 2006
>
>
> ip addr --->
> 1: lo: mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
> inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
> 4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
> inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
> ********* end
>
> ifconfig -a ----->
> eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
> inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
> TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557 (2349.1 Mb)
> Interrupt:169 Base address:0xdc00
>
> eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
>
> eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
> inet addr:69.20.153.137 Bcast:69.20.153.143 Mask:255.255.255.240
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
> collisions:294358 txqueuelen:1000
> RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120 (1884.5 Mb)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054 (1445.8 Mb)
>
> *************end
>
> The purpose of listing my current config was to give anyone else an idea
> of what I am now using (like to suggest just an iptables based solution
> vs a larger Cisco PIX box, which would be overkill for my use). I
> would like to switch to a different one but I would like some opinions
> of what you have used and are happy with vs getting a beta and having
> security breaches, or if you could help me fix this one I would be very
> appreciative.
>
> Chris
>
>
>
--
# Jesse Molina
# Mail = jesse@opendreams.net
# Page = page-jesse@opendreams.net
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/
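As an added illustration (not code from anyone on the list), the Python below walks the logged packet through the SPOOFING_PROTECTION chain Jesse quotes above, confirming that the "-d 69.20.153.137 -i ! eth2" rule is the one that fires, and then shows why the hairpin DNAT rule Chris reports adding later in the thread stops it firing: nat PREROUTING rewrites the destination before the filter table's anti-spoofing chain ever sees the packet. The rule and log lines are copied from the thread; the exact DNAT rule and 192.168.1.100 as the IMAP server are assumptions (taken from the FORWARD rules that permit port 143 to that host).

```python
"""Model of the SPOOFING_PROTECTION chain from the posted iptables-save.
Added example, not code from the thread: it shows which rule the logged packet
hits and why a hairpin DNAT in nat/PREROUTING (evaluated before the filter
table) makes the packet miss that chain.  192.168.1.100 as the IMAP host is an
assumption taken from the FORWARD rules that permit port 143 to it.
"""
import ipaddress
import re
import shlex

# Rules copied verbatim from the SPOOFING_PROTECTION chain in the thread.
SPOOFING_PROTECTION = """
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
"""

# The ulogd line Chris posted.
LOG_LINE = ("2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= "
            "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
            "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
            "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0")

# Hairpin DNAT of the kind Chris reports adding (this exact form is assumed).
HAIRPIN_DNAT = ("-A PREROUTING -d 69.20.153.137 -p tcp -m tcp --dport 143 "
                "-j DNAT --to-destination 192.168.1.100")

def parse_log(line):
    """Pull the fields the anti-spoofing rules test out of a ulogd line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"in": fields["IN"], "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"].lower(), "dport": int(fields["DPT"])}

def parse_rule(line):
    """Parse an '-A CHAIN ...' line into matches {opt: (negated, value)} + target."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "matches": {}, "target": None, "target_opts": {}}
    i = 2
    while i < len(toks):
        if toks[i] == "-j":
            rule["target"] = toks[i + 1]
            rest = toks[i + 2:]                 # e.g. --to-destination 192.168.1.100
            rule["target_opts"] = dict(zip(rest[::2], rest[1::2]))
            break
        neg = toks[i + 1] == "!"                # old iptables syntax: '-i ! eth2'
        val = toks[i + 2] if neg else toks[i + 1]
        rule["matches"][toks[i]] = (neg, val)
        i += 3 if neg else 2
    return rule

def matches(rule, pkt):
    """True when every match in the rule holds (iptables ANDs them)."""
    for opt, (neg, val) in rule["matches"].items():
        if opt == "-m":
            continue                            # loads a match module; no test itself
        if opt in ("-s", "-d"):
            addr = pkt["src" if opt == "-s" else "dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif opt == "-i":
            hit = pkt["in"] == val
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt == "--dport":
            hit = pkt["dport"] == int(val)
        else:
            raise ValueError("unsupported match: " + opt)
        if hit == neg:                          # '!' flips the sense of the match
            return False
    return True

def run_chain(rules_text, pkt):
    """Walk a chain top to bottom; return (rule, target) of the first hit, else None."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return line, rule["target"]
    return None

def apply_dnat(rules_text, pkt):
    """nat/PREROUTING: rewrite dst if a DNAT rule matches, else return pkt unchanged."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if rule["target"] == "DNAT" and matches(rule, pkt):
            return dict(pkt, dst=rule["target_opts"]["--to-destination"])
    return pkt

def diagnose(log_line, nat_rules=""):
    """Run the logged packet through nat PREROUTING, then the anti-spoofing chain."""
    pkt = apply_dnat(nat_rules, parse_log(log_line))
    return run_chain(SPOOFING_PROTECTION, pkt)
```

`diagnose(LOG_LINE)` returns the "-d 69.20.153.137 -i ! eth2" rule with target SPOOF_DROP; `diagnose(LOG_LINE, HAIRPIN_DNAT)` returns None because the destination is already 192.168.1.100 by the time the filter chain runs.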
-
Re: Firewall
Thank you all for the information and help
I found out what to do to fix it,
I added a new NAT rule to change any src going to my pub IP with the
service IMAP to my mail server destination and poof it works.
Thanx
Chris
Jesse Molina wrote:
>
> This is very very useful information here.
>
> The error message tells us detailed info that we need to know about
> what packet was dropped, that you did not want it dropped, and we have
> the iptables configuration.
>
> Here is the important part of the error message details;
>
> IP-SPOOFING DROP: IN=eth0
> SRC=192.168.2.105
> DST=69.20.153.137
> PROTO=TCP SPT=59941 DPT=143
>
> Okay, now here is the configuration that generated this iptables
> packet drop, and chain it came from;
>
> -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: "
> --ulog-cprange 40 --ulog-qthreshold 50
> -A SPOOF_DROP -j DROP
>
> -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
> SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
> SPOOF_DROP
> -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
>
>
>
> Finally, here is the offending line that our packet matches, which is
> causing it to be dropped;
>
> "-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"
>
> Yep, that packet is coming in on eth0, going to 69.20.153.137. That's
> perfectly sane, but the iptables rules are not. I think they assume
> that the 192.168.2.0/24 network will access the firewall host only on
> the same network interface, which is NOT a good assumption. Your IMAP
> server has it's DNS entry to use it's public facing port.
>
> You need to remove the offending rule and your problems may go away.
> That said, make sure to go through your firewall UI to do it -- don't
> mess with iptables directly unless the firewall vendor/project says
> you may do so, or you want to just use iptables in the future.
>
> Also, you may have other issues due to the NAT/MASQ you have going on
> there. I don't know if the firewall trying to talk to itself through
> a NAT/MASQ session is going to work.
>
> Another option that might resolve your problems is to have a split DNS
> between the Internet and your inside networks (I don't like this
> particular solution myself, but it's what many might do).
>
> My condolences on your complicated problem. You are going to need to
> meditate on this one to get it figured out. Good luck though. It can
> be done.
>
>
>
> Chris Davies wrote:
>> Jesse Molina wrote:
>>> The output of the command "iptables-save" would be useful to us. As
>>> would an "ip addr" or "ifconfig -a", on BOTH the server and the
>>> firewall.
>>>
>>> The actual error messages would be useful as well.
>>>
>>> If you don't want to fix it, which would be contrary to the fact that
>>> you told us all about it, there are a number of other Linux or
>>> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
>>> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
>>> checkpoint are quite common. I don't care for Watchguard, SonicWall,
>>> or other firewall vendors much.
>>>
>>>
>>>
>>> Chris Davies wrote:
>>>> Hello,
>>>> new to this place, so Hi everyone.
>>>>
>>>> I run a few servers on my network and am having problems with my
>>>> firewall.
>>>> I am finishing up my imap server but I can't connect to it, the
>>>> error my
>>>> firewall spits out is that it is a
>>>> spoofed mac address (on the server side), I can connect to the
>>>> local
>>>> addresses but will not anywhere where it has to go through my fw
>>>> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I
>>>> have
>>>> 4 virtual IPs on this server, for intra(extra)nets.
>>>> My firewall is Astaro Security Linux 6.
>>>> My question is what is a good firewall these days, because I have
>>>> about
>>>> had it with this one.
>>>>
>>>> Thanx
>>>> Chris
>>>>
>>>>
>> Message from log --->
>> 2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
>> MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
>> DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
>> PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
>>
>> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
>> *nat
>> :AUTO_OUTPUT - [0:0]
>> :AUTO_POST - [0:0]
>> :AUTO_PRE - [0:0]
>> :PREROUTING ACCEPT [684764:90790281]
>> :POSTROUTING ACCEPT [810702:54559262]
>> :OUTPUT ACCEPT [38180:5648519]
>> :USR_OUTPUT - [0:0]
>> :USR_POST - [0:0]
>> :USR_PRE - [0:0]
>> -A PREROUTING -j AUTO_PRE
>> -A PREROUTING -j USR_PRE
>> -A POSTROUTING -j AUTO_POST
>> -A POSTROUTING -j USR_POST
>> -A OUTPUT -j AUTO_OUTPUT
>> -A OUTPUT -j USR_OUTPUT
>> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
>> 80 -j DNAT --to-destination 192.168.1.110
>> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
>> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
>> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
>> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
>> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
>> -j DNAT --to-destination 192.168.1.100
>> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
>> 6881 -j DNAT --to-destination 192.168.2.105
>> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
>> 6881 -j DNAT --to-destination 192.168.2.105
>> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
>> 4444 -j DNAT --to-destination 192.168.2.105
>> -A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
>> -A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
>> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
>> -j DNAT --to-destination 192.168.1.110
>> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
>> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
>> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
>> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
>> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
>> DNAT --to-destination 192.168.1.100
>> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
>> -j DNAT --to-destination 192.168.2.105
>> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
>> -j DNAT --to-destination 192.168.2.105
>> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
>> -j DNAT --to-destination 192.168.2.105
>> COMMIT
>> # Completed on Fri Jul 21 01:30:07 2006
>> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
>> *ips
>> :PREROUTING ACCEPT [85268420:58804227617]
>> :INPUT ACCEPT [71920:73703193]
>> :FORWARD ACCEPT [18409:10865526]
>> :OUTPUT ACCEPT [51149:7744091]
>> :POSTROUTING ACCEPT [85257053:58524784864]
>> COMMIT
>> # Completed on Fri Jul 21 01:30:07 2006
>> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
>> *mangle
>> :INVALID_PKT - [0:0]
>> :POLICY_ROUTING_OUT - [0:0]
>> :POLICY_ROUTING_PRE - [0:0]
>> :PREROUTING ACCEPT [85268432:58804228448]
>> :INPUT ACCEPT [6933573:1948839077]
>> :FORWARD ACCEPT [78333312:56855205229]
>> :OUTPUT ACCEPT [7027235:1676138656]
>> :POSTROUTING ACCEPT [67282614:56180797304]
>> :SET_PRIO_HIGH - [0:0]
>> :SET_PRIO_LOW - [0:0]
>> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A INVALID_PKT -j DROP
>> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
>> -A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
>> REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A PREROUTING -j POLICY_ROUTING_PRE
>> -A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
>> -A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
>> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
>> -A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
>> --ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
>> -m udp --sport 53:65535 --dport 53 -m u32 --u32
>> 0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
>> --ulog-cprange 40 --ulog-qthreshold 50
>> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
>> -m tcp --sport 53:65535 --dport 53 -m u32 --u32
>> 0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
>> "DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A OUTPUT -j POLICY_ROUTING_OUT
>> -A POSTROUTING -o lo -j ACCEPT
>> -A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
>> 50:100 -j SET_PRIO_HIGH
>> -A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
>> -A POSTROUTING -p icmp -j SET_PRIO_HIGH
>> -A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
>> -A SET_PRIO_HIGH -j ACCEPT
>> -A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
>> -A SET_PRIO_LOW -j ACCEPT
>> COMMIT
>> # Completed on Fri Jul 21 01:30:07 2006
>> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
>> *raw
>> :ICMP_FLOOD - [0:0]
>> :ICMP_FLOOD_DROP - [0:0]
>> :ICMP_FLOOD_DST - [0:0]
>> :ICMP_FLOOD_SRC - [0:0]
>> :LOCAL_TRAFFIC - [0:0]
>> :PREROUTING ACCEPT [144:6172]
>> :OUTPUT ACCEPT [913592:160544115]
>> :SYN_FLOOD - [0:0]
>> :SYN_FLOOD_DROP - [0:0]
>> :SYN_FLOOD_DST - [0:0]
>> :SYN_FLOOD_SRC - [0:0]
>> :UDP_FLOOD - [0:0]
>> :UDP_FLOOD_DROP - [0:0]
>> :UDP_FLOOD_DST - [0:0]
>> :UDP_FLOOD_SRC - [0:0]
>> -A ICMP_FLOOD -j ICMP_FLOOD_SRC
>> -A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
>> "ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A ICMP_FLOOD_DROP -j DROP
>> -A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
>> --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
>> -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
>> -A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
>> --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
>> -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
>> -A LOCAL_TRAFFIC -j NOTRACK
>> -A LOCAL_TRAFFIC -j ACCEPT
>> -A LOCAL_TRAFFIC -j NOTRACK
>> -A LOCAL_TRAFFIC -j ACCEPT
>> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
>> LOCAL_TRAFFIC
>> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
>> LOCAL_TRAFFIC
>> -A PREROUTING -p tcp -j SYN_FLOOD
>> -A PREROUTING -p udp -j UDP_FLOOD
>> -A PREROUTING -p icmp -j ICMP_FLOOD
>> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
>> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
>> -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>> -A SYN_FLOOD -j SYN_FLOOD_SRC
>> -A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
>> "SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A SYN_FLOOD_DROP -j DROP
>> -A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
>> --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
>> -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
>> -A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
>> --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
>> -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
>> -A UDP_FLOOD -j UDP_FLOOD_SRC
>> -A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
>> "UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
>> -A UDP_FLOOD_DROP -j DROP
>> -A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
>> --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
>> -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
>> -A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
>> --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
>> -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
>> COMMIT
>> # Completed on Fri Jul 21 01:30:07 2006
>> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
>> *filter
>> :AUTO_FORWARD - [0:0]
>> :AUTO_INPUT - [0:0]
>> :AUTO_OUTPUT - [0:0]
>> :HA - [0:0]
>> :INPUT DROP [3:534]
>> :FORWARD DROP [0:0]
>> :INVALID_PKT - [0:0]
>> :LOGACCEPT - [0:0]
>> :LOGDROP - [0:0]
>> :LOGREJECT - [0:0]
>> :OUTPUT DROP [4:224]
>> :PSD_ACTION - [0:0]
>> :PSD_MATCH - [0:0]
>> :SANITY_CHECKS - [0:0]
>> :SPOOFING_PROTECTION - [0:0]
>> :SPOOF_DROP - [0:0]
>> :STRICT_TCP_STATE - [0:0]
>> :USR_FORWARD - [0:0]
>> :USR_INPUT - [0:0]
>> :USR_OUTPUT - [0:0]
>> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
>> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
>> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
>> --dport 22 -j CONFIRMED
>> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
>> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 443 -j CONFIRMED
>> -A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
>> -A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
>> -A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
>> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
>> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
>> -A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
>> 53 -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
>> 53 -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
>> -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
>> -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
>> -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
>> -m owner --cmd-owner named -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
>> --cmd-owner exim -j CONFIRMED
>> -A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
>> 514 -m owner --cmd-owner syslog-ng -j CONFIRMED
>> -A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
>> owner --cmd-owner netselect -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
>> --cmd-owner aus -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
>> --cmd-owner aus -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
>> --cmd-owner pattern_aus -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
>> --cmd-owner pattern_aus -j CONFIRMED
>> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
>> --cmd-owner wget -j CONFIRMED
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
>> -A INPUT -m state --state RELATED -j CONFIRMED
>> -A INPUT -j SPOOFING_PROTECTION
>> -A INPUT -j HA
>> -A INPUT -j PSD_MATCH
>> -A INPUT -j SANITY_CHECKS
>> -A INPUT -j AUTO_INPUT
>> -A INPUT -j USR_INPUT
>> -A INPUT -j LOGDROP
>> -A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
>> -A FORWARD -m state --state RELATED -j CONFIRMED
>> -A FORWARD -j SPOOFING_PROTECTION
>> -A FORWARD -j PSD_MATCH
>> -A FORWARD -j SANITY_CHECKS
>> -A FORWARD -j AUTO_FORWARD
>> -A FORWARD -j USR_FORWARD
>> -A FORWARD -j LOGDROP
>> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A INVALID_PKT -j DROP
>> -A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A LOGACCEPT -j CONFIRMED
>> -A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A LOGDROP -j DROP
>> -A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
>> -A OUTPUT -o lo -j ACCEPT
>> -A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
>> -A OUTPUT -m state --state RELATED -j CONFIRMED
>> -A OUTPUT -j HA
>> -A OUTPUT -j SANITY_CHECKS
>> -A OUTPUT -j AUTO_OUTPUT
>> -A OUTPUT -j USR_OUTPUT
>> -A OUTPUT -j LOGDROP
>> -A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
>> --ulog-qthreshold 50
>> -A PSD_ACTION -j DROP
>> -A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
>> --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
>> -A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
>> SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
>> -A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
>> -A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
>> --state INVALID -j REJECT --reject-with tcp-reset
>> -A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
>> -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j
>> SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
>> SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j
>> SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
>> SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j
>> SPOOF_DROP
>> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j
>> SPOOF_DROP
>> -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
>> 40 --ulog-qthreshold 50
>> -A SPOOF_DROP -j DROP
>> -A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>> -A STRICT_TCP_STATE -p tcp -j INVALID_PKT
>> -A STRICT_TCP_STATE -p tcp -j DROP
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 80 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 20:21 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 21 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 443 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 110 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 25 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 23 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
>> tcp --sport 1024:65535 --dport 143 -j CONFIRMED
>> -A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
>> -A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
>> -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
>> -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 110 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 110 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 2703 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
>> 1:65535 --dport 2703 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1:65535 --dport 2703 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
>> 1:65535 --dport 2703 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
>> 143 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
>> 143 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 80 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 20:21 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
>> 80 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 443 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
>> 1024:65535 --dport 443 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --dport 22 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
>> 4444 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
>> 4242 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
>> 4242 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
>> 4441 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
>> 4441 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
>> 4242 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
>> 4242 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
>> 4441 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
>> 4441 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
>> 1:65535 -j CONFIRMED
>> -A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
>> -A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
>> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
>> -p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
>> -A USR_INPUT -d 192.168.2.255 -j DROP
>> -A USR_INPUT -d 192.168.1.255 -j DROP
>> -A USR_INPUT -d 255.255.255.255 -j DROP
>> COMMIT
>> # Completed on Fri Jul 21 01:30:07 2006
>>
>>
>> ip addr --->
>> 1: lo: mtu 16436 qdisc noqueue
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
>> link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
>> inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
>> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>> link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
>> inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
>> 4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
>> link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
>> inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
>> ********* end
>>
>> ifconfig -a ----->
>> eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
>> inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
>> TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557
>> (2349.1 Mb)
>> Interrupt:169 Base address:0xdc00
>>
>> eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
>> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
>>
>> eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
>> inet addr:69.20.153.137 Bcast:69.20.153.143
>> Mask:255.255.255.240
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:294358 txqueuelen:1000
>> RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120
>> (1884.5 Mb)
>>
>> lo Link encap:Local Loopback
>> inet addr:127.0.0.1 Mask:255.0.0.0
>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>> RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054
>> (1445.8 Mb)
>>
>> *************end
>>
>> The purpose of listing my current config was to give anyone else an idea
>> of what I am now using (like to suggest just an iptables-based solution
>> vs a larger Cisco PIX box, which would be overkill for my use). I
>> would like to switch to a different one but I would like some opinions
>> of what you have used and are happy with vs getting a beta and having
>> security breaches, or if you could help me fix this one I would be very
>> appreciative.
>>
>> Chris
>>
>>
>>
>
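To check the reading of the SPOOFING_PROTECTION chain given above, here is an added example (not code from the thread, from Astaro, or from any of the posters): a small Python model that walks the quoted chain in order against the quoted ulogd packet, then shows that removing the offending rule lets the inside-to-public-IP packet through while the remaining rules still drop two constructed spoof cases. It models only the -s/-d/-i matches this chain uses; OFFENDING, make_packet and the two spoof packets are this example's own.

```python
import ipaddress
import re

# Chain copied from the quoted iptables-save output (filter table).
SPOOFING_PROTECTION = """
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
"""

# The ulogd line quoted in the thread, joined onto one line.
LOG_LINE = (
    "2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= "
    "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
    "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
    "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0"
)

# Only the matches this chain uses: -s, -d and a (possibly negated) -i.
RULE_RE = re.compile(r"-A (?P<chain>\S+)(?: -s (?P<src>\S+))?(?: -d (?P<dst>\S+))?"
                     r" -i (?P<neg>! )?(?P<iface>\S+) -j (?P<target>\S+)$")

def net(spec):
    # '192.168.2.0/255.255.255.0' style netmasks are accepted by ipaddress.
    return ipaddress.ip_network(spec, strict=False) if spec else None

def parse_rules(text):
    """Turn iptables-save lines into match dicts, preserving chain order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append({"text": line.strip(), "src": net(m["src"]), "dst": net(m["dst"]),
                      "iface": m["iface"], "iface_negated": m["neg"] is not None,
                      "target": m["target"]})
    return rules

def make_packet(iface, src, dst):
    """Minimal packet model: ingress interface plus source/destination IPs."""
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst)}

def parse_log_line(line):
    """Pull IN=, SRC= and DST= out of a ulogd/netfilter log line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return make_packet(fields["IN"], fields["SRC"], fields["DST"])

def first_match(rules, pkt):
    """Walk the chain in order; return the first matching rule, or None."""
    for r in rules:
        if r["src"] is not None and pkt["src"] not in r["src"]:
            continue
        if r["dst"] is not None and pkt["dst"] not in r["dst"]:
            continue
        # '-i ! ethX' matches when the packet arrived on any other interface.
        if (pkt["iface"] == r["iface"]) == r["iface_negated"]:
            continue
        return r
    return None

# The rule the thread identifies as the one the logged packet hits.
OFFENDING = "-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"

if __name__ == "__main__":
    chain = parse_rules(SPOOFING_PROTECTION)
    logged = parse_log_line(LOG_LINE)
    hit = first_match(chain, logged)
    print("logged packet hits:", hit["text"] if hit else None)
    fixed = [r for r in chain if r["text"] != OFFENDING]
    print("after removing it:", first_match(fixed, logged))
    # Constructed spoof cases (not from the thread): the remaining rules must
    # still drop a LAN host claiming the public IP and an outside host
    # claiming a LAN address.
    for p in (make_packet("eth0", "69.20.153.137", "192.168.2.5"),
              make_packet("eth2", "192.168.2.105", "69.20.153.137")):
        print(p["iface"], p["src"], "->", first_match(fixed, p)["text"])
```

The model stops at the first match, as iptables does for a terminating target, so rule order in the quoted chain is reproduced exactly.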