John Fiore on 19 Nov 2003 10:34:02 -0500
What happens if you change this rule:

$IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP

to the same thing, but with --syn added?

--- Chris <chris@jynx.net> wrote:
> Can anyone tell me what I'm doing wrong? All inbound port filtering
> works like a charm coming in.
>
> Problem lies on the Output. Once DROPS are applied the machine can no
> longer make any outbound connections. Even after any / any / all accept
> is applied. Any iptables gurus want to help me with this?
>
> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> Connected to 64.115.34.114.
> Escape character is '^]'.
> SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
> ^]
> telnet> quit
> Connection closed.
> root@mysql:/etc/firewall# ./eth0
> Flush IPTables: ..done
> Setting ICMP Rules: ..done
> Setting INPUT Rules: ..done
> Setting OUTPUT Rules: ..done
> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> telnet: Unable to connect to remote host: Connection timed out
> root@mysql:/etc/firewall# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source                                  destination
> ACCEPT     tcp  --  anywhere                                mysql.jynx.net  tcp dpt:85
> ACCEPT     tcp  --  user216-178-70-3.netcarrier.net         mysql.jynx.net  tcp dpt:ssh
> ACCEPT     tcp  --  pcp01341770pcs.wilog301.pa.comcast.net  mysql.jynx.net  tcp dpt:ssh
> ACCEPT     udp  --  anywhere                                ns3.jynx.net    udp dpt:domain
> ACCEPT     udp  --  anywhere                                ns3.jynx.net    udp spt:domain
> ACCEPT     tcp  --  10.10.10.0/24                           10.0.0.2        tcp dpts:tcpmux:65535
> ACCEPT     udp  --  10.10.10.0/24                           10.0.0.2        udp dpts:1:65535
> DROP       tcp  --  anywhere                                mysql.jynx.net  tcp dpts:tcpmux:65535
> DROP       udp  --  anywhere                                mysql.jynx.net  udp dpts:1:65535
> DROP       tcp  --  anywhere                                ns3.jynx.net    tcp dpts:tcpmux:65535
> DROP       udp  --  anywhere                                ns3.jynx.net    udp dpts:1:65535
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source                                  destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source                                  destination
> ACCEPT     all  --  localhost                               anywhere
> ACCEPT     all  --  anywhere                                anywhere
>
>
> #!/bin/sh
> IPT="/usr/local/sbin/iptables"
> EX_IP="64.115.34.115"
> IN_IP="10.0.0.2"
> AL_IP="64.115.34.116"
> IN_NET="10.10.10.0/24"
>
> echo -n "Flush IPTables: "
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
>
> # Flush it.
> #$IPT -F
>
> echo " ..done"
>
>
> echo -n "Setting ICMP Rules: "
> #$IPT -N icmp_packets
> #$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
> #$IPT -A icmp_packets --fragment -p ICMP -j DROP
> #$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> #$IPT -A icmp_packets -p ICMP -j RETURN
> echo " ..done"
>
>
> echo -n "Setting INPUT Rules: "
> # Webmin
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 85 -j ACCEPT
> # SSH
> $IPT -A INPUT -p tcp -s 216.178.70.3 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 68.81.114.30 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 53 -j ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --source-port 53 -j ACCEPT
> # Internal
> $IPT -A INPUT -p tcp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
> # Internal
> $IPT -A INPUT -p udp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
> # Allow Inside Out
>
> echo " ..done"
>
> echo -n "Setting OUTPUT Rules: "
> echo " "
> $IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> $IPT -A OUTPUT -p ALL -o lo -j ACCEPT
> $IPT -A OUTPUT -o eth0 -j ACCEPT
>
>
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
>
> $IPT -A INPUT -p tcp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
>
>
> echo " ..done"
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug