meranto (Tux's lil' helper)
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Tue Nov 15, 2005 1:13 pm Post subject: iptables settings not reloaded [solved]
I use "guarddog" as my GUI configuration utility for my iptables firewall. This works very well, but the firewall rules do not get loaded until I run guarddog and apply the settings. This is very irritating because I have to run "guarddog" every time after I reboot in order to keep my system safe.
I have put "iptables" and "firestarter" in my default runlevel, but if I restart them both, my firewall rules are wiped until I start "guarddog" again and apply the settings.
If anyone is interested in the "iptables -L" output, here it is:
Everything shut down:
Code: | iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
After "/etc/init.d/iptables start":
Code: | iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- router anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- router anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 10.255.255.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 10.0.0.10 router tcp dpt:domain
ACCEPT udp -- 10.0.0.10 router udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
|
After "/etc/init.d/firestarter start" nothing changes compared to the output above.
After running "guarddog" and applying the policies:
Code: | iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 10.0.0.10 10.255.255.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1212 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:19191 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:2869 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:2234:2240 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:19191
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ntp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:jetdirect state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:nicname state NEW
ACCEPT udp -- anywhere anywhere udp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ipp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpts:6891:6901 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:1900
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:cvsup
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop all -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT tcp -- anywhere anywhere tcp dpt:1212 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:19191 state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:2869 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:dict state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:6969 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:2234:2240 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:19191
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ntp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:jetdirect state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:1863 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:nicname state NEW
ACCEPT udp -- anywhere anywhere udp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:1755 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:1755
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns state NEW
ACCEPT udp -- anywhere anywhere udp spts:1024:cvsup dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp spts:1024:cvsup dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
ACCEPT udp -- anywhere anywhere udp spts:1024:cvsup dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpts:6881:6889 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ipp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpts:6891:6901 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:1900
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:rsync state NEW
logdrop all -- anywhere anywhere
Chain logaborted (1 references)
target prot opt source destination
logaborted2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
Chain logaborted2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain logdrop (4 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere 10.0.0.10
f0to1 all -- anywhere 10.255.255.255
f0to1 all -- anywhere localhost
logdrop all -- anywhere anywhere
Chain s1 (1 references)
target prot opt source destination
f1to0 all -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 all -- anywhere anywhere
|
Here all my policies are the way I want them to be.
Sorry for the enormous opening post; maybe the problem is much easier to solve, but I don't know how.
In the end I just want all these policies to be applied after the boot is completed, without the need to start additional programs etc.
Last edited by meranto on Wed Nov 16, 2005 1:39 pm; edited 1 time in total
limn (l33t)
Joined: 13 May 2005 Posts: 997
Posted: Tue Nov 15, 2005 4:08 pm
iptables by default should save the settings at shutdown.
Check
/etc/conf.d/iptables
Perhaps firestarter is shutting down before iptables and confusing things.
If firestarter is not adding to the rules, try turning it off.
magic919 (Advocate)
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Tue Nov 15, 2005 4:46 pm
Once you have them all set up as you wish do
Code: | /etc/init.d/iptables save |
That'll save the config and will load it at next /etc/init.d/iptables start - or at boot if you have it in your default runlevel.
Should not need to start anything else if you just want your settings loaded.
meranto (Tux's lil' helper)
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Wed Nov 16, 2005 8:16 am
One part solved:
I removed "firestarter" from the default runlevel and ran "/etc/init.d/iptables save". After a reboot all my rules were applied, BUT.....
I couldn't use anything.... All ports were blocked, I couldn't browse the internet or get my mail UNTIL I ran "guarddog" again and applied the settings.
After I ran "/etc/init.d/iptables stop" and "/etc/init.d/iptables start" everything still works fine, but after a reboot it does not.....
Does it look like my system is goofed up with firewalls?
magic919 (Advocate)
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Nov 16, 2005 9:04 am
It looks like you might want to read and try what I posted above.
Get the firewall working to your satisfaction. At this point the iptables are ok.
Save the tables.
Enjoy.
meranto (Tux's lil' helper)
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Wed Nov 16, 2005 10:05 am
magic919 wrote: | It looks like you might want to read and try what I posted above.
Get the firewall working to your satisfaction. At this point the iptables are ok.
Save the tables.
Enjoy. |
I already did, but unfortunately to no avail.
It does work when I restart "/etc/init.d/iptables", but after I reboot all connections are blocked until I run "guarddog" again and apply the policies.
magic919 (Advocate)
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Nov 16, 2005 10:21 am
I think we need to see what is happening with IPTables - and not be checking with Fireguard and Dogstarter.
Get the firewall working and fine using the tools of your choice.
Run iptables -L -n -v and copy and paste the output somewhere.
Do the /etc/init.d/iptables save.
Reboot.
Make sure /etc/init.d/iptables is running.
Run iptables -L -n -v and compare.
I'd like to know what is blocking the ports if all your rules are applied.
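The save/reboot/compare procedure magic919 lays out above (and the "/etc/init.d/iptables save" step from the earlier reply) is easier to get right if the two listings are diffed by machine rather than by eye. The script below is an added example written for this thread; it is not code from any of the posters, from guarddog, or from Gentoo's init scripts. It snapshots the live ruleset with iptables-save, strips the packet counters and timestamps that legitimately differ between two dumps, and diffs the before-save and after-reboot snapshots so that any rule or chain lost in the restore stands out. SNAP_DIR, the snapshot file names and the rc-update output format are my assumptions; the two sample dumps are constructed (loosely modelled on the f1to0 chain in the thread) so the comparison runs on a machine without iptables at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's init scripts:
# snapshot the live iptables ruleset before "/etc/init.d/iptables save" and
# again after the reboot, then diff the two so the rules that did not survive
# the save/restore cycle stand out, instead of eyeballing two long
# "iptables -L -n -v" listings.
#
# Assumptions (mine): iptables-save and rc-update are on PATH when the live
# functions are used; SNAP_DIR is a directory chosen for this example.

SNAP_DIR="${SNAP_DIR:-/var/tmp/fw-snapshots}"

# Drop everything in iptables-save output that is expected to differ between
# two dumps of the same policy: the timestamp comment lines, the [pkts:bytes]
# counters that -c prints in front of each rule, and the counters after each
# chain policy.  Rule order is kept, because order matters in iptables.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/[[:space:]]*$//'
}

# Save a normalized snapshot of the running ruleset as $SNAP_DIR/<label>.rules.
snapshot_live() {
    mkdir -p "$SNAP_DIR"
    iptables-save -c | normalize_rules > "$SNAP_DIR/$1.rules"
}

# Compare two normalized snapshot files.  Exit status 0 when they match,
# 1 when they differ; the unified diff is printed so missing rules are visible.
compare_rulesets() {
    diff -u "$1" "$2"
}

# The runlevel check from the thread: is the iptables service actually in the
# OpenRC default runlevel?  (The rc-update output format is an assumption.)
iptables_in_default_runlevel() {
    rc-update show default 2>/dev/null | grep -q '^ *iptables '
}

# Constructed sample dumps (not real output from the poster's machine),
# so the comparison can be exercised where iptables is not installed.
SAMPLE_BEFORE='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:f1to0 - [0:0]
[8353:2934000] -A INPUT -i lo -j ACCEPT
[93058:77000000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[6889:358000] -A f1to0 -p tcp -m tcp --sport 1024:5999 --dport 80 -m state --state NEW -j ACCEPT
[8331:447000] -A OUTPUT -j f1to0
COMMIT
# Completed (constructed sample)'

SAMPLE_AFTER='# Generated by iptables-save (constructed sample, after reboot)
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:f1to0 - [0:0]
[12:1000] -A INPUT -i lo -j ACCEPT
[40:5200] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[7:364] -A OUTPUT -j f1to0
COMMIT
# Completed (constructed sample, after reboot)'

# Run the comparison on the constructed samples: returns 1 (and prints the
# diff) because the port-80 rule in chain f1to0 is absent from the second dump.
run_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BEFORE" | normalize_rules > "$tmp/before.rules"
    printf '%s\n' "$SAMPLE_AFTER"  | normalize_rules > "$tmp/after.rules"
    if compare_rulesets "$tmp/before.rules" "$tmp/after.rules"; then
        status=0
    else
        status=1
    fi
    rm -rf "$tmp"
    return $status
}
```

Usage on the live box: source the file, run `snapshot_live before` while the guarddog-applied rules are in place, do the `/etc/init.d/iptables save`, reboot, confirm `iptables_in_default_runlevel` succeeds, run `snapshot_live after`, then `compare_rulesets "$SNAP_DIR/before.rules" "$SNAP_DIR/after.rules"`. An empty diff with exit status 0 means the restore reproduced the saved policy exactly, and the blocked traffic has to be explained by something other than a lost rule; a non-empty diff names the rules to look for in the save file.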
meranto (Tux's lil' helper)
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Wed Nov 16, 2005 12:43 pm
I followed your post exactly:
Before I reboot:
Code: | iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8353 2934K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
42 13920 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
75 15036 ACCEPT all -- eth0 * 192.168.26.116 192.168.26.255
1068 43896 logaborted tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp flags:0x04/0x04
93058 77M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
547 120K nicfilt all -- * * 0.0.0.0/0 0.0.0.0/0
547 120K srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8353 2934K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
74868 15M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
8331 447K s1 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f0to1 (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:43 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:631 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6891:6901 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1212 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19191 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2869 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19191
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2234:2240 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:123 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6970:7170
13 1170 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:5999
52 4056 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpt:137
429 100K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:138 dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:6881:6889 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
4 312 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f1to0 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
4 208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:1863 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:554 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7070 state NEW
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:43 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1755 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1755
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137 state NEW
6 468 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:137
12 1080 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:138
57 13488 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:138 dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:139
50 2600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpts:6881:6889 state NEW
98 5096 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:631 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6891:6901 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:873 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1212 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19191 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6889 358K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2869 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:2628 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:6969 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
240 15126 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
952 49504 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:443 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19191
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2234:2240 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:123 state NEW
22 1096 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaborted (1 references)
pkts bytes target prot opt in out source destination
1056 43416 logaborted2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
Chain logaborted2 (1 references)
pkts bytes target prot opt in out source destination
1056 43416 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `ABORTED '
1056 43416 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain logdrop (4 references)
pkts bytes target prot opt in out source destination
75 15462 logdrop2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop2 (1 references)
pkts bytes target prot opt in out source destination
75 15462 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `DROPPED '
75 15462 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 logreject2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `REJECTED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nicfilt (1 references)
pkts bytes target prot opt in out source destination
547 120K RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain s0 (1 references)
pkts bytes target prot opt in out source destination
21 1794 f0to1 all -- * * 0.0.0.0/0 192.168.26.116
477 104K f0to1 all -- * * 0.0.0.0/0 192.168.26.255
0 0 f0to1 all -- * * 0.0.0.0/0 127.0.0.1
49 14054 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain s1 (1 references)
pkts bytes target prot opt in out source destination
8331 447K f1to0 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain srcfilt (2 references)
pkts bytes target prot opt in out source destination
547 120K s0 all -- * * 0.0.0.0/0 0.0.0.0/0
|
After this I saved the rules: "/etc/init.d/iptables save"
I rebooted and got this (while I can't access the internet or mail):
Code: | iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8417 2950K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
42 13920 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
97 17440 ACCEPT all -- eth0 * 192.168.26.116 192.168.26.255
1076 44216 logaborted tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp flags:0x04/0x04
93175 77M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
551 121K nicfilt all -- * * 0.0.0.0/0 0.0.0.0/0
551 121K srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 srcfilt all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8417 2950K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
74980 15M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
8433 455K s1 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f0to1 (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:43 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:631 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6891:6901 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1212 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19191 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2869 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19191
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2234:2240 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:123 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:6970:7170
13 1170 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:5999
52 4056 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpt:137
433 101K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:138 dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:6881:6889 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
4 312 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f1to0 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
4 208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:1863 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:554 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7070 state NEW
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:43 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1755 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1755
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137 state NEW
6 468 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:137
32 3000 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:138
59 13972 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:138 dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:5999 dpt:139
50 2600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:110 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpts:6881:6889 state NEW
98 5096 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:995 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:631 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6891:6901 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:873 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1212 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19191 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6893 358K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8080 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8008 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:8888 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:25 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2869 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:2628 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:6969 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
245 15440 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
960 49920 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:443 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19191
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2234:2240 state NEW
48 3648 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:5999 dpt:123 state NEW
37 1858 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaborted (1 references)
pkts bytes target prot opt in out source destination
1064 43736 logaborted2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
Chain logaborted2 (1 references)
pkts bytes target prot opt in out source destination
1064 43736 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `ABORTED '
1064 43736 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain logdrop (4 references)
pkts bytes target prot opt in out source destination
90 16224 logdrop2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop2 (1 references)
pkts bytes target prot opt in out source destination
90 16224 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `DROPPED '
90 16224 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 logreject2 all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix `REJECTED '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nicfilt (1 references)
pkts bytes target prot opt in out source destination
551 121K RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain s0 (1 references)
pkts bytes target prot opt in out source destination
21 1794 f0to1 all -- * * 0.0.0.0/0 192.168.26.116
481 105K f0to1 all -- * * 0.0.0.0/0 192.168.26.255
0 0 f0to1 all -- * * 0.0.0.0/0 127.0.0.1
49 14054 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain s1 (1 references)
pkts bytes target prot opt in out source destination
8433 455K f1to0 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain srcfilt (2 references)
pkts bytes target prot opt in out source destination
551 121K s0 all -- * * 0.0.0.0/0 0.0.0.0/0
|
After this I ran "/etc/init.d/iptables stop", otherwise I could not get here. (I could have started "guarddog" too)
Last edited by meranto on Wed Nov 16, 2005 12:57 pm; edited 1 time in total
meranto Tux's lil' helper
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Wed Nov 16, 2005 12:52 pm Post subject:
Here are the last few lines of my "/var/log/messages"
You can see that outgoing traffic is rejected...
Code: | Nov 16 13:37:19 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15919 DF PROTO=TCP SPT=45864 DPT=80 SEQ=4149775503 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDB2A00000000001030302)
Nov 16 13:37:21 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37641 DF PROTO=TCP SPT=50684 DPT=80 SEQ=4160366621 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDBB140000000001030302)
Nov 16 13:37:21 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44279 DF PROTO=TCP SPT=49121 DPT=443 SEQ=4152299598 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDBCB90000000001030302)
Nov 16 13:37:22 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15921 DF PROTO=TCP SPT=45864 DPT=80 SEQ=4149775503 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDBE580000000001030302)
Nov 16 13:37:24 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37643 DF PROTO=TCP SPT=50684 DPT=80 SEQ=4160366621 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDC6CC0000000001030302)
Nov 16 13:37:24 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=TCP SPT=49121 DPT=443 SEQ=4152299598 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFDC8710000000001030302)
Nov 16 13:37:31 localhost su(pam_unix)[10940]: session opened for user root by (uid=1000)
Nov 16 13:37:44 localhost (nathan-10931): GConf server is not in use, shutting down.
Nov 16 13:37:44 localhost (nathan-10931): Exiting
Nov 16 13:38:34 localhost (nathan-10992): starting (version 2.10.1), pid 10992 user 'nathan'
Nov 16 13:38:34 localhost (nathan-10992): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Nov 16 13:38:34 localhost (nathan-10992): Resolved address "xml:readwrite:/home/nathan/.gconf" to a writable configuration source at position 1
Nov 16 13:38:34 localhost (nathan-10992): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Nov 16 13:38:35 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31057 DF PROTO=TCP SPT=45868 DPT=80 SEQ=4236158207 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEDDAE0000000001030302)
Nov 16 13:38:36 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36579 DF PROTO=TCP SPT=50688 DPT=80 SEQ=4229984156 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEE17F0000000001030302)
Nov 16 13:38:36 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18284 DF PROTO=TCP SPT=34886 DPT=443 SEQ=4226327931 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEE2170000000001030302)
Nov 16 13:38:38 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31059 DF PROTO=TCP SPT=45868 DPT=80 SEQ=4236158207 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEE9660000000001030302)
Nov 16 13:38:39 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36581 DF PROTO=TCP SPT=50688 DPT=80 SEQ=4229984156 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEED370000000001030302)
Nov 16 13:38:39 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18286 DF PROTO=TCP SPT=34886 DPT=443 SEQ=4226327931 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFEEDD00000000001030302)
Nov 16 13:38:44 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31061 DF PROTO=TCP SPT=45868 DPT=80 SEQ=4236158207 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF00D60000000001030302)
Nov 16 13:38:45 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36583 DF PROTO=TCP SPT=50688 DPT=80 SEQ=4229984156 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF04A70000000001030302)
Nov 16 13:38:45 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18288 DF PROTO=TCP SPT=34886 DPT=443 SEQ=4226327931 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF05400000000001030302)
Nov 16 13:38:56 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=172.20.16.160 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31063 DF PROTO=TCP SPT=45868 DPT=80 SEQ=4236158207 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF2FB60000000001030302)
Nov 16 13:38:57 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=213.193.208.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36585 DF PROTO=TCP SPT=50688 DPT=80 SEQ=4229984156 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF33870000000001030302)
Nov 16 13:38:57 localhost DROPPED IN= OUT=eth0 SRC=192.168.26.116 DST=64.233.187.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18290 DF PROTO=TCP SPT=34886 DPT=443 SEQ=4226327931 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AFFFF34200000000001030302) |
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Nov 16, 2005 1:23 pm Post subject:
Your rules are killing off new stuff to port 80, for example. s1 and then f1to0 need a src port <6000, and you are trying to come from a higher source port.
Probably the same elsewhere, as it only lets related and established through directly. The other bits, poorly done, kill the new stuff if it doesn't fit the criteria.
meranto Tux's lil' helper
Joined: 23 Sep 2005 Posts: 129 Location: Ridderkerk, The Netherlands
Posted: Wed Nov 16, 2005 1:38 pm Post subject:
With the help of this topic I created a workaround, not the same as the one mentioned in the topic.
I did leave "iptables" in the default runlevel, but I created another script (as a non-programmer) named "firewall-rules" and added it to the default runlevel as well.
The script is as follows:
Code: | #!/sbin/runscript
# Sits in the default runlevel next to "iptables" and re-runs the rule script
# that guarddog applies, so the rules survive a reboot.
depend() {
    # Ordering only: start after the iptables service, but do not require it.
    after iptables
}
start() {
    ebegin "Applying firewall rules"
    /etc/rc.firewall
    # eend reports the script's exit status; on a non-zero status it prints the message.
    eend $? "Firewall rules not set"
} |
It's probably the shortest script ever, but it works perfectly.
After I reboot, I can browse and do mail while all the rules are applied, so whatever I did not specify gets blocked, just the way it should be.
Thanks everyone (magic919, Cintra and limn) for the input, I'll mark this "solved".
btw, is this a bug or just some incompetence in my system? (I did install a lot of different firewalls and removed most of them)
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
Posted: Wed Nov 16, 2005 2:23 pm Post subject:
Good for you
Mvh _________________ "I am not bound to please thee with my answers" W.S.
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Nov 16, 2005 7:50 pm Post subject:
Glad you got that sorted. Given that iptables does the firewalling, there are a surprisingly large number of front ends to manipulate it. The problem is that iptables puts the fear of god into many. If this wasn't the case we'd have fewer magic scripts and so on.
I don't think iptables is too bad, but there's definitely some room for something else.
MaDxRaY Tux's lil' helper
Joined: 14 May 2004 Posts: 106 Location: central europe
Posted: Tue Jan 31, 2006 8:19 pm Post subject:
Hi,
meranto wrote: |
btw, is this a bug or just some incompetence in my system? (I did install a lot of different firewalls and removed most of them) |
I'm also interested in this question. I think it's a major problem of the iptables (1.3.4) restore function / init script (I dislike using graphical toys to fix my firewall), but I found no solution for it, no bug report or anything else.
I'll create one. Maybe there are more people with the same problem. _________________ greetz
Ray