Gentoo Forums
Are this IPTABLES OK???
Forum Index: Networking & Security
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 4:36 pm    Post subject: Are this IPTABLES OK???

I do suffer from dropouts & super bad bandwidth lately.
My ISP claims the prob is not on his side.
I am behind a Tomato router, didn't alter anything there.

Here are the iptables:

Code:
#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP

#$IPT -A FORWARD -o tun0 -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save



Cheers!
_________________
lo-jay

The mechanic "One of 'em Dodge Chargers - let him go by."
The driver "Not today!"

taken from "Two Lane Blacktop"
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Sat Jan 18, 2014 6:24 pm

Two of your rules should be in *this* order:
Code:
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP


You screwed up the copy-paste; some of the rules at the top of your script are duplicated ;)
litan (n00b)
Joined: 13 Aug 2012, Posts: 51
Posted: Sat Jan 18, 2014 7:10 pm

I think this could possibly result in very big log files, if something goes wrong:
Code:
$IPT -A INPUT -j LOG

Maybe you want to limit a bit:
Code:
$IPT -A INPUT -m limit --limit 1/sec -j LOG
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 7:37 pm

OK, now it looks like this:

Code:

#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP

#$IPT -A FORWARD -o tun0 -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT

echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save



Any more stuff wrong? Please bring it on, guys!

cheers!
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 7:50 pm

But I'm getting an error now?

Code:
# /root/rules.sh
 * flushing old rules
 * setting default policies
 * allowing loopback devices
 * allowing ssh on port 22
 * allowing dns on port 53
 * allowing http on port 80
 * allowing https on port 443
 * allowing udp on port 1194
 * allowing udp on port 10010
 * allowing udp on port 10020
 * allowing ping responses
iptables: No chain/target/match by that name.
 * saving settings
 * Saving iptables state ...                 


Code:
#  iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10010 state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10020 state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10010 state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10020 state NEW


Any insights?

Cheers!!!
litan (n00b)
Joined: 13 Aug 2012, Posts: 51
Posted: Sat Jan 18, 2014 8:19 pm

The logging rule is failing, which means you don't have the limit match.
Check if you have support in the iptables command line tool with:
Code:
# iptables -m limit -h
[...]
limit match options:
--limit avg         max average match rate: default 3/hour
                                [Packets per second unless followed by
                                /sec /minute /hour /day postfixes]
--limit-burst number      number to match in a burst, default 5

and check if you have the kernel module:
Code:
# lsmod | grep xt_limit
xt_limit                1857  14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m


By the way, you have to consider that while limiting the LOG target might prevent log file flooding,
it might also miss some packets which might be interesting to you.
If you don't want to miss some specific packets, you should log them separately, e.g.:
Code:
$IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -m limit --limit 1/sec -j LOG --log-prefix "ssh: "
$IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -j DROP
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP 


edit: added --log-prefix


Last edited by litan on Sat Jan 18, 2014 8:26 pm; edited 1 time in total
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Sat Jan 18, 2014 8:19 pm

More up-to-date is, instead of -m state:

Code:
$IPT -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP

Then, you don't need all those "-m state --state NEW" checks, since the state can only be NEW.

Don't block icmp unless you actually have a problem you're trying to solve ;)
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 9:35 pm

hey,

is this essential???

Code:
# lsmod | grep xt_limit
xt_limit                1857  14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m


I did just recompile my kernel, but it is still not showing up...
Where exactly would that option be hiding? ;-)

cheers,
mv (Watchman)
Joined: 20 Apr 2005, Posts: 6276
Posted: Sat Jan 18, 2014 9:59 pm

PaulBredbury wrote:
Don't block icmp

I guess this is the origin of the dropouts and bandwidth problems.
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 10:04 pm

OK,

so how should I alter this line to not block it?

Code:
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT


thanks again!
mv (Watchman)
Joined: 20 Apr 2005, Posts: 6276
Posted: Sat Jan 18, 2014 10:25 pm

You should at least allow 'destination-unreachable' 'source-quench' 'time-exceeded' 'parameter-problem' (and perhaps hash-limited 'echo-reply' and 'echo-request').

As a side note, instead of DROP a (hash-limited) REJECT is a cleaner way: This will actually lower traffic since (at least reasonably written) programs will not repeat their request.
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 10:31 pm

I did put
Code:
$IPT -A INPUT -p icmp -j ACCEPT


still the same dropouts...

cheers!
litan (n00b)
Joined: 13 Aug 2012, Posts: 51
Posted: Sat Jan 18, 2014 10:34 pm

lo-jay wrote:
hey,

is this essential???

Code:
# lsmod | grep xt_limit
xt_limit                1857  14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m


I did just recompile my kernel, but it is still not showing up...
Where exactly would that option be hiding? ;-)

cheers,

If you can't find the kernel option, it is under
Code:
Networking support  --->
    Networking options  --->
        Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
                < > "limit" match support


Is it essential? I guess it kind of depends on your network and your risk tolerance.
If I understand correctly, this is the configuration of a machine
in your local network, right? One should hope that there are no DoS attacks from the local network, but that's not the only
thing that could go wrong. I think it is enough to forget to allow some traffic or other hiccups and your log file
can become very big in a very short time, slowing down your hard drive and possibly filling up your file system,
if you log all dropped packets without limiting.
I would not recommend it.
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sat Jan 18, 2014 11:12 pm

OK, I gladly followed your advice & compiled it as a module:

Code:
# find /lib/modules/$(uname -r)/kernel/net -iname '*.ko'
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_limit.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipvs/ip_vs.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_mark.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipset/ip_set.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_LOG.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/esp4.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_transport.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_beet.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/udp_diag.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ipcomp.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ah4.ko
/lib/modules/3.6.11-gentoo/kernel/net/xfrm/xfrm_ipcomp.ko


Still wondering if there is any way to strip down my iptables conf?

thanks again!
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Sun Jan 19, 2014 9:12 am

lo-jay wrote:
still the same dropouts...

Show what you've got in the firewall rules. Easy way to show:

Code:
iptables-save


"Dropouts" could also be caused by something else, e.g. incorrect MTU setting on interface.
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sun Jan 19, 2014 11:58 am

Here we go:

Code:
iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*nat
:PREROUTING ACCEPT [3:704]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5077:278311]
:POSTROUTING ACCEPT [5077:278311]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*mangle
:PREROUTING ACCEPT [49899:47444940]
:INPUT ACCEPT [49896:47444236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52426:5384762]
:POSTROUTING ACCEPT [52426:5384762]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2498:200012]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 19 14:27:38 2014




cheers again!
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Sun Jan 19, 2014 3:35 pm

Get rid of that --tcp-flags FIN,SYN,RST,ACK SYN line, especially with your unresolved dropout issue. As I mentioned earlier, check for INVALID instead, if anything. Here's an example I'm currently playing with, to see what gets caught:

Code:
$ipt -N invalid
# Reject google (youtube)
$ipt -A invalid -s 173.194.0.0/16 -j REJECT
$ipt -A invalid -s 74.125.0.0/16 -j REJECT
# Drop twitter
$ipt -A invalid -s 199.16.156.0/22 -j DROP
# Drop incapsula
$ipt -A invalid -s 199.83.128.0/21 -j DROP
# Log the remainder
$ipt -A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "invalid: "
$ipt -A invalid -j DROP
$ipt -A INPUT -m conntrack --ctstate INVALID -j invalid


But I don't recommend you try anything like the above, until you've resolved the dropouts - which may require analysis using e.g. wireshark.

All that --state NEW checking you've got is inelegant; I would put that in a chain called "new".

All of your OUTPUT rules at the bottom are useless, because they just ACCEPT, and that's your default policy anyway ;)

Edit: Changed from 2/sec to 1/min with limit-burst


Last edited by PaulBredbury on Sun Feb 02, 2014 11:48 am; edited 2 times in total
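Pulling the thread's advice together (PaulBredbury's conntrack INVALID check, a "new" chain and no OUTPUT rules; litan's rate-limited LOG with a --log-prefix; mv's ICMP types and REJECT), here is one way lo-jay's script could be stripped down. This is an added example, not any poster's code: the rule() wrapper, the DRY_RUN switch that prints commands instead of running them, and the hashlimit parameters are my own assumptions.

```shell
#!/bin/bash
# Stripped-down INPUT policy in the direction the thread points.
# Added example; rule(), DRY_RUN and the hashlimit numbers are assumptions.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}           # 1 = print each command instead of running it
TCP_PORTS="22 80 443"           # services from lo-jay's script
UDP_PORTS="53 1194 10010 10020"

# Run one iptables command, or print it when DRY_RUN=1.
rule() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

build_rules() {
    rule -F; rule -X
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    # Replies first, so most packets leave the chain here.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # What conntrack cannot classify: rate-limited log, then drop.
    # This replaces the "! --syn" rule PaulBredbury advises removing.
    rule -N invalid
    rule -A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "invalid: "
    rule -A invalid -j DROP
    rule -A INPUT -m conntrack --ctstate INVALID -j invalid

    # ICMP error types mv lists, plus per-source rate-limited echo-request.
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        rule -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    rule -A INPUT -p icmp --icmp-type echo-request -m hashlimit \
        --hashlimit-name ping --hashlimit-mode srcip \
        --hashlimit-upto 5/sec --hashlimit-burst 10 -j ACCEPT

    # One "new" chain for listening ports; everything reaching it is NEW
    # by construction, so the per-rule --ctstate NEW checks disappear.
    rule -N new
    for p in $TCP_PORTS; do rule -A new -p tcp --dport "$p" -j ACCEPT; done
    for p in $UDP_PORTS; do rule -A new -p udp --dport "$p" -j ACCEPT; done
    rule -A INPUT -m conntrack --ctstate NEW -j new

    # Remainder: bounded-rate LOG, then REJECT so well-behaved peers stop
    # retrying instead of waiting for a timeout.
    rule -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "input-reject: "
    rule -A INPUT -j REJECT
    # No OUTPUT rules: the policy is already ACCEPT.
}

# Number of rules appended to INPUT in a dry run (sanity check for the script).
count_input_rules() {
    (DRY_RUN=1; build_rules) | grep -c -- '-A INPUT '
}

case "${1:-}" in
    apply)   build_rules ;;
    dry-run) DRY_RUN=1; build_rules ;;
esac
```

Run it as `./rules.sh dry-run` to review every command it would issue before running `./rules.sh apply` as root.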
lo-jay (l33t)
Joined: 27 Feb 2005, Posts: 862
Posted: Sun Jan 19, 2014 4:05 pm

Well,

I commented some lines out. Here is the result:

Code:
# iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*nat
:PREROUTING ACCEPT [121:9118]
:INPUT ACCEPT [90:4700]
:OUTPUT ACCEPT [12220:709783]
:POSTROUTING ACCEPT [12220:709783]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*mangle
:PREROUTING ACCEPT [284085:338108189]
:INPUT ACCEPT [284078:338106700]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289099:26426757]
:POSTROUTING ACCEPT [289099:26426757]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49:8005]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 433 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Jan 19 17:02:42 2014


Should I also get rid of OUTPUT for the loopback line?



ps: thanks a lot :)
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Sun Jan 19, 2014 4:47 pm

lo-jay wrote:
Should I also get rid of OUTPUT for the loopback line?

You can.

With the rules you've got, INVALID traffic will mostly be dropped by your rules. Which is more liable than REJECT (which I think Linux would do with them) to cause "dropouts". So your enthusiastic firewalling may be making the situation worse ;)