iptables question, ports over 1024

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Jun 23 18:16:34 UTC 2005


ted leslie wrote:
> you have to add both a NAT rule and a 
> FORWARD ... ACCEPT rule
> 
> i sometimes forget to do the FORWARD and the result is as you explained.
> 
> -tl

I have a blanket FORWARD rule like so (relevant lines from 'iptables-save'):

-A PREROUTING -d 111.222.33.44 -j DNAT --to-destination 192.168.2.22
-A POSTROUTING -s 192.168.2.22 -j SNAT --to-source 111.222.33.44
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A FORWARD -i eth1 -o eth2 -j SRVOUT
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A SRVIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A SRVIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A SRVIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A SRVIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 1352 -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p udp -m udp --dport 22 -j UDPACCEPT
-A SRVIN -d 192.168.2.22 -p udp -m udp --dport 80 -j UDPACCEPT
-A SRVIN -d 192.168.2.22 -p udp -m udp --dport 1352 -j UDPACCEPT
-A SRVOUT -s 192.168.2.0/255.255.255.0 -o eth2 -j ACCEPT
-A SRVOUT -j ACCEPT

# This allows for flood protection, UDPACCEPT is the same
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT


   Should this not do the job? Thanks!

Madison

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly (Digimer)
TLE-BU, The Linux Experience; Back Up
http://tle-bu.thelinuxexperience.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
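As an added illustration (not from the post or any reply in this thread), the Python below parses the SRVIN and TCPACCEPT rules quoted above and walks constructed packets through them the way the FORWARD chain sees them, that is after the PREROUTING DNAT has already rewritten the destination to 192.168.2.22. It makes three assumptions the post does not settle: `-m limit` is treated as always matching (the packet is within the burst), a jump into the TREJECT chain, which the post does not show, is reported as the verdict "TREJECT", and a packet that matches nothing comes back as None because the FORWARD chain's policy is not in the post. The source address 203.0.113.5 and destination port 8080 are constructed test values.

```python
import ipaddress
import shlex

# TCP-relevant rules quoted from the post, in iptables-save syntax. The post does not
# show the TREJECT chain, so a jump into it is reported as the verdict "TREJECT".
RULES_TEXT = """
-A FORWARD -i eth2 -o eth1 -j SRVIN
-A SRVIN -m state --state INVALID -j TREJECT
-A SRVIN -m state --state ESTABLISHED -j ACCEPT
-A SRVIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A SRVIN -d 192.168.2.22 -p tcp -m tcp --dport 1352 -j TCPACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """One '-A CHAIN ...' line -> {chain, match: {option: (negated, value)}, target}."""
    toks = shlex.split(line)
    rule = {"text": line.strip(), "chain": None, "match": {}, "target": None}
    i, negate = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
        elif tok in ("-A", "-j"):
            rule["chain" if tok == "-A" else "target"] = toks[i + 1]
            i += 2
        elif tok == "-m":            # module loader only; the options after it carry the meaning
            i += 2
        elif tok == "--tcp-flags":   # two arguments: mask, then the flags that must be set in it
            rule["match"]["tcp-flags"] = (negate, (toks[i + 1].split(","), toks[i + 2].split(",")))
            negate, i = False, i + 3
        else:                        # every other option used here takes exactly one value
            rule["match"][tok.lstrip("-")] = (negate, toks[i + 1])
            negate, i = False, i + 2
    return rule


def field_matches(key, want, pkt):
    """Does one match option hold for the packet? Packet keys mirror the option names."""
    if key in ("limit", "log-prefix"):   # simplification: the packet is within the rate limit
        return True
    if key in ("s", "d"):                # accepts both 1.2.3.4 and 1.2.3.0/255.255.255.0 forms
        return key in pkt and ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
    if key == "dport":
        lo, _, hi = want.partition(":")
        return int(lo) <= pkt.get("dport", -1) <= int(hi or lo)
    if key == "state":
        return pkt.get("state") in want.split(",")
    if key == "tcp-flags":
        mask, comp = want
        return (pkt.get("flags", set()) & set(mask)) == set(comp)
    return pkt.get(key) == want          # -i, -o, -p: plain string equality


def rule_matches(rule, pkt):
    # A plain match that missed, or a negated ('!') match that hit, fails the rule.
    return all(field_matches(k, w, pkt) != neg for k, (neg, w) in rule["match"].items())


def evaluate(rules, chain, pkt, trace=None):
    """Walk a chain as the kernel would; returns (verdict, matched rule texts).
    verdict is None when the packet falls off the end and the chain policy decides."""
    trace = [] if trace is None else trace
    chains = {r["chain"] for r in rules}
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        trace.append(rule["text"])
        tgt = rule["target"]
        if tgt == "LOG":                 # non-terminal target: log and keep walking
            continue
        if tgt in TERMINAL or tgt not in chains:
            return tgt, trace            # final verdict, or a jump into a chain the post omits
        verdict, trace = evaluate(rules, tgt, pkt, trace)
        if verdict is not None:
            return verdict, trace
    return None, trace


def demo():
    """Constructed packets as FORWARD sees them: already DNATed to the internal host."""
    rules = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
    base = {"i": "eth2", "o": "eth1", "s": "203.0.113.5", "d": "192.168.2.22",
            "p": "tcp", "flags": {"SYN"}}
    cases = {
        "new_to_80": dict(base, dport=80, state="NEW"),
        "new_to_8080": dict(base, dport=8080, state="NEW"),
        "related_to_8080": dict(base, dport=8080, state="RELATED"),
    }
    return {name: evaluate(rules, "FORWARD", pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict or 'no match; FORWARD policy decides'}")
```

Running it shows the distinction the thread's subject line is about: a NEW TCP connection to port 80 reaches TCPACCEPT and is accepted, a RELATED connection to port 8080 is accepted through the 1024:65535 rule, but a NEW connection to port 8080 matches nothing in SRVIN and is left to the FORWARD policy, which the quoted excerpt does not include. The `trace` list returned alongside the verdict is the quickest way to see which rule ended the walk when the real `iptables -L -v` counters are ambiguous.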