forwarded ports become "filtered" instead of "open"

Anthony DiSante theant at nodivisions.com
Wed Aug 10 19:27:35 CEST 2005


Jörg Harmuth wrote:
>>Can anyone offer some pointers here?  I imagine more of my narc.conf
>>and/or iptables' output would be helpful, but rather than me attaching
>>the whole thing right now, just ask if you want me to post any of that.
> 
> 
> Yes, please do "iptables-save > <filename>" and paste the content of the
> file into your posting, after changing information that must not be
> public (if any). Some other info like kernel version, interfaces (if
> more than one) and iptables version may be useful too.

I only have one network interface (not counting lo).  Here's the rest of 
that info:

# uname -a
Linux box1 2.6.8-2-686-smp #1 SMP Thu May 19 17:27:55 JST 2005 i686 GNU/Linux

# iptables --version
iptables v1.3.1

# iptables-save
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*mangle
:PREROUTING ACCEPT [3810743:1593668883]
:INPUT ACCEPT [3810723:1593667323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5229526:6297115310]
:POSTROUTING ACCEPT [5233616:6298102388]
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 224.0.0.0/240.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 0.0.0.0/255.0.0.0 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 224.0.0.0/240.0.0.0 -i eth0 -m state --state NEW -j DROP
COMMIT
# Completed on Wed Aug 10 13:21:27 2005
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*nat
:PREROUTING ACCEPT [253511:23814701]
:POSTROUTING ACCEPT [23451:1825798]
:OUTPUT ACCEPT [23451:1825798]
COMMIT
# Completed on Wed Aug 10 13:21:27 2005
# Generated by iptables-save v1.3.1 on Wed Aug 10 13:21:27 2005
*filter
:CUST_LOG - [0:0]
:ICMP_CHK - [0:0]
:INPUT DROP [5:272]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60966:44974754]
:SANITY_CHK - [0:0]
:SPOOF_CHK - [0:0]
:STATE_CHK - [0:0]
:TCP_CHK - [0:0]
:UDP_CHK - [0:0]
-A CUST_LOG -s 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 240.0.0.0/248.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 248.0.0.0/248.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -s 10.0.0.12 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p tcp -m multiport --dports 23,81,111,123,161,445,515,555,1234,1241,1243,1433,1494,2049,3306 -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p tcp -m multiport --dports 3128,3389,5631,5632,6635,8080,9055,12345,24452,27374,27573,31337,42484 -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p udp -m multiport --dports 22,161,1025,3283,5634,5882,28431,31337,31789 -j LOG --log-prefix "PROBE " --log-level 7 --log-ip-options
-A CUST_LOG -j DROP
-A ICMP_CHK -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/0 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/1 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/3 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 3/4 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -p icmp -m icmp --icmp-type 11 -m limit --limit 1/sec -j ACCEPT
-A ICMP_CHK -j DROP
-A INPUT -j SPOOF_CHK
-A INPUT -p tcp -j SANITY_CHK
-A INPUT -j STATE_CHK
-A INPUT -s 127.0.0.0/255.255.255.0 -d 127.0.0.0/255.255.255.0 -i lo -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j TCP_CHK
-A INPUT -p udp -j UDP_CHK
-A INPUT -p icmp -j ICMP_CHK
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A SPOOF_CHK -s 127.0.0.0/255.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 240.0.0.0/248.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 248.0.0.0/248.0.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 172.16.0.0/255.240.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 192.168.0.0/255.255.0.0 -i eth0 -j CUST_LOG
-A SPOOF_CHK -s 10.0.0.12 -i eth0 -j CUST_LOG
-A STATE_CHK -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATE_CHK -m state --state INVALID -j DROP
-A STATE_CHK -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 3029:3038 -j ACCEPT
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 5432 -j ACCEPT
-A TCP_CHK -s 10.0.0.12 -d 10.0.0.12 -p tcp -m tcp --dport 3306 -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,873,80,9618 -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,80,873,9618 -m state --state NEW -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCP_CHK -j CUST_LOG
-A UDP_CHK -j CUST_LOG
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 5432 -j ACCEPT
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 3306 -j ACCEPT
COMMIT
# Completed on Wed Aug 10 13:21:27 2005


Thanks,
Anthony DiSante
http://encodable.com/
http://nodivisions.com/
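Editor's note, added to this archived thread and not part of the original post: a ruleset of this shape is easiest to debug by asking which rule actually handles a packet, because a packet that ends at DROP produces no reply and shows up as "filtered" to a port scanner, whereas REJECT or a listening service answers. The linter below (example code, not netfilter's or the poster's) parses iptables-save output, works out which user chains always end a packet's traversal (any chain holding an unconditional jump to DROP, ACCEPT, REJECT or another such chain), and then reports rules that sit after such a jump in the same chain, plus duplicate rules, treating re-ordered multiport lists as equal. The embedded sample is a constructed excerpt modelled on the chains above; on it the tool flags the two UDP_CHK ACCEPT rules as unreachable, because the chain's first rule jumps unconditionally to CUST_LOG, which ends in DROP, and it flags the repeated rules in mangle PREROUTING and TCP_CHK. It assumes plain `-A` lines, which is all iptables-save emits.

```python
"""Lint iptables-save output for unreachable and duplicate rules (added example)."""
import shlex

BUILTIN_TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # end traversal; LOG and RETURN do not
LIST_OPTS = {"--dports", "--sports", "--ports"}    # multiport options that carry a list


def parse_save(text):
    """Return {table: {chain: [(match_tokens, target, target_opts), ...]}} in file order."""
    tables, chains = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                    # table header, e.g. *filter
            chains = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                  # chain declaration (policy ignored)
            chains.setdefault(line[1:].split()[0], [])
        else:
            tok = shlex.split(line)                 # shlex keeps "SPOOF " as one token
            if tok[0] != "-A":
                continue
            body, target, topts = tok[2:], None, []
            match = body
            if "-j" in body:
                j = body.index("-j")
                match, target, topts = body[:j], body[j + 1], body[j + 2:]
            chains.setdefault(tok[1], []).append((match, target, topts))
    return tables


def canonical(match, target, topts):
    """Normalize a rule so `--dports 80,22` and `--dports 22,80` compare equal."""
    out = list(match)
    for i, t in enumerate(out[:-1]):
        if t in LIST_OPTS:
            out[i + 1] = ",".join(sorted(out[i + 1].split(",")))
    return (tuple(out), target, tuple(topts))


def terminal_chains(chains):
    """User chains that always end traversal, e.g. a log-then-DROP chain."""
    terminal = set(BUILTIN_TERMINAL)
    grew = True
    while grew:                                     # fixpoint: chains that jump to terminal chains
        grew = False
        for name, rules in chains.items():
            if name not in terminal and any(not m and t in terminal for m, t, _ in rules):
                terminal.add(name)
                grew = True
    return terminal


def lint(text):
    """Return [(table, chain, rule_no, message)] for dead and duplicate rules."""
    findings = []
    for table, chains in parse_save(text).items():
        terminal = terminal_chains(chains)
        for chain, rules in chains.items():
            seen, blocker = {}, None                # blocker = (rule_no, target) that ends the chain
            for n, (m, t, o) in enumerate(rules, 1):
                if blocker:
                    findings.append((table, chain, n, "unreachable: rule %d always jumps to %s" % blocker))
                key = canonical(m, t, o)
                if key in seen:
                    findings.append((table, chain, n, "duplicate of rule %d" % seen[key]))
                seen.setdefault(key, n)
                if blocker is None and not m and t in terminal:
                    blocker = (n, t)
    return findings


# Constructed sample modelled on the posted ruleset (not the poster's full dump).
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
-A PREROUTING -d 255.255.255.255 -i eth0 -m state --state NEW -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:CUST_LOG - [0:0]
:TCP_CHK - [0:0]
:UDP_CHK - [0:0]
-A CUST_LOG -s 127.0.0.0/255.0.0.0 -i eth0 -j LOG --log-prefix "SPOOF " --log-level 7
-A CUST_LOG -j DROP
-A INPUT -p tcp -j TCP_CHK
-A INPUT -p udp -j UDP_CHK
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,873,80,9618 -m state --state NEW -j ACCEPT
-A TCP_CHK -i eth0 -p tcp -m multiport --dports 22,80,873,9618 -m state --state NEW -j ACCEPT
-A TCP_CHK -j CUST_LOG
-A UDP_CHK -j CUST_LOG
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 5432 -j ACCEPT
-A UDP_CHK -s 10.0.0.12 -d 10.0.0.12 -p udp -m udp --dport 3306 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for table, chain, n, msg in lint(SAMPLE):
        print("%s/%s rule %d: %s" % (table, chain, n, msg))
```

To run it against a live box, replace SAMPLE with the output of `iptables-save`; the same fixpoint logic is what lets it see through one level of indirection (UDP_CHK -> CUST_LOG -> DROP) rather than only flagging rules placed after a literal `-j DROP`.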


