Strange network problem


Strange network problem

Postby osama » Tue Mar 31, 2009 12:30 am



Re: Strange network problem

Postby LinuxFreaK » Tue Mar 31, 2009 10:25 am

Dear osama,
Salam,

Post your firewall rules.

Best Regards.
Farrukh Ahmed


Postby osama » Tue Mar 31, 2009 12:16 pm

Here it is

#Packets are marked like this
#$IPTABLES -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -s $1 -m mac --mac-source $2 -j MARK --set-mark 101

###############################


#!/bin/bash

# Tool paths. $IP is defined but nothing visible in this script uses it.
IPTABLES="/sbin/iptables"
IP="/sbin/ip"

# Interfaces. eth0 faces the LAN whose hosts are marked 101 by the separate
# marking command quoted above; eth1 and eth2 are the two uplinks. In
# do_start, eth1 is masqueraded only for marked traffic, eth2 for everything.
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE="eth1"
EXTERNAL_INTERFACE_SEC="eth2"

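#######################################
# (Re)apply the firewall: enable IPv4 forwarding, reset the filter and nat
# tables, set DROP policies and append the rule set.
# Globals:   IPTABLES, INTERNAL_INTERFACE, EXTERNAL_INTERFACE,
#            EXTERNAL_INTERFACE_SEC (all read)
# Arguments: none
# Outputs:   iptables/modprobe diagnostics on stderr
# Returns:   exit status of the last iptables call. Earlier failures are not
#            checked, so one failing rule leaves a partial rule set behind
#            under the DROP policies.
#######################################
do_start() {
  local -a bogus_flags
  local flags rule proto port

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Start from clean filter and nat tables. -X removes the user chain created
  # below, so a re-run neither fails with "chain already exists" nor
  # accumulates rules. The mangle table is deliberately NOT flushed: the
  # mark-101 rules the whole rule set keys on are added there by the separate
  # marking command quoted above the script, not by this function.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F

  /sbin/modprobe ip_nat_ftp

  # Default deny for traffic to the router and through it. OUTPUT keeps the
  # kernel default (ACCEPT).
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P INPUT DROP

  # --- filter table: packet sanity checks (chain bad_packets) --------------
  # These checks were previously appended to nat/PREROUTING, where they are
  # ineffective: the nat table is consulted only for the first packet of a
  # connection, and packets conntrack classifies as INVALID -- which in
  # practice covers most of the bogus TCP flag combinations below -- never
  # traverse it at all, so the rules could not match. The filter table sees
  # every packet, so the checks are hooked in at the head of INPUT and
  # FORWARD instead.
  "$IPTABLES" -N bad_packets
  "$IPTABLES" -A bad_packets -m state --state INVALID -j DROP
  bogus_flags=(
    "ALL NONE"          # all bits cleared
    "SYN,FIN SYN,FIN"   # SYN and FIN both set
    "SYN,RST SYN,RST"   # SYN and RST both set
    "FIN,RST FIN,RST"   # FIN and RST both set
    "ACK,FIN FIN"       # FIN without the expected accompanying ACK
    "ACK,PSH PSH"       # PSH without the expected accompanying ACK
    "ACK,URG URG"       # URG without the expected accompanying ACK
  )
  for flags in "${bogus_flags[@]}"; do
    # shellcheck disable=SC2086 -- $flags is deliberately two words (mask, set)
    "$IPTABLES" -A bad_packets -p tcp --tcp-flags $flags -j DROP
  done
  "$IPTABLES" -A INPUT -j bad_packets
  "$IPTABLES" -A FORWARD -j bad_packets

  # --- nat table -----------------------------------------------------------
  # NOTE: nat/PREROUTING sees only the first packet of a connection, so the
  # DROPs here stop new flows but never inspect later packets of a flow that
  # was already accepted. They are kept where they were so the resulting
  # behaviour is unchanged; strictly, filtering belongs in the filter table.
  for rule in "tcp 135" "udp 135" "tcp 445" "tcp 139" "udp 80" "udp 5060" "tcp 5060"; do
    proto=${rule%% *}
    port=${rule#* }
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" --dport "$port" -j DROP
  done

  # Oversized ICMP (100 bytes and up).
  "$IPTABLES" -t nat -A PREROUTING -p icmp -m length --length 100: -j DROP

  #########virus ip start start
  "$IPTABLES" -t nat -A PREROUTING -d 62.219.197.36/32 -j DROP # virus
  # NOTE(review): iptables masks the host bits, so this rule blocks all of
  # 82.103.128.0/24, not only .83 -- confirm whether /24 or /32 was intended.
  "$IPTABLES" -t nat -A PREROUTING -d 82.103.128.83/24 -j DROP # virus
  #########virus ip start END

  # Marked (101) clients: HTTP is redirected to local port 8085 (presumably a
  # proxy -- verify), everything else is masqueraded out of
  # $EXTERNAL_INTERFACE. Anything leaving via $EXTERNAL_INTERFACE_SEC is
  # masqueraded regardless of mark.
  "$IPTABLES" -t nat -A PREROUTING -m mark --mark 101 -p tcp --dport 80 -j REDIRECT --to-port 8085
  "$IPTABLES" -t nat -A POSTROUTING -m mark --mark 101 -o "$EXTERNAL_INTERFACE" -j MASQUERADE
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE_SEC" -j MASQUERADE

  # --- filter table: what is accepted --------------------------------------
  "$IPTABLES" -A INPUT -i lo -d 0/0 -j ACCEPT

  # Rate-limited log of every forwarded packet reaching this point, accepted
  # ones included (LOG is non-terminating, so the rules below still apply).
  "$IPTABLES" -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix FORWARD-Firewall: --log-level 4

  # Only marked LAN clients are forwarded; replies come back via either uplink.
  "$IPTABLES" -A FORWARD -i "$INTERNAL_INTERFACE" -m mark --mark 101 -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$EXTERNAL_INTERFACE_SEC" -m state --state ESTABLISHED,RELATED -j ACCEPT

  "$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE_SEC" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Marked LAN clients may also talk to the router itself.
  "$IPTABLES" -A INPUT -i "$INTERNAL_INTERFACE" -m mark --mark 101 -j ACCEPT

  # The services below are accepted from any source on ANY interface,
  # including both uplinks. Telnet is cleartext and classic VNC sessions are
  # unencrypted; adding -i "$INTERNAL_INTERFACE" (or a -s management range)
  # to these rules would keep them off the Internet-facing side.
  #VNC (RFB is TCP; the udp rules presumably match nothing in practice)
  "$IPTABLES" -A INPUT -p udp --destination-port 5900 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --destination-port 5900 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --destination-port 5901 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --destination-port 5901 -j ACCEPT

  #DHCP (DHCP is UDP; the tcp rule is a harmless no-op)
  "$IPTABLES" -A INPUT -i "$INTERNAL_INTERFACE" -p tcp --sport 68 --dport 67 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INTERNAL_INTERFACE" -p udp --sport 68 --dport 67 -j ACCEPT

  #SSH
  "$IPTABLES" -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT

  #TELNET
  "$IPTABLES" -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 23 --syn -j ACCEPT

}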

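#######################################
# Tear the rule set down: reset the built-in policies to ACCEPT and flush
# the filter and nat tables. This leaves the router and the forwarded
# clients unfiltered until do_start runs again. The mangle table (packet
# marks) is left alone, matching do_start.
# Globals:   IPTABLES (read)
# Arguments: none
# Returns:   exit status of the last iptables call
#######################################
do_stop() {
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F
}

# "stop" tears the rules down. Any other argument, or none, (re)applies
# them -- previously every argument, "stop" included, silently did that.
case "${1:-start}" in
  stop)
    do_stop
    ;;
  *)
    do_start
    ;;
esac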
###############################


Postby osama » Mon Apr 06, 2009 12:24 pm


