problem in linux

Protecting your Linux box
venky145
Havaldaar
Posts: 118
Joined: Thu Jan 13, 2005 2:35 pm
Location: qatar


Post by venky145 »

hi

I am using this script on my Linux box. The problem is with my client systems: we are using Windows XP and Linux (FC4). In XP the internet is working fine; the problem is in Linux, where the internet is not working. Sometimes it works, but for a maximum of 2 to 3 minutes only.


this is my firewall script

#!/bin/sh
PATH=$PATH:/sbin:/bin:/usr/bin:/usr/sbin
export PATH

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 0/0 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 5050 -j MASQUERADE
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 3128 -j DROP
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#BLOCKING MOVIE SERVER MAC ADDRESS
iptables -A INPUT -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A FORWARD -m mac --mac-source 00:11:25:b8:58:76 -j DROP

#PING BLOCK EXCEPT ONE IP
iptables -A INPUT -s 10.21.0.145 -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP

#PING BLOCK EXCEPT ONE IP (outbound; "! -d" is the negation syntax current iptables expects)
iptables -A OUTPUT ! -d 10.21.0.145 -p icmp -j DROP

# Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Limit the connection-tracking table. The original wrote an out-of-range value here,
# which the kernel rejects; 65536 is a placeholder chosen for this fix.
echo "65536" > /proc/sys/net/ipv4/ip_conntrack_max
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing tables possibly to a bad end.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

/sbin/iptables -t nat -A POSTROUTING -s 10.21.0.1/24 -d 0/0 -j MASQUERADE
/sbin/iptables -I INPUT -p tcp -s 10.21.0.1/24 -d 0/0 --dport 3128 -j ACCEPT
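The posted script mixes `-I` (insert at the top, or at a given position) with `-A` (append), so the order in which the kernel evaluates the INPUT chain is not the order of the lines in the file: the `--dport 3128 -j DROP` rule that appears first ends up third, and the LAN `ACCEPT` for port 3128 that appears last ends up first. The following is an added example, not code from the original post, that replays the script's iptables calls (embedded here as constructed input, with the negation written as `! -d`) and prints the resulting per-chain order, which is what you would compare against `iptables -L -n --line-numbers` when debugging a box like this.

```python
import shlex

# Constructed input: the iptables calls from the posted script, in file order.
SCRIPT = """
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 0/0 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 5050 -j MASQUERADE
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 3128 -j DROP
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A FORWARD -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A INPUT -s 10.21.0.145 -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT ! -d 10.21.0.145 -p icmp -j DROP
/sbin/iptables -t nat -A POSTROUTING -s 10.21.0.1/24 -d 0/0 -j MASQUERADE
/sbin/iptables -I INPUT -p tcp -s 10.21.0.1/24 -d 0/0 --dport 3128 -j ACCEPT
"""

# Built-in chains of the three tables the script touches.
BUILTIN = {
    "filter": ["INPUT", "FORWARD", "OUTPUT"],
    "nat": ["PREROUTING", "POSTROUTING", "OUTPUT"],
    "mangle": ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"],
}


def simulate(script_text):
    """Replay -F/-X/-A/-I calls and return {table: {chain: [rule, ...]}} in final order."""
    tables = {t: {c: [] for c in chains} for t, chains in BUILTIN.items()}
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if not argv[0].endswith("iptables"):
            continue  # PATH exports and sysctl echoes do not change the rule set
        argv = argv[1:]
        table = "filter"
        if "-t" in argv:
            i = argv.index("-t")
            table = argv[i + 1]
            del argv[i:i + 2]
        chains = tables[table]
        op, rest = argv[0], argv[1:]
        if op == "-F":  # flush one chain, or every chain of the table
            for c in ([rest[0]] if rest else list(chains)):
                chains[c].clear()
        elif op == "-X":  # delete user-defined chains (the script defines none)
            targets = [rest[0]] if rest else [c for c in chains if c not in BUILTIN[table]]
            for c in targets:
                chains.pop(c, None)
        elif op == "-A":  # append at the end of the chain
            chains[rest[0]].append(" ".join(rest[1:]))
        elif op == "-I":  # insert at a 1-based position, default 1 (the top)
            chain, rest = rest[0], rest[1:]
            pos = 1
            if rest and rest[0].isdigit():
                pos, rest = int(rest[0]), rest[1:]
            chains[chain].insert(pos - 1, " ".join(rest))
        else:
            raise ValueError("unsupported iptables operation: " + op)
    return tables


def first_match(rules, needle):
    """Return the 1-based position of the first rule containing `needle`, or None."""
    for n, rule in enumerate(rules, 1):
        if needle in rule:
            return n
    return None


if __name__ == "__main__":
    for table, chains in simulate(SCRIPT).items():
        for chain, rules in chains.items():
            if rules:
                print(f"[{table}] {chain}")
                for n, rule in enumerate(rules, 1):
                    print(f"  {n:2d}. {rule}")
```

Running it shows the filter INPUT chain as the kernel sees it: LAN ACCEPT to 3128, then ESTABLISHED/RELATED, then the global DROP for 3128, then the MAC and ICMP rules. Because the DROP sits below the ACCEPT, the LAN still reaches squid; the simulator only reports rule order and does not evaluate packets, so it cannot tell you why a client's connectivity drops, but it removes one common misreading of scripts that mix `-I` and `-A`.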
nayyares
Battalion Quarter Master Havaldaar
Posts: 237
Joined: Tue Dec 13, 2005 10:47 pm
Location: JNB, SA

Post by nayyares »

Hi,

Post the tcpdump of your internet server as well as of the Linux client.

PS: grep only one Linux client's tcpdump at the server :p

cheers
Nayyar Ahmad
RHCE, CCNA, OCP DBA
nayyares aT fedoraproject DoT org
blogs: nayyares.blogspot.com