problem in linux

Protecting your Linux box

Postby venky145 » Thu Jan 03, 2008 12:51 pm

Hi,

I am using this script on my Linux box. The problem is that my client systems are using Windows XP and Linux (FC4). On XP the internet works fine; the problem is on Linux, where the internet does not work, or sometimes works for a maximum of 2 to 3 minutes only.

This is my firewall script:

PATH=$PATH:/sbin:/bin:/usr/bin:/usr/sbin
export PATH

# Flush all rules and delete user-defined chains in every table
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Enable IP forwarding so this box routes for the clients
echo "1" > /proc/sys/net/ipv4/ip_forward

# Transparent proxy: redirect all outbound HTTP to squid on port 3128
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 0/0 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 5050 -j MASQUERADE
# Drop direct access to the proxy port (the per-subnet ACCEPT at the end is inserted above this rule)
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 3128 -j DROP
# Raise the ARP/neighbour cache garbage-collection thresholds
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
# Stateful rule, inserted at position 1 so established/related traffic is accepted first
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#BLOCKING MOVIE SERVER MAC ADDRESS
iptables -A INPUT -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A FORWARD -m mac --mac-source 00:11:25:b8:58:76 -j DROP

#INCOMING PING BLOCK EXCEPT FROM ONE IP
iptables -A INPUT -s 10.21.0.145 -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP

#OUTGOING PING BLOCK EXCEPT TO ONE IP
iptables -A OUTPUT -d ! 10.21.0.145 -p icmp -j DROP

# Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Connection tracking table size. NOTE: ip_conntrack_max is an integer sysctl, so a value
# this large is out of range; the kernel rejects or truncates it rather than applying it as written.
echo "99999999999999999999999999999" > /proc/sys/net/ipv4/ip_conntrack_max
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along the path from which it came, namely outside
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing tables possibly to a bad end.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# NAT for the client subnet, and allow that subnet to reach the proxy port (inserted above the DROP)
/sbin/iptables -t nat -A POSTROUTING -s 10.21.0.1/24 -d 0/0 -j MASQUERADE
/sbin/iptables -I INPUT -p tcp -s 10.21.0.1/24 -d 0/0 --dport 3128 -j ACCEPT
venky145
Havaldaar
 
Posts: 118
Joined: Thu Jan 13, 2005 2:35 pm
WLM: ranga72
Yahoo Messenger: venky145
Location: qatar
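Added example, not part of venky145's post or anyone's reply in this thread: the script above mixes `-I` (insert, at position 1 unless a position is given) and `-A` (append) on the INPUT chain, so the order the kernel ends up with is not the order the lines are written in. This small sh/awk helper replays the INPUT rules copied from the script and prints the resulting chain, which is what you would otherwise read off `iptables -L INPUT --line-numbers` on the box. The function name `replay_chain` and the variable `RULES` are my own; the rule lines are taken verbatim from the script.

```shell
#!/bin/sh
# Added example: replay iptables -A/-I commands for one chain and print the final
# rule order the kernel would hold. Not from the original post.

# Constructed input: the INPUT-chain commands from the firewall script, in script order.
RULES='iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 3128 -j DROP
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A INPUT -s 10.21.0.145 -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP
/sbin/iptables -I INPUT -p tcp -s 10.21.0.1/24 -d 0/0 --dport 3128 -j ACCEPT'

# replay_chain CHAIN: reads iptables commands on stdin, prints "N rule-spec" lines
# for CHAIN in final order. -A appends; -I [pos] inserts at pos (default 1),
# pushing existing rules at pos and below one slot down.
replay_chain() {
    awk -v chain="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if (($i == "-A" || $i == "-I") && $(i + 1) == chain) {
                op = $i
                j = i + 2
                pos = 1
                # optional numeric position after -I CHAIN
                if (op == "-I" && $j ~ /^[0-9]+$/) { pos = $j; j++ }
                spec = ""
                for (k = j; k <= NF; k++) spec = spec ((spec == "") ? "" : " ") $k
                if (op == "-A") {
                    n++
                    rule[n] = spec
                } else {
                    if (pos > n + 1) pos = n + 1
                    for (k = n; k >= pos; k--) rule[k + 1] = rule[k]
                    rule[pos] = spec
                    n++
                }
                break
            }
        }
    }
    END { for (i = 1; i <= n; i++) print i, rule[i] }'
}

# Usage: show the effective INPUT chain produced by the script
printf '%s\n' "$RULES" | replay_chain INPUT
```

The output shows the last line of the script, the `-I INPUT ... -s 10.21.0.1/24 --dport 3128 -j ACCEPT`, landing at position 1, the stateful ACCEPT at 2, and the blanket `--dport 3128 DROP` at 3, so clients in 10.21.0.0/24 reach squid while everyone else hitting port 3128 directly is dropped. Running the same check against the real box with `iptables -L INPUT -n --line-numbers` confirms whether the loaded chain matches this expectation.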

Postby nayyares » Thu Jan 03, 2008 1:42 pm

Hi,

Post the tcpdump output from your internet server as well as from a Linux client.

PS: grep only one Linux client's traffic in the tcpdump at the server :p

Cheers,
Nayyar Ahmad
RHCE, CCNA, OCP DBA
nayyares aT fedoraproject DoT org
blogs: nayyares.blogspot.com
nayyares
Battalion Quarter Master Havaldaar
 
Posts: 237
Joined: Tue Dec 13, 2005 10:47 pm
Website: http://fedoraproject.org/wiki/NayyarAhmad
WLM: nayyares@hotmail.com
Location: JNB, SA

