problem in linux

Protecting your Linux box
venky145
Havaldaar
Posts: 118
Joined: Thu Jan 13, 2005 2:35 pm
Location: qatar
Contact:

problem in linux

Postby venky145 » Thu Jan 03, 2008 12:51 pm

hi

i am using this script in my linux box, the problem is my clients systems we are using windows xp and linux (FC4) my pronlem is in XP internet is working fine probl is in linux internet not working sometimes its works maximum 2 to 3 min only .


this is my firewall script

PATH=$PATH:/sbin:/bin:/usr/bin:/usr/sbin
export PATH

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 0/0 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 5050 -j MASQUERADE
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 3128 -j DROP
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#BLOCKING MOVIE SERVER MAC ADDRESS
iptables -A INPUT -m mac --mac-source 00:11:25:b8:58:76 -j DROP
iptables -A FORWARD -m mac --mac-source 00:11:25:b8:58:76 -j DROP

#PING BLOCK EXCEPT ONE IP
iptables -A INPUT -s 10.21.0.145 -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP

#PING BLOCK EXCEPT ONE IP
iptables -A OUTPUT -d ! 10.21.0.145 -p icmp -j DROP

# Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along the path from which it came, namely outside
echo "99999999999999999999999999999" > /proc/sys/net/ipv4/ip_conntrack_max
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing tables possibly to a bad end.\par^M
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

/sbin/iptables -t nat -A POSTROUTING -s 10.21.0.1/24 -d 0/0 -j MASQUERADE
/sbin/iptables -I INPUT -p tcp -s 10.21.0.1/24 -d 0/0 --dport 3128 -j ACCEPT

nayyares
Battalion Quarter Master Havaldaar
Posts: 237
Joined: Tue Dec 13, 2005 10:47 pm
Location: JNB, SA
Contact:

Postby nayyares » Thu Jan 03, 2008 1:42 pm

Hi,

Post $tcpdump of your internet server as well as linux client.

PS: grep only one linux client tcpdump at server :p

cheers
Nayyar Ahmad
RHCE, CCNA, OCP DBA
nayyares aT fedoraproject DoT org
blogs: nayyares.blogspot.com


Return to “Security”

Who is online

Users browsing this forum: No registered users and 1 guest