Hi!
I've been putting together an iptables filter, but it doesn't close off MySQL, among other things, which I don't understand.
Here is a dump of the chains (eth0 is the external interface, eth1 the internal one). The machine also hosts http, https, dns, ftp and smtp, which have to be reachable from outside... But where on earth is the error that, for example, lets someone connect from outside to port xxxxx, where I have Webmin running???
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
140 14875 ACCEPT all -- lo any anywhere anywhere
1281 108K ACCEPT all -- eth1 any 192.168.225.0/24 anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP all -- any any 192.168.1.2 anywhere
0 0 DROP all -- any any 10.0.0.0/8 anywhere
0 0 DROP all -- any any 172.16.0.0/12 anywhere
0 0 DROP all -- any any 255.255.255.255 anywhere
0 0 DROP all -- any any anywhere 0.0.0.0
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
0 0 DROP all -- any any 240.0.0.0/5 anywhere
0 0 DROP all -- any any 0.0.0.0/8 anywhere
0 0 DROP all -- any any 127.0.0.0/8 anywhere
0 0 DROP all -- any any 169.254.0.0/16 anywhere
0 0 DROP all -- any any 192.0.2.0/24 anywhere
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/3 anywhere
0 0 DROP udp -- eth0 any anywhere 192.168.1.2 udp spts:32769:65535 dpts:traceroute:33523
0 0 ACCEPT udp -- eth0 any anywhere 192.168.1.2 udp spts:1024:65535 dpt:domain
0 0 ACCEPT udp -- eth0 any anywhere 192.168.1.2 udp spt:domain dpt:domain
11 1945 ACCEPT udp -- eth0 any anywhere 192.168.1.2 udp spt:domain dpts:1024:65535
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:domain dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:domain
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:telnet dpts:1022:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:http
21 5710 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:http dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:https
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:https dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:ssh dpts:1022:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:smtp
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:smtp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:pop3 dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:nntp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:ftp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:ftp-data dpts:1024:65535
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:ftp
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:ftp-data flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpts:1024:65535
0 0 ACCEPT icmp -- eth0 any anywhere 192.168.1.2 icmp echo-reply
0 0 ACCEPT icmp -- eth0 any anywhere 192.168.1.2 icmp destination-unreachable
0 0 ACCEPT icmp -- eth0 any anywhere 192.168.1.2 icmp source-quench
0 0 ACCEPT icmp -- eth0 any anywhere 192.168.1.2 icmp time-exceeded
0 0 ACCEPT icmp -- eth0 any anywhere 192.168.1.2 icmp parameter-problem
0 0 LOG tcp -- eth0 any anywhere anywhere LOG level warning
5 260 LOG udp -- eth0 any anywhere anywhere udp dpts:0:1023 LOG level warning
0 0 LOG udp -- eth0 any anywhere anywhere udp dpts:1024:65535 LOG level warning
0 0 LOG icmp -- eth0 any anywhere anywhere icmp redirect LOG level warning
0 0 LOG icmp -- eth0 any anywhere anywhere icmp type 13 code 255 LOG level warning
0 0 DROP tcp -- eth0 any anywhere anywhere
5 260 DROP udp -- eth0 any anywhere anywhere udp dpts:0:1023
0 0 DROP udp -- eth0 any anywhere anywhere udp dpts:1024:65535
0 0 DROP icmp -- eth0 any anywhere anywhere icmp redirect
0 0 DROP icmp -- eth0 any anywhere anywhere icmp type 13 code 255

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 DROP all -- eth1 any !192.168.225.0/24 anywhere
0 0 ACCEPT all -- eth1 any 192.168.225.0/24 anywhere state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any !192.168.225.0/24 anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
140 14875 ACCEPT all -- any lo anywhere anywhere
1945 1134K ACCEPT all -- any eth1 anywhere 192.168.225.0/24
0 0 ACCEPT udp -- any eth0 192.168.1.2 anywhere udp spts:32769:65535 dpts:traceroute:33523
0 0 ACCEPT udp -- any eth0 192.168.1.2 anywhere udp spt:domain dpts:1024:65535
0 0 ACCEPT udp -- any eth0 192.168.1.2 anywhere udp spt:domain dpt:domain
11 738 ACCEPT udp -- any eth0 192.168.1.2 anywhere udp spts:1024:65535 dpt:domain
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:domain
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:domain dpts:1024:65535
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1022:65535 dpt:telnet
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:http dpts:1024:65535 flags:!SYN,RST,ACK/SYN
42 10206 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:http
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:https dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:https
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1022:65535 dpt:ssh
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:smtp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:smtp
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:pop3
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:nntp
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:ftp
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpt:ftp-data flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:ftp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spt:ftp-data dpts:1024:65535
0 0 ACCEPT tcp -- any eth0 192.168.1.2 anywhere tcp spts:1024:65535 dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT icmp -- any eth0 192.168.1.2 anywhere icmp fragmentation-needed
0 0 ACCEPT icmp -- any eth0 192.168.1.2 anywhere icmp source-quench
0 0 ACCEPT icmp -- any eth0 192.168.1.2 anywhere icmp echo-request
0 0 ACCEPT icmp -- any eth0 192.168.1.2 anywhere icmp parameter-problem
0 0 REJECT all -- any eth0 anywhere anywhere reject-with icmp-port-unreachable
/Brian
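Added example (not part of Brian's post, and not code from any project he mentions): a small rule walker that reads rules in the `iptables -L -v` format shown above and reports which rule gives the verdict for a given packet. Reading the INPUT chain this way points at the rule `ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpts:1024:65535`: unlike the neighbouring return-traffic rules it carries no `flags:!SYN,RST,ACK/SYN` qualifier, so a fresh SYN from any ephemeral source port to any port above 1023 is accepted, which is exactly where MySQL (default 3306) and Webmin listen. The chain text in the script is a constructed subset of the post's INPUT chain with each rule on one line; the `HARDENED_INPUT` variant, which swaps that rule for a conntrack `state RELATED,ESTABLISHED` rule like the one the FORWARD chain already uses, is an assumed fix and not something the post contains. The source address and ports in the sample packets are constructed too.

```python
"""Walk a packet through an iptables chain dumped in `iptables -L -v` format.

Added example, not from the original post. INPUT_CHAIN is a constructed subset of the
post's INPUT chain (one rule per line); HARDENED_INPUT is an assumed fix, not the post's.
"""
import ipaddress

# Service names as iptables prints them without -n (constructed subset).
SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25,
            "ftp": 21, "ftp-data": 20, "telnet": 23, "pop3": 110, "nntp": 119}

# pkts bytes target prot opt in out source destination [match options]
INPUT_CHAIN = """\
140 14875 ACCEPT all -- lo any anywhere anywhere
1281 108K ACCEPT all -- eth1 any 192.168.225.0/24 anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpt:http
21 5710 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spt:http dpts:1024:65535 flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpts:1024:65535
0 0 LOG tcp -- eth0 any anywhere anywhere LOG level warning
0 0 DROP tcp -- eth0 any anywhere anywhere
"""

# Assumed fix: the stateless high-port ACCEPT becomes a conntrack rule, so only
# replies to connections this host opened get in on those ports.
HARDENED_INPUT = INPUT_CHAIN.replace(
    "0 0 ACCEPT tcp -- eth0 any anywhere 192.168.1.2 tcp spts:1024:65535 dpts:1024:65535",
    "0 0 ACCEPT all -- eth0 any anywhere 192.168.1.2 state RELATED,ESTABLISHED")


def port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]


def port_range(spec):
    lo, _, hi = spec.partition(":")
    return (port(lo), port(hi) if hi else port(lo))


def parse_rule(line):
    f = line.split()
    rule = {"target": f[2], "prot": f[3], "in": f[5], "src": f[7], "dst": f[8],
            "sport": (0, 65535), "dport": (0, 65535), "flags": None, "state": None}
    extra = f[9:]
    for i, tok in enumerate(extra):
        key, _, val = tok.partition(":")
        if key in ("spt", "spts"):
            rule["sport"] = port_range(val)
        elif key in ("dpt", "dpts"):
            rule["dport"] = port_range(val)
        elif key == "flags":
            # "flags:!SYN,RST,ACK/SYN" is how iptables prints "! --tcp-flags SYN,RST,ACK SYN"
            negated = val.startswith("!")
            mask, comp = val.lstrip("!").split("/")
            rule["flags"] = (negated, set(mask.split(",")),
                             set() if comp == "NONE" else set(comp.split(",")))
        elif tok == "state":
            rule["state"] = set(extra[i + 1].split(","))
    return rule


def addr_match(spec, ip):
    if spec == "anywhere":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def flags_match(spec, pkt_flags):
    # --tcp-flags MASK COMP matches when (flags & MASK) == COMP; "!" inverts the result.
    if spec is None:
        return True
    negated, mask, comp = spec
    return ((pkt_flags & mask) == comp) != negated


def rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["prot"]) or rule["in"] not in ("any", pkt["in"]):
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["state"] is not None and pkt["state"] not in rule["state"]:
        return False
    if pkt["prot"] == "tcp":
        if not rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]:
            return False
        if not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
            return False
        if not flags_match(rule["flags"], pkt["flags"]):
            return False
    return True


def verdict(chain_text, pkt):
    """Return (target, rule number) of the first terminating match; LOG falls through."""
    for n, line in enumerate(chain_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule_matches(rule, pkt) and rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], n
    return "DROP (policy)", None  # the post's chain header says policy DROP


def new_tcp_syn(dport, sport=40000, src="203.0.113.5"):
    """Constructed inbound SYN on eth0 towards the host's external address."""
    return {"prot": "tcp", "in": "eth0", "src": src, "dst": "192.168.1.2",
            "sport": sport, "dport": dport, "flags": {"SYN"}, "state": "NEW"}


def http_reply(sport=80, dport=40000, src="203.0.113.5"):
    """Constructed reply segment for an outbound connection this host opened to port 80."""
    return {"prot": "tcp", "in": "eth0", "src": src, "dst": "192.168.1.2",
            "sport": sport, "dport": dport, "flags": {"ACK"}, "state": "ESTABLISHED"}


if __name__ == "__main__":
    for dport in (80, 22, 3306):
        print(dport, verdict(INPUT_CHAIN, new_tcp_syn(dport)),
              verdict(HARDENED_INPUT, new_tcp_syn(dport)))
```

Running it shows the asymmetry: a SYN to port 80 is accepted by the http rule in both chains, a SYN to port 22 falls through to the final DROP in both, but a SYN to 3306 is accepted by the broad high-port rule in the original chain and only dropped in the hardened one, while the legitimate reply segment from port 80 still passes in both. The same walker can be pointed at the OUTPUT chain or at a real `iptables -L -v` dump once the wrapped lines are joined back together.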