"Alex Holst" <a@mongers.org> wrote in message
news:slrnai7268.htd.a@Alpha.Area51.DK...
> Stab in the dark: du har ikke et ip filter der staar i vejen for at dhcp
> klienten modtager det nye lease?
Jo jeg har en stak iptables kommandoer, men jeg har iirc ikke ændret i dem
siden det virkede
i kan lige få dem her hvis det har nogen interesse
#printf "."
IPC=/sbin/iptables
IF=eth0
#IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
#NET=$IP/$MASK
#printf "."
#Delete user made chains. Flush and zero the chains.
$IPC -F
$IPC -X
$IPC -Z
$IPC -t nat -F
$IPC -t nat -X
$IPC -t nat -Z
#Creating custom chains.
$IPC -N LDROP
$IPC -A LDROP -p tcp -j LOG --log-level 3 --log-prefix "DROP "
$IPC -A LDROP -p udp -j LOG --log-level 3 --log-prefix "DROP "
$IPC -A LDROP -p icmp -j LOG --log-level 3 --log-prefix "DROP "
$IPC -A LDROP -f -j LOG --log-level 3 --log-prefix "DROP "
$IPC -A LDROP -j DROP
$IPC -N LREJECT
$IPC -A LREJECT -p tcp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LREJECT -p udp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LREJECT -p icmp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LREJECT -f -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LREJECT -j REJECT
$IPC -N LACCEPT
$IPC -A LACCEPT -p tcp -j LOG --log-level 3 --log-prefix "ACCEPT "
$IPC -A LACCEPT -p udp -j LOG --log-level 3 --log-prefix "ACCEPT "
$IPC -A LACCEPT -p icmp -j LOG --log-level 3 --log-prefix "ACCEPT "
$IPC -A LACCEPT -f -j LOG --log-level 3 --log-prefix "ACCEPT "
$IPC -A LACCEPT -j ACCEPT
$IPC -N TREJECT
$IPC -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPC -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
$IPC -A TREJECT -j REJECT
$IPC -N LTREJECT
$IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
$IPC -A LTREJECT -p tcp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LTREJECT -p udp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LTREJECT -p icmp -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LTREJECT -f -j LOG --log-level 3 --log-prefix "REJECT "
$IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
$IPC -A LTREJECT -j REJECT
#printf "."
#Allow all traffic on the loopback interface (lo)
$IPC -I INPUT -i lo -j ACCEPT
$IPC -I OUTPUT -o lo -j ACCEPT
$IPC -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
#printf "."
#Allow connections with the ack bit set.
#(They are from an established connections)
$IPC -A INPUT -p tcp ! --syn -i $IF -j ACCEPT
#printf "."
#Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
fi
#printf "."
#Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#printf "."
#Set up kernel to handle dynamic IP masquerading
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
#printf "."
#to enable ip MASQUERADE and automatic defragmention (for masquerading)
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
#printf "."
#timeouts
#$IPC -M -S 14400 60 600
#printf "."
#Block nonroutable IPs
$IPC -A INPUT -j DROP -s 10.0.0.0/8 -i $IF
$IPC -A INPUT -j DROP -s 127.0.0.0/8 -i $IF
$IPC -A INPUT -j DROP -s 172.16.0.0/12 -i $IF
$IPC -A INPUT -j DROP -s 192.168.0.0/16 -i $IF
#printf "."
#Block Back Orifice
$IPC -A INPUT -p tcp -i $IF --dport 31337 -j LDROP
$IPC -A INPUT -p udp -i $IF --dport 31337 -j LDROP
#Block NetBus
$IPC -A INPUT -p tcp -i $IF --dport 12345:12346 -j LDROP
$IPC -A INPUT -p udp -i $IF --dport 12345:12346 -j LDROP
#Block Trin00
$IPC -A INPUT -p tcp -i $IF --dport 1524 -j LDROP
$IPC -A INPUT -p tcp -i $IF --dport 27665 -j LDROP
$IPC -A INPUT -p udp -i $IF --dport 27444 -j LDROP
$IPC -A INPUT -p udp -i $IF --dport 31335 -j LDROP
#printf "."
#Block Multicast
$IPC -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPC -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
#printf "."
#PortsRules
#FTP(21)
$IPC -A INPUT -p tcp -i $IF --dport 21 -j LACCEPT
#SSH
$IPC -A INPUT -p tcp -i $IF --dport 22 -j LACCEPT
#SMTP
#$IPC -A INPUT -p tcp -i $IF --dport 25 -j LACCEPT
#WWW
$IPC -A INPUT -p tcp -i $IF --dport 80 -j LACCEPT
#POP
#$IPC -A INPUT -p tcp -i $IF --dport 110 -j LACCEPT
#IDENT
$IPC -A INPUT -p tcp -i $IF --dport 113 -j ACCEPT
$IPC -A INPUT -p udp -i $IF --dport 113 -j ACCEPT
#printf "."
#Settings for internal interfaces (LAN) - Internet Connection Share.
$IPC -A FORWARD -i $IF -j ACCEPT
$IPC -A FORWARD -o $IF -j ACCEPT
$IPC -t nat -A POSTROUTING -o $IF -j MASQUERADE
#printf "."
#printf "."
#Settings for internal interfaces (LAN).
InternalIP=`/sbin/ifconfig eth1 | grep inet | cut -d : -f 2 | cut -d \ -f 1`
InternalMASK=`/sbin/ifconfig eth1 | grep Mas | cut -d : -f 4`
InternalNET=$InternalIP/$InternalMASK
$IPC -A INPUT -i eth1 -j ACCEPT
$IPC -A OUTPUT -o eth1 -j ACCEPT
$IPC -A INPUT -i ! eth1 -s $InternalNET -j DROP
#printf "."
#Set telnet, www, smtp, pop3 and FTP for minimum delay
#$IPC -A OUTPUT -p tcp -d 0/0 80 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 22 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 23 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 21 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 110 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 25 -t 0x01 0x10
$IPC -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
#printf "."
#Set ftp-data for maximum throughput
#$IPC -A OUTPUT -p tcp -d 0/0 20 -t 0x01 0x08
$IPC -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos
Maximize-Throughput
#printf "."
#Allow ICMP
$IPC -A INPUT -p icmp -i $IF -j ACCEPT
$IPC -A OUTPUT -p icmp -o $IF -j ACCEPT
#printf "."
#Open ports for established connections
$IPC -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPC -A INPUT -m state --state RELATED -j ACCEPT
$IPC -A INPUT -p tcp -i $IF --dport 1023:65535 -j ACCEPT
$IPC -A INPUT -p udp -i $IF --dport 1023:65535 -j ACCEPT
#printf "."
#Set default rule on MASQUERADE chain to DROP
$IPC -P FORWARD DROP
#printf "."
#DROP everything else
$IPC -P OUTPUT ACCEPT
$IPC -A INPUT -i $IF -j LDROP
#printf "."
Mvh
Martin