Re: Which port to block for ping, and how?

From: Anthony Campbell (me_at_privacy.net)
Date: 12/18/03


Date: 18 Dec 2003 16:27:39 GMT

On 2003-12-18, Tim Haynes <usenet-20031218@stirfried.vegetable.org.uk> wrote:
> Anthony Campbell <me@privacy.net> writes:
>
>>> Interesting. Can you debug which 3 lines are causing that for me? E.g.
>>> run it with `sudo /bin/bash -v -x ./iptables.sh' , or put a few echo
>>> statements into it and see between which the errors appear?
>>
>> It seems to be here (I commented out the modprobes because I compiled
>> everything into the kernel)::
>
> This is where I think you're probably going wrong, ish: have you built
> support for LOG and REJECT targets?
> Personal preference is to modularise the whole of netfilter, myself.
>
> Otherwise, it is doing something - the presence of lots of rules in
> `iptables -vnL' was good to see, it's just that I think you'll find
> outgoing ftp, mail and IRC quite slow going, and won't have any logs of
> failed packets to tell you why.
>
> ~Tim

OK, I did as you suggested and modularized all the items, and the script
now appears to execute correctly. I repeated iptables -vnL and got:

ac:~:$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   63 22712 block all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 block all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 58 packets, 3891 bytes)
 pkts bytes target prot opt in out source destination

Chain DLOG (2 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `catch-all '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain block (2 references)
 pkts bytes target prot opt in out source destination
    0 0 DLOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
   63 22712 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- eth0 * 10.0.0.0/16 0.0.0.0/0
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
    0 0 DLOG all -- * * 0.0.0.0/0 0.0.0.0/0

Does this appear to be correct?

A.

-- 
Using Linux GNU/Debian - Windows-free zone
http://www.acampbell.org.uk (book reviews and articles)
Email: replace "www." with "ac@"
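
An added example, not code from this thread: a small Python audit that parses `iptables -vnL` output and checks that every built-in chain with policy ACCEPT ends in a rule that decides the packet, following jumps through user chains such as block and DLOG. The sample input is a constructed copy of the listing above, trimmed to fit (FORWARD chain and the eth0 and port-22 ACCEPT rules omitted); the parser handles the full listing the same way.

```python
import re

# Constructed sample: the `iptables -vnL` listing posted above, trimmed (FORWARD and two ACCEPTs omitted).
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   63 22712 block all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 58 packets, 3891 bytes)
 pkts bytes target prot opt in out source destination
Chain DLOG (2 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `catch-all '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain block (1 references)
 pkts bytes target prot opt in out source destination
    0 0 DLOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
   63 22712 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
    0 0 DLOG all -- * * 0.0.0.0/0 0.0.0.0/0
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that decide a packet's fate

def parse(listing):
    """Map chain name -> {"policy": built-in policy or None, "rules": [split field lists]}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            # fields: 0 pkts, 1 bytes, 2 target, 3 prot, 4 opt, 5 in, 6 out, 7 src, 8 dst, 9 matches
            cur["rules"].append(line.split(None, 9))
    return chains

def unconditional(r):
    """Rule matches every packet: any proto, any in-interface, any source, no match extension."""
    return r[3] == "all" and r[5] == "*" and r[7] == "0.0.0.0/0" and len(r) == 9

def terminates(name, chains):
    """Last rule is unconditional and its target decides the packet (following user-chain jumps)."""
    rules = chains[name]["rules"]
    t = rules[-1][2] if rules and unconditional(rules[-1]) else None
    return t in TERMINAL or (t in chains and terminates(t, chains))

def audit(listing):
    # A built-in chain with policy ACCEPT must end in a decision, or unmatched traffic passes.
    chains = parse(listing)
    return [f"{n}: policy ACCEPT with no catch-all rule, unmatched traffic is allowed"
            for n, ch in chains.items() if ch["policy"] == "ACCEPT" and not terminates(n, chains)]
```

On this listing it reports only OUTPUT, which has policy ACCEPT and no rules, so everything outbound is allowed; INPUT passes because block ends in DLOG, which ends in DROP.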
