iptables only allowing tcp packets with PSH set



I'm having a weird problem with iptables 1.2.11 on my Linux system.
For some reason, it is only allowing packets through from allowed
hosts/ports that have the TCP flag PSH set on them; it will deny all
others. I have no rules set in iptables about allowing/disallowing
these TCP flags, and I'm not quite sure what could be causing my
problems.

Does anyone have any ideas why my Linux system would be doing this?

Thanks

Mike

Here is the output of my iptables-save (with a few edits for MAC and IP
security):

# Generated by iptables-save v1.2.11 on Thu Jun 22 09:38:48 2006
*filter
:INPUT ACCEPT [23:1292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:43479]
:Cid449952DF.0 - [0:0]
:Cid449952E9.0 - [0:0]
:Cid449952E9.1 - [0:0]
:Cid449952F3.0 - [0:0]
:Cid44995307.0 - [0:0]
:Cid44995307.1 - [0:0]
:Cid4499B94F.0 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_4 - [0:0]
:RULE_5 - [0:0]
:RULE_7 - [0:0]
:RULE_8 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A INPUT -d <firewall host> -m state --state NEW -j Cid44995307.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d <firewall host> -m state --state NEW -j Cid449952E9.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 10000:10500 -m state --state NEW -j Cid449952DF.0
-A INPUT -s <priv subnet>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 1520:1522 -m state --state NEW -j RULE_5
-A INPUT -s <priv subnet 1>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 445 -j DROP
-A INPUT -s <priv subnet 2>/255.255.255.0 -d <firewall host> -m state --state NEW -j Cid4499B94F.0
-A INPUT -d <firewall host> -j RULE_8
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A OUTPUT -d <firewall host> -j RULE_8
-A Cid449952DF.0 -s 10.0.0.0/255.0.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 3>/255.255.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 5>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 7>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 8>/<priv subnet range> -j RULE_4
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 3>/255.255.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 5>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 7>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 8>/<priv subnet range> -j RULE_3
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 3>/255.255.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 5>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 7>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 8>/<priv subnet range> -j RULE_2
-A Cid44995307.0 -f -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/1 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 0/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 3 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 8/0 -j Cid44995307.1
-A Cid44995307.1 -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 3>/255.255.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 5>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 7>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 8>/<priv subnet range> -j ACCEPT
-A Cid4499B94F.0 -p tcp -m tcp -m multiport --dports 445,139 -j RULE_7
-A Cid4499B94F.0 -p udp -m udp -m multiport --dports 138,137 -j RULE_7
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_4 -j LOG --log-prefix "ALLOWED-APP " --log-level 6
-A RULE_4 -j ACCEPT
-A RULE_5 -j LOG --log-prefix "ALLOWED-DB " --log-level 6
-A RULE_5 -j ACCEPT
-A RULE_7 -j LOG --log-prefix "ALLOWED-SMB " --log-level 6
-A RULE_7 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
COMMIT
# Completed on Thu Jun 22 09:38:48 2006
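
Every ACCEPT path in the ruleset above hangs off a `-m state --state NEW` match, so what gets in depends on how conntrack classifies each packet, not on any explicit flag test. The script below is an added example, not code from the post or from the iptables project: a small offline evaluator that parses iptables-save output, walks one packet through INPUT the way the kernel does (jumps into the user chains, fall-through back to the caller, LOG prefixes collected along the way) and reports which TCP `--state NEW` rules lack `--syn`. The ruleset it runs on is constructed in the shape of the posted one, with documentation and private ranges in place of the redacted hosts; the chain names `SSH_SRC` and `DENY`, the `make_packet` helper, the audit function and the guard rule are this example's own. Only the match options the sample needs are implemented; anything else (the posted `-f`, `--sport` and `--icmp-type`, for instance) raises NotImplementedError rather than being guessed at.

```python
"""Offline evaluator for an iptables-save filter table (added example, not the poster's code): walks
a packet through the chains as the kernel would and audits TCP --state NEW rules lacking --syn."""
import ipaddress
import shlex

def parse_iptables_save(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from iptables-save output."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ':NAME POLICY [pkts:bytes]'
            name, policy, _ = line[1:].split()
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)                  # keeps "DENIED " as one token
            chains[toks[1]].append(_parse_rule(toks[2:]))
    return policies, chains

def _parse_rule(toks):
    rule, i = {"target": None, "opts": {}}, 0         # opts: option -> (negated, value)
    while i < len(toks):
        neg = toks[i] == "!"                          # '!' negates the option after it
        opt = toks[i + neg]
        if opt == "--syn":                            # flag option, takes no argument
            rule["opts"][opt] = (neg, True)
        elif opt == "-j":
            rule["target"] = toks[i + neg + 1]
        elif opt != "-m":                             # '-m module' loads a match, tests nothing
            rule["opts"][opt] = (neg, toks[i + neg + 1])
        i += neg + (1 if opt == "--syn" else 2)
    return rule

def _port_in(spec, port):                             # '22' or '10000:10500'
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

MATCHERS = {                                          # option -> (value, packet) -> bool
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "-d": lambda v, p: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v, strict=False),
    "-p": lambda v, p: p["proto"] == v,
    "--dport": lambda v, p: _port_in(v, p["dport"]),
    "--dports": lambda v, p: any(_port_in(x, p["dport"]) for x in v.split(",")),  # multiport
    "--state": lambda v, p: p["state"] in v.split(","),
    "--syn": lambda v, p: "SYN" in p["flags"] and not p["flags"] & {"ACK", "RST", "FIN"},
}

def _match(rule, pkt):
    for opt, (neg, val) in rule["opts"].items():
        if opt.startswith("--log-"):                  # LOG target options, not matches
            continue
        if opt not in MATCHERS:
            raise NotImplementedError(opt)            # refuse to guess at an unsupported match
        if MATCHERS[opt](val, pkt) == neg:            # plain miss, or negated hit
            return False
    return True

def make_packet(src, dst, dport, proto="tcp", sport=40000, state="NEW", flags=("SYN",)):
    return dict(src=src, dst=dst, dport=dport, proto=proto, sport=sport, state=state, flags=set(flags))

def evaluate(policies, chains, pkt, chain="INPUT", logs=None):
    logs = [] if logs is None else logs               # returns (verdict, [log prefixes])
    for rule in (r for r in chains[chain] if _match(r, pkt)):
        target = rule["target"]
        if target == "LOG":                           # non-terminating: note it, carry on
            logs.append(rule["opts"]["--log-prefix"][1].strip())
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return target, logs
        elif target == "RETURN":
            break
        elif target in chains:                        # user chain; implicit RETURN at its end
            verdict, _ = evaluate(policies, chains, pkt, target, logs)
            if verdict:
                return verdict, logs
    return (None if policies[chain] == "-" else policies[chain]), logs

def new_without_syn(chains):
    """(chain, index) of TCP rules accepting --state NEW without --syn: conntrack also calls a segment
    it has never seen NEW (nf_conntrack_tcp_loose, on by default), so they match mid-stream ACKs."""
    return [(chain, i) for chain, rules in chains.items() for i, r in enumerate(rules)
            if r["opts"].get("-p") == (False, "tcp") and "--syn" not in r["opts"]
            and "NEW" in r["opts"].get("--state", (False, ""))[1].split(",")]

def with_syn_guard(chains):                           # copy of chains with the usual guard first in INPUT
    guard = [_parse_rule(shlex.split("-p tcp ! --syn -m state --state NEW -j DROP"))]
    return {n: (guard if n == "INPUT" else []) + r for n, r in chains.items()}

SAMPLE = """\
# Constructed ruleset in the shape of the posted one; not the poster's actual configuration.
:INPUT ACCEPT [0:0]
:SSH_SRC - [0:0]
:DENY - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.10 -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_SRC
-A INPUT -d 192.0.2.10 -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -d 192.0.2.10 -j DENY
-A SSH_SRC -s 10.0.0.0/255.0.0.0 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A SSH_SRC -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A DENY -j LOG --log-prefix "DENIED " --log-level 6
-A DENY -j DROP
"""
```

To use it on a real box, feed the text of `iptables-save` to `parse_iptables_save` and call `evaluate` with a `make_packet(...)` describing the packet you are chasing; the returned verdict and the list of log prefixes tell you which chain terminated it, which is quicker than reading the generated `Cid…` chains by eye. With the sample above, a SYN from 10.1.2.3 to port 22 is accepted with `ALLOWED-SSH`, and a PSH/ACK from the same host that conntrack has never seen gets exactly the same verdict, because the rule tests `--state NEW` and nothing about flags; `new_without_syn` lists those rules, and `with_syn_guard` shows the stock fix, a `-p tcp ! --syn -m state --state NEW -j DROP` ahead of them. Whether loose pickup is active can be checked with `sysctl net.netfilter.nf_conntrack_tcp_loose` on current kernels, or `/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose` on the ip_conntrack module of the poster's vintage. Nothing in the post pins down the cause of Mike's symptom; the evaluator only shows where a given packet lands.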
