Package: iptables
Version: v1.2.11
Severity: grave
|After some up time the mac adresses of my iptables filter are changing.
|I am using Debian GNU/Linux 3.1, kernel 2.4.27-2-k7|
|//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
I am using my my own iptables script which will be started on startup.
The script is defined as follows:
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# cat /etc/init.d/filter_masq
#! /bin/sh
# PacketFilterScript
case "$1" in
start)
echo -n "Turning on packet filtering:"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "."
iptables -X
iptables -F
iptables -t nat -F
# POLICY START
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# POLICY STOP
# RULES START
#-------INPUT--------------------------------------------------------------------------------------------------------------------------------
iptables -A INPUT -s 127.0.0.1/8 -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.1/8 -p tcp --dport 53:3306 -j
ACCEPT # domain:mysql
iptables -A INPUT -s 127.0.0.1/8 -p udp --dport 53:3306 -j
ACCEPT # domain:mysql
iptables -A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 53:2049 -j
ACCEPT # domain:nfs
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 53:2049 -j
ACCEPT # domain:nfs
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnet
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnet
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnet
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnet
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnet
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnet
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-power
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp
--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-power
iptables -A INPUT -p tcp --dport 20:21 -j
ACCEPT # ftp-data:ftp
iptables -A INPUT -p tcp --dport 22 -j
ACCEPT # ssh
iptables -A INPUT -p udp --dport 22 -j
ACCEPT # ssh
iptables -A INPUT -p tcp --dport 53 -j
ACCEPT # domain
iptables -A INPUT -p udp --dport 53 -j
ACCEPT # domain
iptables -A INPUT -p tcp --dport 80 -j
ACCEPT # http
iptables -A INPUT -p udp --dport 80 -j
ACCEPT # http
iptables -A INPUT -p tcp --dport 123 -j
ACCEPT # ntp
iptables -A INPUT -p udp --dport 123 -j
ACCEPT # ntp
iptables -A INPUT -p tcp --dport 443 -j
ACCEPT # https
iptables -A INPUT -p udp --dport 443 -j
ACCEPT # https
iptables -A INPUT -p tcp --dport 3306 -j
ACCEPT # mysql
iptables -A INPUT -p udp --dport 3306 -j
ACCEPT # mysql
iptables -A INPUT -p tcp --dport 32768:65535 -j
ACCEPT # 32768:65535
iptables -A INPUT -p udp --dport 32768:65535 -j
ACCEPT # 32768:65535
#-------FORWARD------------------------------------------------------------------------------------------------------------------------------
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j
ACCEPT # shodan.localnet
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j
ACCEPT # osiris.localnet
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j
ACCEPT # hhosch.localnet
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j
ACCEPT # finn-power
#-------OUTPUT-------------------------------------------------------------------------------------------------------------------------------
iptables -A OUTPUT -d 127.0.0.1/8 -p icmp -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/8 -p tcp --sport 53:3306 -j
ACCEPT # domain:mysql
iptables -A OUTPUT -d 127.0.0.1/8 -p udp --sport 53:3306 -j
ACCEPT # domain:mysql
iptables -A OUTPUT -d 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 53:2049 -j
ACCEPT # domain:nfs
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 53:2049 -j
ACCEPT # domain:nfs
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 3128:3130 -j
ACCEPT # 3128:icpv2 (squid)
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 3128:3130 -j
ACCEPT # 3128:icpv2 (squid)
iptables -A OUTPUT -p tcp --sport 20:21 -j
ACCEPT # ftp-data:ftp
iptables -A OUTPUT -p tcp --sport 22 -j
ACCEPT # ssh
iptables -A OUTPUT -p udp --sport 22 -j
ACCEPT # ssh
iptables -A OUTPUT -p tcp --sport 53 -j
ACCEPT # domain
iptables -A OUTPUT -p udp --sport 53 -j
ACCEPT # domain
iptables -A OUTPUT -p tcp --sport 80 -j
ACCEPT # http
iptables -A OUTPUT -p udp --sport 80 -j
ACCEPT # http
iptables -A OUTPUT -p tcp --sport 123 -j
ACCEPT # ntp
iptables -A OUTPUT -p udp --sport 123 -j
ACCEPT # ntp
iptables -A OUTPUT -p tcp --sport 443 -j
ACCEPT # https
iptables -A OUTPUT -p udp --sport 443 -j
ACCEPT # https
iptables -A OUTPUT -p tcp --sport 3306 -j
ACCEPT # mysql
iptables -A OUTPUT -p udp --sport 3306 -j
ACCEPT # mysql
iptables -A OUTPUT -p tcp --sport 32768:65535 -j
ACCEPT # 32768:65535
iptables -A OUTPUT -p udp --sport 32768:65535 -j
ACCEPT # 32768:65535
#-------nat----------------------------------------------------------------------------------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport
80 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport
443 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport
8080 -j REDIRECT --to 3128
iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.0/24 -o ppp0
-j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport
20:123 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport
22:123 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport
995:65535 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport
995:65535 -o ppp0 -j MASQUERADE
# RULES STOP
;;
stop)
echo -n "Turning off packet filtering:"
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -X
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
echo "."
;;
*)
echo "Usage: { start | stop }"
exit 1
;;
esac
exit 0
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
The rules after startup are the following
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 127.0.0.0/8 anywhere
ACCEPT tcp -- 127.0.0.0/8 anywhere tcp
dpts:domain:mysql
ACCEPT udp -- 127.0.0.0/8 anywhere udp
dpts:domain:mysql
ACCEPT icmp -- localnet/24 anywhere
ACCEPT tcp -- localnet/24 anywhere tcp
dpts:domain:2049
ACCEPT udp -- localnet/24 anywhere udp
dpts:domain:2049
ACCEPT tcp -- anywhere anywhere MAC
00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere tcp
dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT udp -- anywhere anywhere udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp
dpts:32768:65535
ACCEPT udp -- anywhere anywhere udp
dpts:32768:65535
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
ACCEPT all -- anywhere localnet/24
ACCEPT all -- anywhere anywhere MAC
00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC
00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC
00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC
00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC
00:14:38:00:AB:A6
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere 127.0.0.0/8
ACCEPT tcp -- anywhere 127.0.0.0/8 tcp
spts:domain:mysql
ACCEPT udp -- anywhere 127.0.0.0/8 udp
spts:domain:mysql
ACCEPT icmp -- anywhere localnet/24
ACCEPT tcp -- anywhere localnet/24 tcp
spts:domain:2049
ACCEPT udp -- anywhere localnet/24 udp
spts:domain:2049
ACCEPT tcp -- anywhere localnet/24 tcp
spts:3128:icpv2
ACCEPT udp -- anywhere localnet/24 udp
spts:3128:icpv2
ACCEPT tcp -- anywhere anywhere tcp
spts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT udp -- anywhere anywhere udp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:www
ACCEPT udp -- anywhere anywhere udp spt:www
ACCEPT tcp -- anywhere anywhere tcp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT udp -- anywhere anywhere udp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:mysql
ACCEPT udp -- anywhere anywhere udp spt:mysql
ACCEPT tcp -- anywhere anywhere tcp
spts:32768:65535
ACCEPT udp -- anywhere anywhere udp
spts:32768:65535
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
But after some up time the mac adresses of the iptables filter are
changing and the computers are unable to access the proxy server:
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# /etc/init.d/filter_masq start
Turning on packet filtering:.
debian:/home/hgsch# iptables
-L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 127.0.0.0/8 anywhere
ACCEPT tcp -- 127.0.0.0/8 anywhere tcp
dpts:domain:mysql
ACCEPT udp -- 127.0.0.0/8 anywhere udp
dpts:domain:mysql
ACCEPT icmp -- localnet/24 anywhere
ACCEPT tcp -- localnet/24 anywhere tcp
dpts:domain:2049
ACCEPT udp -- localnet/24 anywhere udp
dpts:domain:2049
ACCEPT tcp -- anywhere anywhere MAC
00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC
00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC
00:14:38:00:AB:A6 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere tcp
dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT udp -- anywhere anywhere udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp
dpts:32768:65535
ACCEPT udp -- anywhere anywhere udp
dpts:32768:65535
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere localnet/24
ACCEPT all -- anywhere anywhere MAC
00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC
00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC
00:13:D3:FD:20:FA
ACCEPT all -- anywhere anywhere MAC
00:14:38:00:AB:A6
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere 127.0.0.0/8
ACCEPT tcp -- anywhere 127.0.0.0/8 tcp
spts:domain:mysql
ACCEPT udp -- anywhere 127.0.0.0/8 udp
spts:domain:mysql
ACCEPT icmp -- anywhere localnet/24
ACCEPT tcp -- anywhere localnet/24 tcp
spts:domain:2049
ACCEPT udp -- anywhere localnet/24 udp
spts:domain:2049
ACCEPT tcp -- anywhere localnet/24 tcp
spts:3128:icpv2
ACCEPT udp -- anywhere localnet/24 udp
spts:3128:icpv2
ACCEPT tcp -- anywhere anywhere tcp
spts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT udp -- anywhere anywhere udp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:www
ACCEPT udp -- anywhere anywhere udp spt:www
ACCEPT tcp -- anywhere anywhere tcp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT udp -- anywhere anywhere udp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:mysql
ACCEPT udp -- anywhere anywhere udp spt:mysql
ACCEPT tcp -- anywhere anywhere tcp
spts:32768:65535
ACCEPT udp -- anywhere anywhere udp
spts:32768:65535
debian:/home/hgsch#
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
