I'll paste the script at the bottom.

Cory Petkovsek ([EMAIL PROTECTED]) wrote:
>
>On Thu, Sep 18, 2003 at 12:33:01AM +0000, Bob Crandell wrote:
>> How would you change:
>>
>>     iptables -A sort -j LOG --log-level info
>> to limit the log size?
>
>     iptables -A sort -m limit -j LOG --log-level info

This should be good enough.

>
>This uses the defaults 3/hour for an average rate and 5 for a burst.
>See the man page for other possibilities, such as the one below:
>
>     iptables -A sort -m limit --limit 10/hour --limit-burst 10 -j LOG --log-level info
>
>
>> I've some hints from each of the respondents and built an iptables
>> script. There is supposed to be only 3 or 4 ports open on this box.
>> Can some of you guys with the know-how check 216.239.175.248 and see
>> what's open? I just heard that there are going to be some ComCast
>> users banging on it and now I'm scared.
>Don't think locally. Anyone with an ip address can bang on it. I'm
>running a scan now. Either the machine is off or it's not responding to
>icmp.

I'm smiling so big.

>
>> While reading through the man page, I saw a way to restrict access by MAC address.
>> Can someone post an example?
>I wouldn't do this, as it won't work well for being an internet server.
>
>iptables -A FORWARD -s $intfw -m mac --mac-source XX:XX:XX:XX:XX:XX \
>    -d ! $intnet -j ACCEPT
>
>Forward anything coming from a specific internal ip (like an internal
>firewall), with mac address <xx> and going to somewhere other than the
>internal network.
>
>> So my original requirement to allow some networks and some IP
>> addresses now includes some MAC addresses. I'm assuming they would be
>> added to the end of the list in the sort rule. Yes? No?
>
>Who provided this requirement? Why? Is matching by ip not sufficient? There are
>only special cases where I would use this module.

The ComCast customers are DHCP so I don't have an IP. I don't want to open up to their network. That leaves MAC addresses.

>
>> Should I post the iptables script I have so far?
>The scan is done. Either the machine is down or the firewall is too
>tight because there are no services available and I can't even get a
>fingerprint.

This is a good thing.
>
>$ sudo nmap -sS -v -O -P0 216.239.175.248
>
>Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-09-18 09:56 PDT
>Host 216.239.175.248 appears to be up ... good.
>Initiating SYN Stealth Scan against 216.239.175.248 at 09:56
>The SYN Stealth Scan took 492 seconds to scan 1623 ports.
>Warning: OS detection will be MUCH less reliable because we did not
>find at least 1 open and 1 closed TCP port
>All 1623 scanned ports on 216.239.175.248 are: filtered
>Too many fingerprints match this host for me to give an accurate OS
>guess
>TCP/IP fingerprint:
>SInfo(V=3.27%P=i686-pc-linux-gnu%D=9/18%Time=3F69E5C6%O=-1%C=-1)
>T5(Resp=N)
>T6(Resp=N)
>T7(Resp=N)
>PU(Resp=N)
>
>Nmap run completed -- 1 IP address (1 host up) scanned in 506.213 seconds
>
>So you probably should post your ruleset since it isn't working as you
>had planned.

It is working better than I planned. There are users on it now. Thanks big time, guys.

>
>Cory
>
>EuG-LUG mailing list
>[EMAIL PROTECTED]
>http://mailman.efn.org/cgi-bin/listinfo/eug-lug
>

================================
#!/bin/sh

# Kernel flags
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Setup Variables
BROADCAST="216.239.175.255"
LOOPNET="127.0.0.0/8"
NET1="64.28.48.0/24"
SNIPPED
NET9="216.239.175.0/24"
SNIPPED
HOST1="64.112.226.198"
SNIPPED

echo " Clearing existing configuration."
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F logdrop
/usr/sbin/iptables -X logdrop
/usr/sbin/iptables -F sort
/usr/sbin/iptables -X sort

echo "Create Drop Chain."
/usr/sbin/iptables -N logdrop
/usr/sbin/iptables -A logdrop -m limit -j LOG --log-level info
/usr/sbin/iptables -A logdrop -j DROP

echo "Create Sort Chain."
/usr/sbin/iptables -N sort
# Friendly networks - sort of
/usr/sbin/iptables -A sort -s $NET1 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET2 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET3 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET4 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET5 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET6 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET7 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET8 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET9 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET10 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET11 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET12 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET13 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET14 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET15 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET16 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET17 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET18 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET19 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET20 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET21 -j ACCEPT
/usr/sbin/iptables -A sort -s $NET22 -j ACCEPT
#Friendly hosts - maybe
/usr/sbin/iptables -A sort -s $HOST1 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST2 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST3 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST4 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST5 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST6 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST7 -j ACCEPT
/usr/sbin/iptables -A sort -s $HOST8 -j ACCEPT
# MAC address of router or firewall for DHCP sites like ComCast
# How is intfw defined?
# How is intnet defined?
#/usr/sbin/iptables -A FORWARD -s $intfw -m mac --mac-source XX:XX:XX:XX:XX:XX -d ! $intnet -j ACCEPT

#You probably want this if the server needs to talk to the internet.
/usr/sbin/iptables -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT

#Everything else is logged and then dropped
/usr/sbin/iptables -A sort -j logdrop

echo "INPUT Rule sets."
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -d $BROADCAST -j DROP
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -j sort

echo "FORWARD Rule sets."
/usr/sbin/iptables -A FORWARD -j sort

echo " OUTPUT Rule sets."
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 81 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Redirect Web traffic through Dan's Guardian"
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 8080
# or go around DansGuardian
#/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 3128
=======================================
--
Bob Crandell
Assured Computing
When you need to be sure.
[EMAIL PROTECTED]
www.assuredcomp.com
Voice - 541-689-9159
FAX - 541-463-1627
Eugene, Oregon
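The rate-limited logdrop chain Cory suggests and the one-line-per-network sort chain in the script above, rewritten as an added example that is neither Bob's script nor Cory's: the network and host lists are constructed samples (the real ones are SNIPPED in the message), and IPT defaults to a dry-run echo so the generated rules can be checked without root.

```shell
#!/bin/sh
# Added example, not the script from the original message: build the
# logdrop and sort chains from lists instead of one hand-written line per
# network, with the LOG target rate-limited as suggested in the thread.
# IPT defaults to a dry-run "echo" so the generated rules can be reviewed
# without root; run with IPT=/usr/sbin/iptables to apply them for real.
IPT="${IPT:-echo /usr/sbin/iptables}"

# Constructed sample lists (the real ones are SNIPPED in the message).
FRIENDLY_NETS="64.28.48.0/24 216.239.175.0/24"
FRIENDLY_HOSTS="64.112.226.198"
LOG_RATE="10/hour"      # average rate at which the LOG rule may fire
LOG_BURST="10"          # initial burst allowed before the average applies

# Remove both chains so the script can be re-run; on the very first run
# these fail harmlessly because the chains do not exist yet.
flush_chains() {
    $IPT -F sort;    $IPT -X sort
    $IPT -F logdrop; $IPT -X logdrop
}

# logdrop: log at most LOG_RATE (burst LOG_BURST), then drop unconditionally.
build_logdrop() {
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-level info --log-prefix "logdrop: "
    $IPT -A logdrop -j DROP
}

# sort: one ACCEPT per friendly source (lists are word-split on purpose),
# then replies to this box's own connections, then everything else to logdrop.
build_sort() {
    $IPT -N sort
    for src in $FRIENDLY_NETS $FRIENDLY_HOSTS; do
        $IPT -A sort -s "$src" -j ACCEPT
    done
    $IPT -A sort -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A sort -j logdrop
}

# Dry-run checks: how many ACCEPT rules the sort chain gets, and whether
# its last rule really is the logdrop catch-all (rule order is everything).
count_sort_accepts() { build_sort | grep -c -- '-j ACCEPT'; }
sort_ends_in_logdrop() { build_sort | tail -n 1 | grep -q -- '-j logdrop$'; }

flush_chains 2>/dev/null
build_logdrop
build_sort
```

The `-m mac` rule from the thread is deliberately left out: the match only sees the source MAC of the frame that arrived on this box's own interface, so for hosts behind a router (the ComCast customers) it would see the upstream router's MAC, never the customer's.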
