Hi, I just noticed that firewall.sh, at least the version in the cent50 scripts which I use, contains the following section:
  ## Drop outside packets with local addresses - anti-spoofing measure
  iptables -A INPUT -s $MYIP -i ! lo -j DROP
  iptables -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
  #iptables -A INPUT -s 10.0.0.0/8 -i ! lo -j DROP
  #iptables -A INPUT -s 192.168.0.0/16 -i ! lo -j DROP
  iptables -A INPUT -s 224.0.0.0/4 -i ! lo -j DROP
  iptables -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
  iptables -A INPUT -s 255.255.255.255 -i ! lo -j DROP
  iptables -A INPUT -s 169.254.0.0/16 -i ! lo -j DROP
  iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
  iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
  iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
  #

Now, I just wondered why the private class A & C networks are listed, if only as optional, and the class B variant is not? E.g.

  #iptables -A INPUT -s 172.16.0.0/12 -i ! lo -j DROP   # RFC 1918 class B block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)

Likewise, the multicast space is excluded (224.0.0.0/4) while the class E test space is not. E.g.

  iptables -A INPUT -s 240.0.0.0/4 -i ! lo -j DROP

The other sections I all understand (e.g. loopback, APIPA, current network, etc.), but then there are some individual addresses that I do not recognize:

  iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
  iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
  iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP

Are these known troublemakers or some other special addresses? If so, personally, I'd prefer not to have individual IP address excludes in the firewall.sh script by default. I mean, those addresses *could* be reassigned and serve a different / legitimate purpose at some point in the future.

Anyway, I included a slightly modified script that includes descriptions for the reserved / protected address spaces and adds the missing two I mentioned above.

Thanks,
Martin

--
"However beautiful the strategy, you should occasionally look at the results."
Winston Churchill
firewall.sh
Description: Binary data
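The following is an added example, not the cent50 firewall.sh and not the attachment from the post above. It builds the anti-spoofing DROP rules for the reserved source ranges discussed in the message, with a description attached to each rule via the iptables comment match, and separates the ranges that are never legitimate on an outside interface from the RFC 1918 private ranges, which a mail host with LAN clients may need to keep open. The class B private block is written as 172.16.0.0/12, which is the actual RFC 1918 range. The `IPTABLES` variable, the `antispoof_rules` function and the 203.0.113.10 address (from the TEST-NET-3 documentation range) are assumptions of this example; by default it only prints the rules, and it applies them only when run as root with `IPTABLES=iptables`.

```shell
#!/bin/sh
# Added example (not the cent50 firewall.sh, not the attached script):
# anti-spoofing DROP rules for reserved source ranges, one description per rule.
# IPTABLES defaults to "echo iptables" so the script previews the rules;
# run as root with IPTABLES=iptables to apply them for real (assumed variable).
IPTABLES="${IPTABLES:-echo iptables}"

# Ranges that can never be a legitimate source on a non-loopback interface.
# Format per line: prefix description
reserved_ranges() {
    cat <<'EOF'
0.0.0.0/8 this-network-RFC1122
127.0.0.0/8 loopback
169.254.0.0/16 link-local-APIPA-RFC3927
224.0.0.0/4 multicast
240.0.0.0/4 reserved-class-E
255.255.255.255/32 limited-broadcast
EOF
}

# RFC 1918 private space: drop only when no legitimate LAN peers use it.
# The class B block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not /8.
private_ranges() {
    cat <<'EOF'
10.0.0.0/8 private-class-A-RFC1918
172.16.0.0/12 private-class-B-RFC1918
192.168.0.0/16 private-class-C-RFC1918
EOF
}

# $1 = source prefix, $2 = description.
# "! -i lo" is the current spelling of the original script's "-i ! lo";
# "-m comment" needs the xt_comment match, standard on Linux kernels.
drop_rule() {
    $IPTABLES -A INPUT ! -i lo -s "$1" -m comment --comment "anti-spoof: $2" -j DROP
}

# Usage: antispoof_rules <own public IP> [1 to also drop RFC 1918 sources]
antispoof_rules() {
    myip="$1"
    drop_private="${2:-0}"
    # Our own address arriving on an outside interface is spoofed by definition
    [ -n "$myip" ] && drop_rule "$myip/32" "own-address"
    reserved_ranges | while read -r prefix desc; do
        drop_rule "$prefix" "$desc"
    done
    if [ "$drop_private" = 1 ]; then
        private_ranges | while read -r prefix desc; do
            drop_rule "$prefix" "$desc"
        done
    fi
}

# Preview with a constructed example address (TEST-NET-3); nothing is applied
antispoof_rules 203.0.113.10 1
```

Run it once without `IPTABLES=iptables` and read the printed rules before applying them; if the host exchanges mail with clients on RFC 1918 addresses, leave the second argument off so the private ranges stay reachable.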
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
