Tom

Interface entry:

lan  eth0  detect  maclist,tcpflags,nosmurfs,blacklist,norfc1918

When compiled with shorewall-perl, this generates 2 calls to each of the maclist,
tcpflags, nosmurfs, blacklist and norfc1918 chains from both the eth0_in and
eth0_fwd chains.

This can be seen in the attached iptables-restore-input.

This does not happen with the shorewall-shell compiler.


Steven.

iptables-restore-input (attached):

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_dyni - [0:0]
-A PREROUTING -i eth0 -j eth0_dyni
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING  -j tcpre
-A FORWARD -j tcfor
-A OUTPUT  -j tcout
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:@fw2all - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklog - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_dynf - [0:0]
:eth0_dyni - [0:0]
:eth0_dyno - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_mac - [0:0]
:eth0_out - [0:0]
:fw2all - [0:0]
:lan2fw - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-level warn --log-prefix "Shorewall:INPUT:DROP:" 
-A INPUT -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j LOG --log-level warn --log-prefix "Shorewall:FORWARD:DROP:" 
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A @fw2all -m limit --limit 2 -j RETURN
-A @fw2all -j DROP
-A Drop -p 6 --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A Drop -p 17 --dport 137:139 -j DROP
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A Drop -p 17 --dport 1900 -j DROP
-A Drop -p 6 -j dropNotSyn
-A Drop -p 17 --sport 53 -j DROP
-A Reject -p 6 --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p 17 -m multiport --dports 135,445 -j reject
-A Reject -p 17 --dport 137:139 -j reject
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A Reject -p 17 --dport 1900 -j DROP
-A Reject -p 6 -j dropNotSyn
-A Reject -p 17 --sport 53 -j DROP
-A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A all2all -j LOG --log-level warn --log-prefix "Shorewall:all2all:DROP:" 
-A all2all -j DROP
-A blacklog -j LOG --log-level 4 --log-prefix "Shorewall:blacklst:DROP:" 
-A blacklog -j DROP
-A blacklst -p 6 --dport 0 -s 84.34.55.7 -j blacklog
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -m addrtype --dst-type MULTICAST -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp ! --syn -j DROP
-A eth0_fwd -m state --state NEW,INVALID  -j dynamic
-A eth0_fwd -m state --state NEW,INVALID -j blacklst
-A eth0_fwd -m state --state NEW,INVALID -j blacklst
-A eth0_fwd -m state --state NEW,INVALID -j smurfs
-A eth0_fwd -m state --state NEW,INVALID -j smurfs
-A eth0_fwd -m state --state NEW -j norfc1918
-A eth0_fwd -m state --state NEW -j norfc1918
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -j eth0_dynf
-A eth0_fwd -m state --state NEW -j eth0_mac
-A eth0_fwd -m state --state NEW -j eth0_mac
-A eth0_in -m state --state NEW,INVALID  -j dynamic
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -m state --state NEW,INVALID -j smurfs
-A eth0_in -m state --state NEW,INVALID -j smurfs
-A eth0_in -m state --state NEW -j norfc1918
-A eth0_in -m state --state NEW -j norfc1918
-A eth0_in -p tcp -j tcpflags
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j eth0_dyni
-A eth0_in -m state --state NEW -j eth0_mac
-A eth0_in -m state --state NEW -j eth0_mac
-A eth0_in -j lan2fw
-A eth0_mac -s 192.168.0.4 -m addrtype --dst-type BROADCAST -j RETURN
-A eth0_mac -s 192.168.0.4 -m addrtype --dst-type MULTICAST -j RETURN
-A eth0_mac -j LOG --log-level 6 --log-prefix "Shorewall:eth0_mac:DROP:" 
-A eth0_mac -j DROP
-A eth0_out -j eth0_dyno
-A eth0_out -j fw2all
-A fw2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw2all -p tcp --syn -j @fw2all
-A fw2all -j ACCEPT
-A lan2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A lan2fw -j ACCEPT
-A logdrop  -j LOG --log-level 4 --log-prefix "Shorewall:logdrop:DROP:" 
-A logdrop  -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject  -j LOG --log-level 4 --log-prefix "Shorewall:logreject:REJECT:" 
-A logreject  -j REJECT
-A norfc1918 -s 172.16.0.0/12 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/16 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/8 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -m addrtype --src-type MULTICAST -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-level 6 --log-prefix "Shorewall:rfc1918:DROP:" 
-A rfc1918 -j DROP
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -m addrtype --src-type MULTICAST -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -j logflags
-A tcpflags -p tcp --tcp-flags ALL NONE        -j logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j logflags
-A tcpflags -p tcp --syn --sport 0 -j logflags
COMMIT
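The duplicate jumps in the eth0_in and eth0_fwd chains above are easy to miss in a long ruleset, so a check that parses the generated iptables-restore input and flags any rule appearing twice in one chain is worth having when comparing compiler output. The script below is an added example written for this report; it is not Shorewall code and not part of the original post. It understands only the restore-file constructs seen above (`*table`, `:chain POLICY [pkts:bytes]`, `-A chain ...`, `COMMIT`), and the embedded SAMPLE is an excerpt of the eth0_in chain copied from the attachment, so it runs offline.

```python
"""Detect duplicated rules in iptables-restore output.

Added example for the shorewall-perl bug report above; not Shorewall code.
It parses the iptables-restore text format and reports every rule that
occurs more than once in the same chain of the same table, which is what
the eth0_in and eth0_fwd chains in the attachment exhibit.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: an excerpt of the eth0_in chain from the attachment.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:eth0_in - [0:0]
:lan2fw - [0:0]
-A INPUT -i eth0 -j eth0_in
-A eth0_in -m state --state NEW,INVALID  -j dynamic
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -m state --state NEW,INVALID -j smurfs
-A eth0_in -m state --state NEW,INVALID -j smurfs
-A eth0_in -m state --state NEW -j norfc1918
-A eth0_in -m state --state NEW -j norfc1918
-A eth0_in -p tcp -j tcpflags
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j eth0_dyni
-A eth0_in -m state --state NEW -j eth0_mac
-A eth0_in -m state --state NEW -j eth0_mac
-A eth0_in -j lan2fw
COMMIT
"""


def parse_restore(text):
    """Return {table: {chain: [rule, ...]}} preserving rule order.

    A rule is the normalized text after '-A <chain>' with runs of whitespace
    collapsed, so 'NEW,INVALID  -j dynamic' and 'NEW,INVALID -j dynamic'
    compare equal.
    """
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("directive outside of a table: %r" % raw)
        elif line.startswith(":"):
            # chain declaration; make the chain visible even if it has no rules
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A "):
            parts = line.split(None, 2)
            chain = parts[1]
            rule = " ".join(parts[2].split()) if len(parts) > 2 else ""
            tables[table][chain].append(rule)
    return tables


def find_duplicates(text):
    """Return [(table, chain, rule, count)] for rules seen more than once."""
    dups = []
    for table, chains in parse_restore(text).items():
        for chain, rules in chains.items():
            for rule, count in Counter(rules).items():
                if count > 1:
                    dups.append((table, chain, rule, count))
    return dups


def jump_counts(text, table, chain):
    """Return {target: number of '-j target' rules} for one chain."""
    counts = Counter()
    for rule in parse_restore(text)[table].get(chain, []):
        m = re.search(r"(?:^|\s)-j\s+(\S+)", rule)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    for table, chain, rule, count in find_duplicates(SAMPLE):
        print("%s/%s: %dx  -A %s %s" % (table, chain, count, chain, rule))
    print(dict(jump_counts(SAMPLE, "filter", "eth0_in")))
```

Run against the full attachment (`python check.py < iptables-restore-input`, after replacing SAMPLE with `sys.stdin.read()`), it lists blacklst, smurfs, norfc1918, tcpflags and eth0_mac twice each for both eth0_in and eth0_fwd, and an empty list for the shorewall-shell output, which is the comparison the report is making. The duplicated rules do not change what is accepted or dropped, since the second jump only sees packets the first one RETURNed, but they double the evaluation cost of those chains and hide any real difference between the two compilers.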
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel