Sendmail can't send mail when Iptables is on
(Linux Security forums, System Security and Security Related)

Hi,

I run Sendmail 8.12 on a RH 9 box. When IPtables is on, Sendmail can receive mail OK, no problem. But I can't send any mail unless I turn Iptables off. I have coding in the firewall script that allows SMTP in and out.

When I try to send something out, I do an iptables -L -n -v and save the output. I can see a small number of packets sent out to port 25 of the mail recipient, but nothing comes back. As soon as I turn off Iptables the mail goes right out.

Would appreciate any thoughts. Thanks!

Dave Harman
dharman@lin-nett.com (Dave Harman) writes:
> Hi,
>
> I run Sendmail 8.12 on a RH 9 box
>
> When IPtables is on, Sendmail can receive mail OK
> no problem. But I can't send any mail unless I turn Iptables
> off. I have coding in the firewall script that allows SMTP in and out.
>
> When I try to send something out, I do a iptables -L -n -v and save
> the output. I can see a small number of packets sent out to port 25
> of mail recipient, but nothing comes back. As soon as I turn off Iptables
> the mail goes right out.
>
> Would appreciate any thoughts

How about a log from iptables showing what packets you're dropping?

~Tim
--
12:54:04 up 12:04, 7 users, load average: 0.14, 0.09, 0.02
piglet@stirfried.vegetable.org.uk | There's peat smoke rising
http://spodzone.org.uk/cesspit/ | From the village chimneys
Tim Haynes <usenet-20040721@stirfried.vegetable.org.uk> wrote in message news:<867jsxshhr.fsf@potato.vegetable.org.uk>...
> dharman@lin-nett.com (Dave Harman) writes:
>
> How about a log from iptables showing what packets you're dropping?

Hi Tim,

Here's a log - I formatted it a bit:

Jul 22 17:14:41 nsw2 kernel: Dropped In packet for eth0:

IN=eth0
OUT=
MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00
SRC=66.138.240.241
DST=66.138.30.243
LEN=48 TOS=0x00 PREC=0x00
TTL=120 ID=53414 DF PROTO=TCP
SPT=2365 DPT=445 WINDOW=8160 RES=0x00 SYN URGP=0

I have a home network - I have DSL with SBC. The router supplied is a Netopia Cayman 3500 series Broadband Gateway.

The address SRC=66.138.240.41 is identified by whois as ppp-66-138-240-41.dialup.hrlntx.swbell.net

It looks like input from that address is blocked by the firewall. Is this correct?

Please let me know if I can provide more info.

Thanks
Dave Harman
On 22 Jul 2004 16:49:51 -0700,
Dave Harman (dharman@lin-nett.com) wrote:

> Jul 22 17:14:41 nsw2 kernel: Dropped In packet for eth0:
>
> IN=eth0
> OUT=
> MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00
> SRC=66.138.240.241
> DST=66.138.30.243
> LEN=48 TOS=0x00 PREC=0x00
> TTL=120 ID=53414 DF PROTO=TCP
> SPT=2365 DPT=445 WINDOW=8160 RES=0x00 SYN URGP=0

This particular example doesn't have to do with your system (66.138.30.243) _sending_ mail to a remote IP address.

66.138.240.241 (the remote system; SRC address) had attempted a connection to TCP port 445 of your system. TCP port 445 = microsoft-ds. If you want to learn more about why someone might want to connect to that port of a remote system, look here:
<http://isc.sans.org/port_details.php?port=445&isc=cdc0d31e5bdfec6d8a444b7f28c122c6>

But that doesn't solve why your system doesn't _send_ mail unless you disable your iptables firewall. Perhaps if you posted your rules, or a log entry where the destination port was 25 (DPT=25).

Beverly
--
Bev A. Kupf
"The lyfe so short, the craft so long to lerne" -- Chaucer
JWolf - more flavours than Baskin Robbins - http://macconsult.com/diaperboy/
"Bev A. Kupf" <bevakupf@myhome.net> wrote in message news:<slrncg0v38.o75.bevakupf@myhome.net>...
> On 22 Jul 2004 16:49:51 -0700,
> Dave Harman (dharman@lin-nett.com) wrote:
> > Jul 22 17:14:41 nsw2 kernel: Dropped In packet for eth0:
> >
> > IN=eth0
> > OUT=
> > MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00
> > SRC=66.138.240.241
> > DST=66.138.30.243
> > LEN=48 TOS=0x00 PREC=0x00
> > TTL=120 ID=53414 DF PROTO=TCP
> > SPT=2365 DPT=445 WINDOW=8160 RES=0x00 SYN URGP=0
>
> This particular example doesn't have to do with your system (66.138.30.243)
> _sending_ mail to a remote IP address.
>
> 66.138.240.241 (the remote system; SRC address) had attempted a connection
> to TCP port 445 of your system. TCP port 445 = microsoft-ds. If you want
> to learn more about why someone might want to connect to that port of a
> remote system, look here:
> <http://isc.sans.org/port_details.php?port=445&isc=cdc0d31e5bdfec6d8a444b7f28c122c6>
>
> But doesn't solve why your system doesn't _send_ mail unless you disable
> your iptables firewall. Perhaps if you posted your rules, or a log entry
> where the destination port was 25 (DPT=25).

Thanks for your reply. I am following my text with some of the log output. It looks like my server is trying to make contact with the mail server but no reply is coming back.

Here's the log output - I edited a couple of entries for clarity:

Jul 23 17:12:37 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=64.156.215.18 mta-v26.level13.mail.yahoo.com LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38845 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:12:43 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=64.156.215.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38846 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:12:55 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=64.156.215.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38847 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:13:19 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=64.156.215.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38848 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:07 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=64.156.215.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38849 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:34 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=67.28.113.10 mta-v4.level13.mail.yahoo.com LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38850 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:37 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=67.28.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18106 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:43 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=67.28.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18107 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:55 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=67.28.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18108 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:15:19 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=67.28.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18109 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:17:56 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 mxc.earthlink.net LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12594 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:17:59 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34765 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:18:05 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34766 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:18:17 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34767 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:18:31 nsw2 kernel: Dropped In packet for eth0: IN=eth0 OUT= MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00 SRC=66.81.137.185 DST=66.138.30.243 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=24474 DF PROTO=TCP SPT=3102 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 23 17:18:31 nsw2 kernel: Dropped In packet for eth0: IN=eth0 OUT= MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00 SRC=66.81.137.185 DST=66.138.30.243 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=24516 DF PROTO=TCP SPT=3102 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 23 17:18:32 nsw2 kernel: Dropped In packet for eth0: IN=eth0 OUT= MAC=00:08:a1:10:14:c0:00:02:3b:01:be:c1:08:00 SRC=66.81.137.185 DST=66.138.30.243 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=24571 DF PROTO=TCP SPT=3102 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=21013
Jul 23 17:18:41 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34768 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:19:29 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34769 DF PROTO=TCP SPT=34603 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:19:56 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20564 DF PROTO=TCP SPT=34604 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:19:59 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42381 DF PROTO=TCP SPT=34604 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:20:05 nsw2 kernel: IN= OUT=eth0 SRC=66.138.30.243 DST=207.217.125.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42382 DF PROTO=TCP SPT=34604 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

And here's the text of the firewall:

#!/bin/bash
#
# This is Iptables-7d
# For nsw2.lin-nett.com
# Revised 07-15-2004 Revised Scriptkiddie Exclusions
# Revised 07-19-2004 Revised SMTP Rules
# Revised 07-20-2004 Added lines for Port 113
#
# ------------------------------------------------------------------
#
# The following are Network IP Addresses
#
# 66.138.30.240 Network Address - First IP address of LAN
# 66.138.30.241 Router Public Address -
# 66.138.30.242 nsw1.lin-nett.com www.skydive-elpaso.com
# 66.138.30.243 nsw2.lin-nett.com www.lin-nett.com
# 66.138.30.244 ) Reserved
# 66.138.30.245 )
# 66.138.30.246 Gateway for Public LAN - Netopia Router
# 66.138.30.247 Broadcast - last IP address of LAN
#
# 255.255.255.248 Mask
#
# ------------------------------------------------------------------
#
SYNOPT="-m limit --limit 5/second --limit-burst 10" # Page 99
INTERNET="eth0"
PRIVATE="eth1"
NSW2IP="66.138.30.243"
PIP="192.168.1.0/24"
GEOCITIES="66.218.77.68"
ONBITCHX="81.196.20.133"
SCRIPTKIDDIE1="24.197.112.13"
SCRIPTKIDDIE2="66.194.6.80"
SCRIPTKIDDIE3="65.54.188.73"
SCRIPTKIDDIE4="69.41.171.93"
SCRIPTKIDDIE5="24.28.185.170"
SCRIPTKIDDIE6="134.253.26.12"
SCRIPTKIDDIE7="155.147.191.139"
# ------------------------------
CLASS_A="10.0.0.0/8"                # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"             # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"            # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4"     # Class-D Multicast Addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  # Class-E Reserved Addresses
BROADCAST_SRC="0.0.0.0"             # Broadcast Source Address
BROADCAST_DEST="255.255.255.255"    # Broadcast Destination Address
ALLPORTS="0:65535"
PRIVPORTS="0:1023"                  # Well-Known, Privileged Port Range
UNPRIVPORTS="1024:65535"            # Unprivileged Port Range
TRACEROUTE_SRC_PORTS="32769:65535"  # Traceroute Source Ports
TRACEROUTE_DEST_PORTS="33434:33523" # Traceroute Destination Ports
# ------------------------------------------------------------------
/sbin/iptables -F                   # All existing Chains are emptied
/sbin/iptables -X                   # All existing Chains are deleted
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
# ------------------------------------------------------------------
# Remove any pre-existing user-defined chains
# ------------------------------------------------------------------
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
# ------------------------------------------------------------------
# Set default policy to ACCEPT
# ------------------------------------------------------------------
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT
# ------------------------------------------------------------------
# The user-defined Input routine
# ------------------------------------------------------------------
/sbin/iptables -N in
/sbin/iptables -A in -m state --state INVALID -j DROP
/sbin/iptables -A in -m state --state ESTABLISHED,RELATED -j ACCEPT
# ------------------------------------------------------------------
# The user-defined Flood routine
# ------------------------------------------------------------------
/sbin/iptables -N flood
/sbin/iptables -A flood $SYNOPT -j RETURN
/sbin/iptables -A flood -j DROP
# ------------------------------------------------------------------
# Stealth Scans and TCP State Flags
# ------------------------------------------------------------------
/sbin/iptables -N flags
/sbin/iptables -A flags -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ALL,FIN PSH,URG -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -A flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#
/sbin/iptables -A flags -s $CLASS_D_MULTICAST -d 0/0 -j DROP
/sbin/iptables -A flags -s 0/0 -d $CLASS_D_MULTICAST -j DROP
#
/sbin/iptables -A flags -p tcp -i eth0 --dport 5999:6003 -j DROP   # Block X server access
/sbin/iptables -A flags -p udp -i eth0 --dport 5999:6003 -j DROP   # Block X server access
/sbin/iptables -A flags -p tcp -i eth0 --dport 7100 -j DROP        # Block X server access
# --------------------------------------------------------------------
# Block Bad IP addresses to eth0
# --------------------------------------------------------------------
/sbin/iptables -N badip
/sbin/iptables -A badip -i eth0 -s $BROADCAST_SRC -j DROP
/sbin/iptables -A badip -i eth0 -s $CLASS_B -j DROP
/sbin/iptables -A badip -i eth0 -s $CLASS_A -j DROP
/sbin/iptables -A badip -i eth0 -s 192.0.34.0/24 -j DROP
/sbin/iptables -A badip -i eth0 -s $CLASS_C -j DROP
/sbin/iptables -A badip -i eth0 -s $CLASS_D_MULTICAST -j DROP
/sbin/iptables -A badip -i eth0 -s $CLASS_E_RESERVED_NET -j DROP
/sbin/iptables -A badip -i eth0 -s $BROADCAST_DEST -j DROP
/sbin/iptables -A badip -i eth0 -s 169.254.0.0/16 -j DROP
# -----------------------------------------------------------------
# Block Trojan Activity
# -----------------------------------------------------------------
/sbin/iptables -N trojan
/sbin/iptables -A trojan -p tcp -i eth0 --dport 31337 -j DROP
/sbin/iptables -A trojan -p udp -i eth0 --dport 31337 -j DROP
/sbin/iptables -A trojan -p tcp -i eth0 --dport 12345:12346 -j DROP
/sbin/iptables -A trojan -p udp -i eth0 --dport 12345:12346 -j DROP
/sbin/iptables -A trojan -p tcp -i eth0 --dport 1524 -j DROP
/sbin/iptables -A trojan -p tcp -i eth0 --dport 27665 -j DROP
/sbin/iptables -A trojan -p udp -i eth0 --dport 27444 -j DROP
/sbin/iptables -A trojan -p tcp -i eth0 --dport 31335:31337 -j DROP
/sbin/iptables -A trojan -p udp -i eth0 --dport 31335:31337 -j DROP
# ------------------------------------------------------------------
# Shunned Hosts
# ------------------------------------------------------------------
/sbin/iptables -N shunned
/sbin/iptables -A shunned -s $GEOCITIES -j DROP
/sbin/iptables -A shunned -s $ONBITCHX -j DROP
/sbin/iptables -A shunned -d $GEOCITIES -j DROP
/sbin/iptables -A shunned -d $ONBITCHX -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE1 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE2 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE3 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE4 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE5 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE6 -j DROP
/sbin/iptables -A shunned -s $SCRIPTKIDDIE7 -j DROP
# -------------------------------------------------------------------
# Unlimited traffic on loopback interface
# -----------------------------------------------------------------
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# ------------------------------------------------------------------
# Start Input section where User-defined rules are invoked
# -----------------------------------------------------------------
/sbin/iptables -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -o eth1 -d 192.168.1.0/24 -j ACCEPT
#
/sbin/iptables -A INPUT -p ALL -i eth0 -j badip
/sbin/iptables -A INPUT -p tcp -j flags
/sbin/iptables -A INPUT -p ALL -j trojan
/sbin/iptables -A INPUT -p tcp --syn -j flood
/sbin/iptables -A INPUT -p ALL -j shunned
# -----------------------------------------------------------------
# Individual entries for Time protocol ---
# -----------------------------------------------------------------
/sbin/iptables -A INPUT -p UDP -i eth0 --sport 123 --dport 123 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A INPUT -p UDP -i eth0 --sport 123 --dport 123 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 123 --dport 123 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 123 --dport 123 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------------------
# Individual entries for Web Access ---
# --------------------------------------------------------------------------------
/sbin/iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p tcp -o eth0 -s $NSW2IP --sport 80 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A OUTPUT -p tcp -o eth0 -s $NSW2IP --sport 80 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------------------
# SMTP entries for Sendmail Server - SMTP Port 25 ----
# --------------------------------------------------------------------------------
#
/sbin/iptables -A INPUT -p TCP -i eth0 --sport $UNPRIVPORTS --dport 25 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A INPUT -p TCP -i eth0 --sport $UNPRIVPORTS --dport 25 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p TCP -o eth0 --sport $UNPRIVPORTS --dport 25 \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A OUTPUT -p TCP -o eth0 --sport $UNPRIVPORTS --dport 25 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A INPUT -p TCP -i eth0 --sport 25 --dport $UNPRIVPORTS \
  -m state --state NEW -j ACCEPT
#
/sbin/iptables -A INPUT -p TCP -i eth0 --sport 25 --dport $UNPRIVPORTS \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------------------
# Individual entries for DNS - Ports 53 and Unregistered Ports
# --------------------------------------------------------------------------------
/sbin/iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 53 \
  -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 53 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 53 \
  -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 53 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 1024:65535 \
  -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 1024:65535 \
  -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p UDP -o eth0 --sport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
/sbin/iptables -A OUTPUT -p all -o eth1 -d $PIP -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -j shunned
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ------------------------------------------------------------------
/sbin/iptables -A INPUT -p ! icmp -j in
# ------------------------------------------------------------------
# ICMP Rules - send out and receive ping requests
# ------------------------------------------------------------------
/sbin/iptables -A INPUT -p icmp -i eth0 --icmp-type 8 -j DROP      # No echo request in
/sbin/iptables -A OUTPUT -p icmp -o eth0 --icmp-type 8 -j ACCEPT   # Allow echo request out
/sbin/iptables -A INPUT -p icmp -i eth0 --icmp-type 0 -j ACCEPT    # Receive echo reply
/sbin/iptables -A OUTPUT -p icmp -o eth0 --icmp-type 0 -j ACCEPT   # echo reply
/sbin/iptables -A INPUT -p udp --sport 32769:65535 --dport 33434:33525 -j DROP   # disallow Traceroute
#
/sbin/iptables -A INPUT -p icmp -i eth0 --icmp-type 4 -j ACCEPT    # source quench
/sbin/iptables -A OUTPUT -p icmp -o eth0 --icmp-type 4 -j ACCEPT   # source quench
/sbin/iptables -A INPUT -p icmp -i eth0 --icmp-type 12 -j ACCEPT   # parameter problem status
/sbin/iptables -A OUTPUT -p icmp -o eth0 --icmp-type 12 -j ACCEPT  # parameter problem status
/sbin/iptables -A INPUT -p icmp -i eth0 --icmp-type 3 -j ACCEPT    # destination unreachable
/sbin/iptables -A OUTPUT -p icmp -o eth0 --icmp-type 3 -j DROP     # destination unreachable
# -----------------------------------------------------------------------
# TCP Rules - using User-defined chains
# Rules for Port-Mode FTP Data Channels - Page 155
# -----------------------------------------------------------------------
/sbin/iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 21 -j DROP   # ftp
/sbin/iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 22 -j DROP   # ssh
/sbin/iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 23 -j DROP   # telnet
# ------------------------------------------------------------------------
# Forward Chain Rules
# Accept the packets we want to forward
# ------------------------------------------------------------------------
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 66.138.30.242/32 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------------
# OUTPUT Chain Rules
# Only output packets with local addresses (no spoofing)
# --------------------------------------------------------------------------
# POSTROUTING Chain Rules
# --------------------------------------------------------------------------
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -j SNAT \
  --to-source 66.138.30.242
#
# Logging dropped packets
#/sbin/iptables -A INPUT -i eth0 -j LOG \
#  --log-prefix "Drop In packet for eth0: "
#/sbin/iptables -A OUTPUT -o eth0 -j LOG \
#  --log-prefix "Drop Out packet for eth0: "
exit 0

Thanks Again

Dave Harman
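An added example, not something any poster in this thread wrote, that automates the check Beverly asked for: it reads kernel LOG lines in the format shown above and, for every outbound flow to DPT=25, counts the SYNs sent and the packets seen coming back from port 25 of that peer, so a flow that retransmits SYNs with nothing in reply stands out. The sample lines are constructed (RFC 5737 documentation addresses, a made-up MAC, the host name `host`), not the thread's log, and the function names are mine. One thing the posted script makes worth checking alongside such a report: its nat POSTROUTING rule `-o eth0 -p tcp --tcp-flags SYN,RST SYN -j SNAT --to-source 66.138.30.242` has no `-s` match, and the POSTROUTING hook is traversed by locally generated packets as well as forwarded ones, so it applies to nsw2's own outbound SYNs; the filter OUTPUT chain (where the LOG rule sits) runs before nat POSTROUTING, so a logged SRC=66.138.30.243 does not show whether the packet left with that address.

```shell
#!/bin/sh
# Added example: summarize outbound SMTP attempts found in iptables LOG
# output and flag flows that never got a packet back from the peer.

# Constructed sample in the kernel LOG format seen in the thread.
# Addresses are RFC 5737 documentation ranges, the MAC is a dummy.
sample_log() {
  cat <<'EOF'
Jul 23 17:12:37 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38845 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:12:43 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38846 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:12:55 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38847 DF PROTO=TCP SPT=34596 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:34 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38850 DF PROTO=TCP SPT=34597 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 23 17:14:34 host kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=25 DPT=34597 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jul 23 17:18:31 host kernel: Dropped In packet for eth0: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.99 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=24474 DF PROTO=TCP SPT=3102 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
EOF
}

# smtp_flow_report: reads LOG lines on stdin and prints one line per
# outbound SMTP flow: "<peer> <local port> syns=<n> replies=<m>"
smtp_flow_report() {
  awk '
  {
    # Collect the KEY=VALUE tokens of this line into f[]
    split("", f)
    for (i = 1; i <= NF; i++)
      if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
    if (f["PROTO"] != "TCP") next
    if (f["OUT"] != "" && f["DPT"] == "25" && $0 ~ / SYN /) {
      # Outbound connection attempt: key on peer address + our source port
      key = f["DST"] " " f["SPT"]
      if (!(key in syn)) keys[++n] = key
      syn[key]++
    } else if (f["IN"] != "" && f["SPT"] == "25") {
      # Anything coming back from port 25 of a peer, keyed the same way
      key = f["SRC"] " " f["DPT"]
      rep[key]++
    }
  }
  END {
    for (i = 1; i <= n; i++) {
      k = keys[i]
      printf "%s syns=%d replies=%d\n", k, syn[k], rep[k] + 0
    }
  }'
}

# unanswered_smtp_flows: only the flows that sent SYNs and saw nothing back
unanswered_smtp_flows() {
  smtp_flow_report | grep 'replies=0$'
}

# Demo run on the constructed sample; feed real data with
#   grep 'kernel:' /var/log/messages | smtp_flow_report
sample_log | smtp_flow_report
```

On the constructed sample the report shows the flow to 198.51.100.5 with three SYNs and no replies, while the flow to 203.0.113.7 got its SYN/ACK; the port-135 probe is ignored because it is neither an outbound SMTP attempt nor a reply from port 25. Because the LOG rules in the posted script only see packets on the filter chains, a flow that looks unanswered here still needs a packet capture on eth0 to tell a reply that never arrived from one that arrived and was dropped before reaching the LOG rule.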
Dave Harman wrote:
> # ------------------------------------------------------------------
> #
> SYNOPT="-m limit --limit 5/second --limit-burst 10" # Page 99
> INTERNET="eth0"
> PRIVATE="eth1"
> NSW2IP="66.138.30.243"
> PIP="192.168.1.0/24"
> GEOCITIES="66.218.77.68"
> ONBITCHX="81.196.20.133"
> SCRIPTKIDDIE1="24.197.112.13"
> SCRIPTKIDDIE2="66.194.6.80"
> SCRIPTKIDDIE3="65.54.188.73"
> SCRIPTKIDDIE4="69.41.171.93"
> SCRIPTKIDDIE5="24.28.185.170"
> SCRIPTKIDDIE6="134.253.26.12"
> SCRIPTKIDDIE7="155.147.191.139"
> # ------------------------------
> CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918)
.... snip ...
>
> Thanks Again
>
> Dave Harman

A bit off topic, but: rather than spend all this time looking for script kiddies to block, why don't you just block everything except for the stuff that you do? Then enable stateful firewalling to ensure that you can connect to them but they can't connect to you...

It's pointless posting a huge iptables script and expecting someone to go over it with a toothpick looking for your problem - people generally won't be bothered with the time it takes. A good firewall script needn't be more than 10k in size. I have one that's about 25k, but then there are 6 physical interfaces and up to another 50 virtual ones.
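The default-deny, stateful layout the reply above recommends, written out as an added example rather than anything posted in the thread. It keeps only the services visible in Dave's script (SMTP and HTTP in; SMTP, DNS and NTP out), has no nat rules at all, and assumes the public interface is eth0; the IPT and WAN variables, the dry-run default and the function names are mine. With IPT unset it only prints the commands it would run, so the ruleset can be read before it is applied with IPT=/sbin/iptables as root.

```shell
#!/bin/sh
# Added example, not the script posted in this thread: a minimal default-deny,
# stateful ruleset for one public-facing mail/web host.
# Dry-run by default: IPT expands to "echo /sbin/iptables", so the commands are
# printed for review. Set IPT=/sbin/iptables (as root) to apply them for real.
IPT="${IPT:-echo /sbin/iptables}"
WAN="${WAN:-eth0}"   # assumed name of the public interface

build_rules() {
  # Flush everything, then make DROP the default in every chain
  $IPT -F
  $IPT -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP

  # Loopback is unrestricted
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  # Stateful core: anything belonging to a connection we accepted or
  # initiated is allowed back through; packets with bogus state are dropped
  $IPT -A INPUT -m state --state INVALID -j DROP
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Services this host offers to the world (only NEW connections need rules;
  # the replies are covered by the ESTABLISHED rule on OUTPUT)
  for port in 25 80; do
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done

  # Connections this host itself needs to open: SMTP delivery, DNS, NTP
  $IPT -A OUTPUT -o "$WAN" -p tcp --dport 25 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p udp --dport 123 -m state --state NEW -j ACCEPT

  # ICMP: accept error messages so unreachable/path-MTU signalling works and
  # let our own pings out; inbound echo-request falls through to the policy
  $IPT -A INPUT -i "$WAN" -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p icmp --icmp-type echo-request -j ACCEPT

  # Log (rate-limited) whatever is about to hit the DROP policy, so a blocked
  # flow shows up in the kernel log instead of silently vanishing
  $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "Drop In: "
  $IPT -A OUTPUT -o "$WAN" -m limit --limit 5/min -j LOG --log-prefix "Drop Out: "
}

# rule_count: number of iptables commands the dry run would issue
# (only meaningful while IPT is the echo stand-in)
rule_count() {
  build_rules | grep -c '^/sbin/iptables'
}

build_rules
```

The two LOG rules are the last thing in each chain, so everything they print is traffic the policy is about to drop, which is exactly the log Tim asked for at the top of the thread. Because there is no nat POSTROUTING rule here, the host's own outbound SYNs leave with the address they were logged with.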