  #8  
4th July 2006, 13:56
edge
Moderator

Quote:
Originally Posted by IPMolester
You could improve logging to get a better idea on what IPTables are doing.

So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" by "-j LDROP".....
Yes that does look good!

I'll give it a go with my next install :-)

This is what I have now, and it's working great! (for sure it can have some more tweaking)

(1) I have 4 IPs, and only the ports open on the IPs that I want
(2) The IPs have been changed to protect the innocent
(3) IP: 71.161.100.344* is only open for ports 80, 81, 443, 8080 and 10000
(4) IP: 71.161.100.345* is only open for ports 25 and 53 (UDP/TCP)
(5) IP: 71.161.100.346* is only open for ports 53 (UDP/TCP) and 110
(6) IP: 71.161.100.347* is only open for ports 20, 21, 22 and 30000 to 40000
* see point 2

Code:
-A INPUT -p tcp -m tcp -d 127.0.0.0/255.0.0.0 ! -i lo -j ACCEPT
# packets belonging to connections conntrack already knows about
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# everything arriving on eth* is checked against the per-IP allowlist in PUB_IN
-A INPUT -i eth+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
# PAROLE is the terminal accept chain for the allowed services below
-A PAROLE -j ACCEPT
-A PUB_OUT -j ACCEPT
-A PUB_IN -p icmp -d 71.161.100.344 -j ACCEPT
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 81 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 10000 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.345 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.345 --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p udp -m udp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.346 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.346 --dport 53 -j PAROLE
-A PUB_IN -p udp -m udp -d 71.161.100.346 --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.346 --dport 110 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.347 -j DROP
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 20:21 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 30000:40000 -j PAROLE
# anything not matched above is logged, then dropped (LOG does not stop rule evaluation)
-A PUB_IN -j LOG
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A INPUT -j DROP
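An added example (my own code, not from this thread or from any tool edge used) for checking a ruleset like the one above offline: it parses a constructed subset of the posted PUB_IN rules and walks them the way iptables would, following the PAROLE jump and treating LOG as non-terminating, so you can confirm that each IP only answers on the ports listed in points (3) to (6) and see which packets end up in the log before being dropped.

```python
import re
from collections import defaultdict

# Constructed subset of the posted ruleset (with the '--dport 22 -j' typo corrected).
RULES = """
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -d 71.161.100.344 -j ACCEPT
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p udp -m udp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.347 -j DROP
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 20:21 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 30000:40000 -j PAROLE
-A PUB_IN -j LOG
-A PUB_IN -j DROP
"""

# Matches the '-A CHAIN [-p proto] [-m mod] [-d ip] [--dport p[:q]] -j TARGET' rule shape.
RULE_RE = re.compile(r"^-A (\S+)(?: -p (\S+))?(?: -m \S+)?(?: -d (\S+))?(?: --dport (\S+))? -j (\S+)$")

def parse(text):
    """Return {chain: [(proto, dst, (lo, hi) or None, target), ...]} in rule order."""
    chains = defaultdict(list)
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        chain, proto, dst, dport, target = m.groups()
        lo, _, hi = (dport or "").partition(":")
        ports = (int(lo), int(hi or lo)) if dport else None
        chains[chain].append((proto, dst, ports, target))
    return chains

def verdict(chains, proto, dst, dport=None, chain="PUB_IN", logged=False):
    """Walk a chain in rule order; returns (terminal target or 'RETURN', was_logged)."""
    for r_proto, r_dst, r_ports, target in chains[chain]:
        if (r_proto and r_proto != proto) or (r_dst and r_dst != dst):
            continue
        if r_ports and (dport is None or not r_ports[0] <= dport <= r_ports[1]):
            continue
        if target == "LOG":  # LOG is non-terminating: note it and keep walking
            logged = True
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, logged
        result, logged = verdict(chains, proto, dst, dport, target, logged)  # user chain
        if result != "RETURN":
            return result, logged
    return "RETURN", logged
```

Call `verdict(parse(RULES), "tcp", "71.161.100.347", 8080)` to see that an unlisted port is logged and dropped, while port 35000 on the same IP is accepted via PAROLE.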