Re: Port 80 abuse, iptables question.

SOLVED
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

My conclusion on the dead machine is that its MBR is corrupt. That's because the rescue cd can mount the two hard disks.

Going to use DOS to fix that tonight and then do another OS installation. Then I have a machine I can play around with.

I would say it likely that some of my customizations to httpd.conf have opened up this vulnerability. Instead of the usual trick of copying in httpd.conf I'll run the standard web server for a while and see what the logs look like.

Turning off lookup has helped. The spoof was being done with names and not numbers and my blocking program is once again effective at stopping the inbound traffic.

Worrying however since one of the IPs blocked is aol dialup and nobody on the Internet can afford to block aol dial up.

Fascinating.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jerome Henry
Honored Contributor

Re: Port 80 abuse, iptables question.

Off topic too, did you try, if you can mount your HD with rescue disk, some LVM tools, such as pvdisplay and lvdisplay, to see if you can do something with it? Sure that fresh reinstall is faster if no important data on it...
I always have probs when doing LVM on / itself, even with /boot on standard 83 type partition, despite several ways round to make things 'stable', one day it always ends with a mess message about partitions not found and grub freezing at stage 1.5.

(plz 0 here)

Jerome
You can lean only on what resists you...
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

I've been trying LVM because I want to use it. I suppose it's time to consider a non-lvm install.

I used Windows 98/Dos to wipe the system. Did a format c: /s and booted the drive no problems off Dos.

Then reinstalled the OS. Came up no operating system. Maybe time to crack the box.

Original problem still festers, 1200 different IP addresses generated this error. Will try and get some machine on with standard httpd.conf and see if it has the problem.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

I put a server up with a stock httpd.conf file and virtual name hosts on the Internet.

There was instant abuse of the httpd server with the base firewall settings.

I'll give 7 points for a link that will let me report this bug to apache.

I will do better for a firewall solution to stop the output without disabling the web server.

I'd like to know what the numbers in these three statements mean:
:INPUT ACCEPT [5:267]
:FORWARD DROP [0:0]
:OUTPUT DROP [136:12582]
:okay - [0:0]
:RH-Firewall-1-INPUT - [0:0]

Do they refer to port numbers? Can they be used to control firewall output?

Is there anyone else with this problem?

Shabbat Shalom, Lihitraot.


SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

I've had partial success.

Now I have a firewall configuration that prevents the abuse. It's interfering with Samba drive connection and normal web traffic, but I can resolve that.

Just wrapped up DR work at the office. Now I'm taking the kiddies to Disneyland.

I will report back upon arrival to California.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Samba problem fixed.

Version 1 of a solid firewall appears to be stable.

This problem could be a consequence of running the httpd server to another box that allows access via Samba. I doubt that though.

The firewall does seem to cut down a great deal on the issues. I may have to go to a stock httpd configuration to try and figure out how the httpd/apache side of the hole is opened up.

Since existing connections are not terminated when the firewall is restarted, I have to wait a while to see if a change actually closes the hole.

SEP
Stuart Browne
Honored Contributor

Re: Port 80 abuse, iptables question.

The [0:0] numbers in the '/etc/sysconfig/iptables' file are the stored packets/bytes that have traversed the chain when the previous 'service iptables save' was issued.

You can zero these out if you wish to make clean numbers for a boot-up.

These are the numbers seen when using 'iptables -nvxL'.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Thank You Stuart.

Firewall continues to be worked on.

Trying very hard to limit all traffic in and out to authorized ports only.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Here is an example of an httpd access violation.

12:40:46.637325 IP (tos 0x20, ttl 111, id 57410, offset 0, flags [DF], proto 6, length: 48) 203.175.255.29.3587 > dns3.investmenttool.com.http: S [tcp sum ok] 301828640:301828640(0) win 16384
12:40:46.637487 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 6, length: 48) dns3.investmenttool.com.http > 203.175.255.29.3587: S [tcp sum ok] 4193217969:4193217969(0) ack 301828641 win 5840


Here is an attempt to telnet in on port 3587 from the logs perspective.

12:44:49.646426 IP (tos 0x20, ttl 64, id 1940, offset 0, flags [DF], proto 6, length: 40) dns3.investmenttool.com.3587 > ca-agoura-cuda2r-186.ventca.adelphia.net.4658: R [tcp sum ok] 0:0(0) ack 1 win 0

This lower attempt was denied.

I'm going to go over this thread and all suggestions and see what I can do to make this stuff stop.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Submitted to bugfix.redhat.com

Updated yet still incomplete firewall configuration.

# Generated by iptables-save v1.2.11 on Sun Apr 10 12:11:05 2005
*filter
:INPUT ACCEPT [6:747]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:447]
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.20 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.40 -i lo -j ACCEPT
-A INPUT -s 66.92.143.196 -i lo -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.10 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.20 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.41 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.50 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.70 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.80 -i eth1 -j ACCEPT
-A FORWARD -f -j ACCEPT
-A FORWARD -s 192.168.0.20 -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 21 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 21 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 21 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 21 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 22 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 25 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 80 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 80 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 80 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 80 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 110 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 110 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 110 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 110 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 111 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 111 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 111 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 111 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 113 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 113 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 113 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 113 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 123 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 123 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 123 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 123 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 143 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 143 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 143 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 143 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 443 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 443 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 443 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 443 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 993 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 993 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 993 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 993 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 995 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 995 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 995 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 995 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.10 -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -s 192.168.0.40 -j ACCEPT
-A OUTPUT -s 192.168.0.41 -j ACCEPT
-A OUTPUT -s 192.168.0.50 -j ACCEPT
-A OUTPUT -s 192.168.0.70 -j ACCEPT
-A OUTPUT -s 192.168.0.80 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 66.92.143.196 -j ACCEPT
-A OUTPUT -s 192.168.0.40 -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.10 -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -s 192.168.0.40 -j ACCEPT
-A OUTPUT -s 192.168.0.41 -j ACCEPT
-A OUTPUT -s 192.168.0.50 -j ACCEPT
-A OUTPUT -s 192.168.0.70 -j ACCEPT
-A OUTPUT -s 192.168.0.80 -j ACCEPT
COMMIT
# Completed on Sun Apr 10 12:11:05 2005

SEP
Stuart Browne
Honored Contributor

Re: Port 80 abuse, iptables question.

Wow, it's been a while since I've seen a non-drop policy firewall..

I'd start by re-thinking the policy.

This is a gateway box to the network, yes? Anyway, I'll go on with that thought in mind, running one or two internal-only services.

Anyway, some comments...

-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth0 -j ACCEPT

Only the first one should *EVER* be valid. The other two should *NEVER*NEVER*NEVER* be valid.

-A INPUT -s 192.168.0.40 -i lo -j ACCEPT
-A INPUT -s 66.92.143.196 -i lo -j ACCEPT

These two are also *BAD*BAD*BAD*. Nothing other than 127.0.0.1, or from the 'lo' interface should *EVER* hit 127.0.0.1!

-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.20 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT

I take it 'eth1' is your internal network? In any case, these three, along with the 7 below are just covering each other over and over.

So this leaves 4 rules to note..

-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP

Drop ICMP 8 & 11, ok, nice. Explicitly allow name-server and ident traffic.. Cool.. You running your own name server?

The input chain should be able to be reduced to the following:

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -s 66.92.143.196 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -s 66.92.143.196 -p udp --dport 113 -j ACCEPT

As a catch-all to be happy about locally generated traffic:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

But only if you're expecting a fair amount of things to be initiated from this machine.

Now, the FORWARD chain.. This looks messy..

Drop policy is good on the Forward.

First rule (after the flush) is to accept everything coming from 192.168.0.20. Ok, although you might want to restrict that to coming from eth1 and going to eth0, otherwise it shouldn't be hitting this box and traversing interfaces.

By the looks of it, you're trying to do with '--tcp-flags'/'! --tcp-flags' the same as '-m state ESTABLISHED,RELATED' does. Any particular reason you're not just using that? The 'ip_conntrack' module is very powerful, and makes things much easier in my opinion. Apart from that, for FTP, SSH, SMTP, HTTP, POP, portmap (? huh? why?), identd, 123 (that's an MS VPN thing, right?), IMAP, SSL HTTPD, 993 & 995 (MS VPN again right?) from external sites, and Samba based ports for local 'nets.. It all looks ok.

Now, as for the Output chain, as this chain is only for packets originating from *THIS BOX*, as against being forwarded from another net, why so many rules? Especially 3 of some!

iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

Would be all I think you'd need, with possibly:

iptables -A OUTPUT -s 66.92.143.196 -j ACCEPT

If that IP is eth0's IP address (and why open it up this much ? If you're going to use a DROP OUTPUT policy, restrict the ports more!).

Anyway, my thoughts..
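Stuart's two points above, the meaning of the `[packets:bytes]` counters and the rules that cover each other over and over, can both be checked mechanically. The following is an added example (not code from the thread): a small parser for the iptables-save format that reports the saved counters, can zero them, and flags loopback sources on real interfaces, exact duplicates, and rules that an earlier rule in the same chain already covers. The embedded input is a shortened excerpt of the configuration Steven posted; the "-m" module loads are ignored and only "-s"/"-d", "-i", "-p", port, flag and ICMP-type options are compared.

```python
"""Lint an iptables-save dump for the problems Stuart raises above (added
example, not the thread's code): parse ":CHAIN POLICY [pkts:bytes]" headers and
"-A CHAIN ..." rules, report counters, flag loopback misuse, duplicates, dead rules."""
import ipaddress
import re
import shlex
from collections import namedtuple

HEADER_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
COUNTER_RE = re.compile(r"\[\d+:\d+\]")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
TWO_ARG, FLAG_ONLY = {"--tcp-flags"}, {"-f"}   # options taking two / zero values
NET_OPTS = {"-s", "-d"}                         # options normalised to ip_network
Rule = namedtuple("Rule", "chain text match target")  # match: options minus -m/-j
# Constructed excerpt of the configuration posted in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [6:747]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:447]
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.20 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth0 -j ACCEPT
-A INPUT -s 66.92.143.196 -i lo -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 21 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a Rule with normalised matches."""
    toks = shlex.split(line)
    chain, target, match, negate, i = None, None, {}, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                       # negation applies to the next option
            negate, i = True, i + 1
            continue
        key, negate = ("!" if negate else "") + tok, False
        if tok == "-A":
            chain, i = toks[i + 1], i + 2
        elif tok == "-j":
            target, i = toks[i + 1], i + 2
        elif tok == "-m":                    # module load, no match semantics
            i += 2
        elif tok in FLAG_ONLY:
            match[key], i = "", i + 1
        elif tok in TWO_ARG:
            match[key], i = " ".join(toks[i + 1:i + 3]), i + 3
        elif tok in NET_OPTS:                # 192.168.0.20 or x/255.255.0.0 -> CIDR
            match[key], i = ipaddress.ip_network(toks[i + 1], strict=False), i + 2
        else:
            match[key], i = toks[i + 1], i + 2
    return Rule(chain, line, match, target)

def parse_save(text):
    """Return ({chain: (policy, packets, bytes)}, [Rule, ...])."""
    counters, rules = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            counters[m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return counters, rules

def zero_counters(text):
    """Reset the saved [packets:bytes] counters to [0:0], as Stuart suggests."""
    return COUNTER_RE.sub("[0:0]", text)

def covers(earlier, later):
    """True if every match of `earlier` also holds for `later`, so `later` is dead."""
    for key, val in earlier.match.items():
        if key not in later.match:
            return False
        if key in NET_OPTS and not later.match[key].subnet_of(val):
            return False
        if key not in NET_OPTS and later.match[key] != val:
            return False
    return True

def lint(rules):
    """[(rule text, code)]: 127/8 source off lo or non-127/8 on lo, duplicates, dead rules."""
    findings, earlier = [], {}
    for rule in rules:
        src, ifc = rule.match.get("-s"), rule.match.get("-i")
        if src is not None and ifc is not None and src.subnet_of(LOOPBACK) != (ifc == "lo"):
            findings.append((rule.text, "lo-mismatch"))
        prior = earlier.setdefault(rule.chain, [])
        if any(p.match == rule.match and p.target == rule.target for p in prior):
            findings.append((rule.text, "duplicate"))
        elif any(covers(p, rule) for p in prior):
            findings.append((rule.text, "shadowed"))
        prior.append(rule)
    return findings
```

Running `lint(parse_save(SAMPLE)[1])` reproduces Stuart's comments on the excerpt: the `-s 192.168.0.20 -i eth1` rule is shadowed by the /16 rule above it, both `127.0.0.1`-on-eth0 and `66.92.143.196`-on-lo rules are flagged, and the repeated OUTPUT rule is a duplicate; pointing `parse_save` at the full dump above turns up the rest.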
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Initial answer, because I'm not working the firewall right now.
>>
Cool.. You running your own name server?
>>
Yes, this is my test server. I am hardening the firewall due to the abuse.

>>
Now, the FORWARD chain.. This looks messy..

Drop policy is good on the Forward.

First rule (after the flush) is to accept everything coming from 192.168.0.20. Ok, although you might want to restrict that to coming from eth1 and going to eth0, otherwise it shouldn't be hitting this box and traversing interfaces.
>>

This was an effort to restore CIFS/Samba connection to this box. That box is where all the web content lives.

>>
By the looks of it, you're trying to do with '--tcp-flags'/'! --tcp-flags' the same as '-m state ESTABLISHED,RELATED' does.
>>
Yes, I have been making progress based on an older document that came up in a google search. Based on your expertise, I'll make the conversion.
>>
Any particular reason you're not just using that? The 'ip_conntrack' module is very powerful, and makes things much easier in my opinion.
>>
You've exceeded my parochial expertise here. Can you elaborate?

>>
Apart from that, for FTP, SSH, SMTP, HTTP, POP, portmap (? huh? why?), identd, 123
>>
(ntpd, like to have it.)
(that's an MS VPN thing, right?)
>>
Remember our VPN forwarding issue last summer that was actually the lack of a certificate server on windows 2003. This is the relic. I will probably do VPN forwarding once the darned firewall stops getting violated.
>>
, IMAP, SSL HTTPD, 993 & 995 (MS VPN again right?) from external sites, and Samba based ports for local 'nets.. It all looks ok.
>>
My customers want secure imap and pop, but some of the older ones still use pop and imap. Squirrelmail uses imap, but that's probably not relevant.

Stuart, You are going to be 10 points closer to the Linux Dunes.

My plan is to work through this post and update the firewall. I understand most of what you said except where indicated.

Lihitraot Chaver Shly

Until we talk again my friend.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

>>
Wow, it's been a while since I've seen a non-drop policy firewall..
>>

Any time I set INPUT DROP, NO traffic goes through.

Decided to stay up and work on your recommendations. So far nothing is broken.

SEP
Stuart Browne
Honored Contributor

Re: Port 80 abuse, iptables question.

Ok, here's what needs confirming..

What's running on this box?

For every service that's running on the box, you need INPUT chain rules.

For things of which are only passing through, then FORWARD is your friend.

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT

A start. This gives us local-net access to the machine, and the machine access to itself. Currently not allowing any external (eth0) traffic to hit it.

iptables -A INPUT -i eth0 -s 66.92.143.196 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -s 66.92.143.196 -p udp --dport 113 -j ACCEPT

'udp' is stateless, so no point doing any state stuff. This allows only that IP access to Name server and something that does ident on UDP (huh? didn't think this existed any more. Most use TCP).

From here, we head to FORWARD:

iptables -P FORWARD DROP
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT

This takes care of most of it strangely enough :) This allows anything on the local network out, and any existing connections through. Now add some specific allows for inbound traffic forwarded through the box:

iptables -A FORWARD -i eth0 -p tcp --dport 21 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 25 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 110 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 111 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 113 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 123 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 143 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 443 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 993 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 995 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT

This allows FTP, SSH, SMTP, HTTP, POP, Portmap (still wondering why?), IDent, NTP, IMAP, HTTPs, IMAPs, POPs through (but not *in*) this machine.

As we're already allowing everything on eth1, there's no need to specifically allow the Samba ports (139/445 tcp, 137/138 udp).

At worst, you'll need to insert the 'ip_conntrack_ftp' module (and if this machine is doing NAT, then 'ip_nat_ftp' as well) to help with things.

As for the OUTPUT, what is coming out of this machine? I tend to leave my machines with '-P OUTPUT ACCEPT'.. but I do a fair bit from my linux boxen ;)

Hope this helps..

As for what caused this to start with, I've never heard of apache doing that sort of thing without having been exploited *shrug*, but you've bugzilla'd it so hopefully it'll be fixed soon.

And yes.. a step closer to the dunes :) You're pretty much there in the Linux groups now too..

Take a few months off, and see what happens?! 1500 points difference *shakes head at self* ah well.. new job 'n all..
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Went through most of Stuart's changes

Here is more detail on the violation after the change.

04:34:32.975248 IP (tos 0x20, ttl 109, id 61984, offset 0, flags [DF], proto 6, length: 236) 222.47.10.104.2260 > dns3.investmenttool.com.http: P 1:197(196) ack 1 win 64440
04:34:32.975389 IP (tos 0x0, ttl 64, id 62771, offset 0, flags [DF], proto 6, length: 40) dns3.investmenttool.com.http > 222.47.10.104.2260: . [tcp sum ok] 1:1(0) ack 197 win 1728
04:34:33.004002 IP (tos 0x0, ttl 64, id 62773, offset 0, flags [DF], proto 6, length: 1480) dns3.investmenttool.com.http > 222.47.10.104.2260: . 1:1441(1440) ack 197 win 1728
04:34:33.004039 IP (tos 0x0, ttl 64, id 62775, offset 0, flags [DF], proto 6, length: 1480) dns3.investmenttool.com.http > 222.47.10.104.2260: . 1441:2881(1440) ack 197 win 1728
04:34:33.552083 IP (tos 0x20, ttl 109, id 62071, offset 0, flags [DF], proto 6, length: 40) 222.47.10.104.2260 > dns3.investmenttool.com.http: . [tcp sum ok] 197:197(0) ack 2881 win 64440
04:34:33.552199 IP (tos 0x0, ttl 64, id 62777, offset 0, flags [DF], proto 6, length: 1480) dns3.investmenttool.com.http > 222.47.10.104.2260: . 2881:4321(1440) ack 197 win 1728
04:34:33.552217 IP (tos 0x0, ttl 64, id 62779, offset 0, flags [DF], proto 6, length: 1480) dns3.investmenttool.com.http > 222.47.10.104.2260: . 4321:5761(1440) ack 197 win 1728
04:34:33.552227 IP (tos 0x0, ttl 64, id 62781, offset 0, flags [DF], proto 6, length: 315) dns3.investmenttool.com.http > 222.47.10.104.2260: FP 5761:6036(275) ack 197 win 1728
04:34:34.100340 IP (tos 0x20, ttl 109, id 62149, offset 0, flags [DF], proto 6, length: 40) 222.47.10.104.2260 > dns3.investmenttool.com.http: . [tcp sum ok] 197:197(0) ack 5761 win 64440
04:34:34.100611 IP (tos 0x20, ttl 109, id 62150, offset 0, flags [DF], proto 6, length: 40) 222.47.10.104.2260 > dns3.investmenttool.com.http: . [tcp sum ok] 197:197(0) ack 6037 win 64371
04:34:34.110426 IP (tos 0x20, ttl 109, id 62152, offset 0, flags [DF], proto 6, length: 40) 222.47.10.104.2260 > dns3.investmenttool.com.http: F [tcp sum ok] 197:197(0) ack 6037 win 64371

Here is the updated firewall.

# Generated by iptables-save v1.2.11 on Mon Apr 11 04:15:26 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -f -j ACCEPT
-A FORWARD -s 192.168.0.20 -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 66.92.143.196 -j ACCEPT
COMMIT
# Completed on Mon Apr 11 04:15:26 2005


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: Port 80 abuse, iptables question.

Guess I should have said Flush first.. ;)

Take a copy of '/etc/sysconfig/iptables', flush all the changes, change OUTPUT's policy to ACCEPT, put in the new rules, change INPUT's policy to DROP..
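One check worth running before flipping INPUT's policy to DROP on a box you can only reach over the network, as an added example that is not code from the thread or from iptables: a small Python evaluator that walks constructed packets through Stuart's rules. The lo and LAN INPUT rules are reconstructed from his description, the firewall address 192.0.2.1 and the admin network 203.0.113.0/24 are placeholders, and only three of his forwarded service ports are kept.

```python
"""Offline evaluator for iptables filter rules of the kind discussed above.
Added example, not code from the thread or from iptables: it knows only the
matches the posted rules use (-i, -o, -s, -d, -p, --sport, --dport, -m state)
and a toy conntrack, so a ruleset can be checked before loading it remotely."""
import ipaddress
import shlex

def packet(in_if, out_if, src, dst, proto, sport, dport):
    # in_if is None for packets the box sends, out_if is None for packets to it
    return {"-i": in_if, "-o": out_if, "-s": src, "-d": dst, "-p": proto,
            "--sport": sport, "--dport": dport}

def parse_rule(toks):
    """Turn the tokens after '-A CHAIN' into a dict of match options."""
    rule = {"states": set()}
    for opt, arg in zip(toks[::2], toks[1::2]):  # every option takes one argument
        if opt in ("-i", "-o", "-p", "-j"):
            rule[opt] = arg
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt] = int(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt != "-m":  # '-m state' only names the module; its options follow
            raise ValueError(f"unsupported option {opt}")
    return rule

def matches(rule, pkt, state):
    for opt, want in rule.items():
        if opt in ("-j", "states"):
            continue
        if opt in ("-s", "-d"):
            if ipaddress.ip_address(pkt[opt]) not in want:
                return False
        elif want != pkt[opt]:
            return False
    return not rule["states"] or state in rule["states"]

class Firewall:
    def __init__(self, lines):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {chain: "ACCEPT" for chain in self.chains}
        self.conns = set()  # accepted 5-tuples, standing in for ip_conntrack
        for line in lines:
            toks = shlex.split(line)[1:]  # drop the leading 'iptables'
            if toks[0] == "-P":
                self.policy[toks[1]] = toks[2]
            else:
                self.chains[toks[1]].append(parse_rule(toks[2:]))

    def verdict(self, p):
        """Return (chain, conntrack state, final target) for one packet."""
        chain = "INPUT" if p["-o"] is None else "OUTPUT" if p["-i"] is None else "FORWARD"
        key = (p["-p"], p["-s"], p["--sport"], p["-d"], p["--dport"])
        reply = (p["-p"], p["-d"], p["--dport"], p["-s"], p["--sport"])
        state = "ESTABLISHED" if key in self.conns or reply in self.conns else "NEW"
        result = self.policy[chain]  # first matching rule wins, else the policy
        for rule in self.chains[chain]:
            if matches(rule, p, state):
                result = rule["-j"]
                break
        if result == "ACCEPT":
            self.conns.add(key)  # only an accepted first packet confirms the entry
        return chain, state, result

# Stuart's rules with the INPUT policy of DROP he asks for. The lo and LAN INPUT
# rules are assumed from his description; only three of his service ports are kept.
STUART_RULES = [
    "iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT",
    "iptables -A INPUT -i eth0 -s 66.92.143.196 -p udp --dport 53 -j ACCEPT",
    "iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED",
    "iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT",
    "iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -d 66.92.143.0/24 -j ACCEPT",
]
# Added here, not in the thread: what INPUT needs before its policy goes to DROP on
# a box administered remotely. ADMIN_NET and FW_EXT are constructed placeholders.
ADMIN_NET, FW_EXT = "203.0.113.0/24", "192.0.2.1"
REMOTE_ADMIN_RULES = [
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    f"iptables -A INPUT -i eth0 -p tcp --dport 22 -s {ADMIN_NET} -m state --state NEW -j ACCEPT",
]

def walk(rules):
    """Run constructed scenarios through a fresh firewall; return {name: verdict}."""
    fw = Firewall(rules)
    scenarios = [
        ("lan_out", packet("eth1", "eth0", "192.168.0.10", "198.51.100.7", "tcp", 40000, 80)),
        ("lan_reply", packet("eth0", "eth1", "198.51.100.7", "192.168.0.10", "tcp", 80, 40000)),
        ("web_in", packet("eth0", "eth1", "203.0.113.5", "66.92.143.10", "tcp", 51000, 80)),
        ("db_in", packet("eth0", "eth1", "203.0.113.5", "66.92.143.10", "tcp", 51001, 3306)),
        ("fw_dns", packet(None, "eth0", FW_EXT, "198.51.100.53", "udp", 33000, 53)),
        ("fw_dns_reply", packet("eth0", None, "198.51.100.53", FW_EXT, "udp", 53, 33000)),
        ("admin_ssh", packet("eth0", None, "203.0.113.5", FW_EXT, "tcp", 52000, 22)),
    ]
    return {name: fw.verdict(p) for name, p in scenarios}
```

With the policies as posted, both a new SSH to the firewall from outside and the replies to the firewall's own DNS lookups end in INPUT's DROP policy; appending REMOTE_ADMIN_RULES is what lets them through.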
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Okay, I'll give it a try.

I'm 2,000 miles from the machine but:

* iptables is not set to autostart with chkcfg
* I have remote power management working and can power the server down.

Will report results back and post new configuration shortly.

SEP
Linux Giza is great!!
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Tried the change. Access froze the minute the firewall came back online.

I will dump and post the policy, since obviously further analysis is required by me.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Here is the iptables file after Stuart's recommended change. Wondering why it didn't work.

Ideas? Suggestions? There be bunnies in them thar hills. System clock is off on this box in case someone notices, worry not.

# Generated by iptables-save v1.2.11 on Mon Apr 11 12:53:18 2005
*filter
:INPUT DROP [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -f -j ACCEPT
-A FORWARD -s 192.168.0.20 -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 139 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 445 ! --tcp-flags SYN,ACK ACK -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 66.92.143.196 -j ACCEPT
COMMIT
# Completed on Mon Apr 11 12:53:18 2005
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: Port 80 abuse, iptables question.

How are you accessing the machine?

SSH directly from remote?

Needs a rule in the INPUT chain to allow you.

With the rules I gave, it only allows SSH to pass through it (FORWARD), or from the 'local' network (192.168.0.0/24 on eth1 somewhere).
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

This may be the final cut.

The firewall posted in the previous post lacked input rules. This prevented any input after the INPUT drop change Stuart recommended was implemented.

Note to those playing at home. Sometimes you need to get away from the keyboard. I was going over this configuration at a place called Zuma beach, chasing my kids around when it struck me why the INPUT DROP policy was failing.

Two more firewall revisions and the violations appear to have stopped and firewall performance is about as good as it's ever been.

Stuart needs to evaluate this setup to get his bunny, because it was his critical analysis that led to the solution.

Here is the firewall once again.

# Generated by iptables-save v1.2.11 on Mon Apr 11 21:03:14 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 66.92.143.196
COMMIT
# Completed on Mon Apr 11 21:03:14 2005
# Generated by iptables-save v1.2.11 on Mon Apr 11 21:03:14 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.40 -i eth1 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 111 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 113 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 993 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 137 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 139 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 445 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 66.92.143.196 -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -f -j ACCEPT
-A FORWARD -s 192.168.0.20 -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 110 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 111 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 113 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 143 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 993 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 995 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 66.92.143.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 137 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 139 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 445 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --sport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -s 192.168.0.20 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 66.92.143.196 -j ACCEPT
COMMIT
# Completed on Mon Apr 11 21:03:14 2005
# Note the system date on this box is off by 13 hours or so.

SEP
Steven E. Protter
Exalted Contributor

Re: Port 80 abuse, iptables question.

Seems the violations are still occurring.

Still the firewall configuration is both stable and fast.

The violation pattern is the same as documented previously.

SEP
Stuart Browne
Honored Contributor
Solution

Re: Port 80 abuse, iptables question.

Ok..

The --sport's in the INPUT chain should be removed.

A single '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' should cover all such conversations, and be more secure, as it only accepts packets to related outgoing streams or already existing incoming streams (currently, if someone initiates a TCP session to any port on your box *from* TCP 21, you'll accept it.. bad.. very bad).

There's no need to explicitly have these two:

-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j DROP

It's DROP policy, they'll be dropped anyway, especially since they are at the end..

The FORWARD chain is still messed up. You don't quite have a grasp of the '-m state' stuff yet it seems.

Get rid of all rules which contain '--tcp-flags'. Don't need 'em.

For each port/subnet of which you're going to forward through the box (i.e. not sourced, and not destined for this box), use a rule similar to:

-A FORWARD -m state --state NEW -p tcp --dport <port> -s <subnet>/<mask> -j ACCEPT

You should also tie these down per interface for better security. After all of those (there's what, 12 ports, 2 subnets, so 24), plus those few for samba (3 rules), and the global-accept for 192.168.0.20 (28 rules total), add this single rule:

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

** ONLY ONE **. It covers all of those above.

Once again here, no --sport stuff!

OUTPUT chain as ACCEPT is good, so doesn't actually need any rules.
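The ruleset Stuart describes in the post above (and the INPUT-chain point from his earlier reply about how the admin reaches the box), written out as a script. This is an added example, not code posted in the thread or by either participant. It does not touch the kernel: gen_rules prints iptables-restore input for you to review, and sport_accepts lints an existing iptables-save dump for the "--sport ... -j ACCEPT without state" pattern Stuart calls out. The interface and address layout is an assumption taken from the dumps above (eth0 facing the Internet with 66.92.143.196 and 66.92.143.0/24, eth1 facing 192.168.0.0/16 with the management host 192.168.0.40 and the trusted host 192.168.0.20, Samba only LAN-to-LAN); the sample dump is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the stateful ruleset Stuart
# Browne recommends: one NEW rule per port/subnet tied to an interface,
# then ONE ESTABLISHED,RELATED rule, and no --sport rules anywhere.
# Nothing is applied here; review the output, then as root:
#   gen_rules | iptables-restore
# Assumed topology (from the dumps in the thread, not stated by Stuart):
#   eth0 = Internet side, 66.92.143.196 on 66.92.143.0/24
#   eth1 = LAN side, 192.168.0.0/16; 192.168.0.40 manages the box,
#   192.168.0.20 may forward anything, Samba is LAN-to-LAN only.
WAN_IF=eth0
LAN_IF=eth1
WAN_NET=66.92.143.0/24
LAN_NET=192.168.0.0/16
LOCAL_SERVICES="21 22 25 80 110 143 443 993 995"            # served by this box
FORWARD_PORTS="21 22 25 80 110 111 113 123 143 443 993 995" # the 12 forwarded ports
FORWARD_SRC="$WAN_NET:$WAN_IF $LAN_NET:$LAN_IF"  # subnet:interface it must arrive on
SAMBA_PORTS="137 139 445"

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j SNAT --to-source 66.92.143.196
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.0.40 -i $LAN_IF -j ACCEPT
EOF
  # Only fresh connections to listening services; replies were handled above.
  for p in $LOCAL_SERVICES; do
    echo "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
  done
  # Anti-spoofing tie: a source subnet is only believed on its own interface.
  for pair in $FORWARD_SRC; do
    net=${pair%%:*}; iface=${pair##*:}
    for p in $FORWARD_PORTS; do
      echo "-A FORWARD -i $iface -s $net -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
  done
  for p in $SAMBA_PORTS; do
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -d $LAN_NET -p tcp -m state --state NEW --dport $p -j ACCEPT"
  done
  echo "-A FORWARD -i $LAN_IF -s 192.168.0.20 -j ACCEPT"
  # The single state rule covers every reply for all of the NEW rules above.
  echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "COMMIT"
}

# Flag ACCEPT rules that trust a *source* port without connection state:
# any host can set its source port to 21 and reach every port on the box.
sport_accepts() {
  grep -E -- '^-A (INPUT|FORWARD) .*--sport [0-9]+ .*-j ACCEPT' | grep -v -- '--state' || true
}
count_sport_accepts() { sport_accepts | wc -l | tr -d ' '; }

# Constructed excerpt in the shape of the dumps in the thread (not a capture).
SAMPLE_DUMP='-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Usage:
#   printf '%s\n' "$SAMPLE_DUMP" | sport_accepts   # prints the two bad INPUT rules
#   iptables-save | sport_accepts                  # lint the live ruleset
#   gen_rules > /root/iptables.new                 # review before restoring
```

The lint deliberately ignores rules that carry `--state`: a `--sport` match combined with ESTABLISHED,RELATED is redundant rather than dangerous, since the state match already requires the packet to belong to a known connection. The generated FORWARD chain ends up with the 28 rules Stuart counts (24 port/subnet rules, 3 for Samba, 1 for 192.168.0.20) followed by the single state rule as the last rule in the chain.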