Author: mikedawg@gmail.com (*nix forums beginner)
Joined: 09 Sep 2005
Posts: 18
Posted: Thu Jun 22, 2006 4:02 pm
Post subject: iptables only allowing tcp packets with PSH set
I'm having a weird problem with iptables 1.2.11 on my Linux system. For some reason, it is only allowing packets through from allowed hosts/ports that have the TCP flag PSH set on them; it will deny all others. I have no rules set in iptables about allowing/disallowing these TCP flags, and I'm not quite sure what could be causing my problems.

Does anyone have any ideas why my Linux system would be doing this?

Thanks
Mike

Here is the output of my iptables-save (with a few edits for MAC and IP security):
# Generated by iptables-save v1.2.11 on Thu Jun 22 09:38:48 2006
*filter
:INPUT ACCEPT [23:1292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35:43479]
:Cid449952DF.0 - [0:0]
:Cid449952E9.0 - [0:0]
:Cid449952E9.1 - [0:0]
:Cid449952F3.0 - [0:0]
:Cid44995307.0 - [0:0]
:Cid44995307.1 - [0:0]
:Cid4499B94F.0 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_4 - [0:0]
:RULE_5 - [0:0]
:RULE_7 - [0:0]
:RULE_8 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A INPUT -d <firewall host> -m state --state NEW -j Cid44995307.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d <firewall host> -m state --state NEW -j Cid449952E9.0
-A INPUT -d <firewall host> -p tcp -m tcp --dport 10000:10500 -m state --state NEW -j Cid449952DF.0
-A INPUT -s <priv subnet>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 1520:1522 -m state --state NEW -j RULE_5
-A INPUT -s <priv subnet 1>/255.255.255.0 -d <firewall host> -p tcp -m tcp --sport 445 -j DROP
-A INPUT -s <priv subnet 2>/255.255.255.0 -d <firewall host> -m state --state NEW -j Cid4499B94F.0
-A INPUT -d <firewall host> -j RULE_8
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s <firewall host> -m state --state NEW -j ACCEPT
-A OUTPUT -d <firewall host> -j RULE_8
-A Cid449952DF.0 -s 10.0.0.0/255.0.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 3>/255.255.0.0 -j RULE_4
-A Cid449952DF.0 -s <priv subnet 5>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 6>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 7>/<priv subnet range> -j RULE_4
-A Cid449952DF.0 -s <priv subnet 8>/<priv subnet range> -j RULE_4
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 3>/255.255.0.0 -j RULE_3
-A Cid449952E9.1 -s <priv subnet 5>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 6>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 7>/<priv subnet range> -j RULE_3
-A Cid449952E9.1 -s <priv subnet 8>/<priv subnet range> -j RULE_3
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 3>/255.255.0.0 -j RULE_2
-A Cid449952F3.0 -s <priv subnet 5>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 6>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 7>/<priv subnet range> -j RULE_2
-A Cid449952F3.0 -s <priv subnet 8>/<priv subnet range> -j RULE_2
-A Cid44995307.0 -f -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 11/1 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 0/0 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 3 -j Cid44995307.1
-A Cid44995307.0 -p icmp -m icmp --icmp-type 8/0 -j Cid44995307.1
-A Cid44995307.1 -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 3>/255.255.0.0 -j ACCEPT
-A Cid44995307.1 -s <priv subnet 5>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 6>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 7>/<priv subnet range> -j ACCEPT
-A Cid44995307.1 -s <priv subnet 8>/<priv subnet range> -j ACCEPT
-A Cid4499B94F.0 -p tcp -m tcp -m multiport --dports 445,139 -j RULE_7
-A Cid4499B94F.0 -p udp -m udp -m multiport --dports 138,137 -j RULE_7
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_4 -j LOG --log-prefix "ALLOWED-APP " --log-level 6
-A RULE_4 -j ACCEPT
-A RULE_5 -j LOG --log-prefix "ALLOWED-DB " --log-level 6
-A RULE_5 -j ACCEPT
-A RULE_7 -j LOG --log-prefix "ALLOWED-SMB " --log-level 6
-A RULE_7 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
COMMIT
# Completed on Thu Jun 22 09:38:48 2006
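To see what the ruleset above actually decides for a given packet, here is an added example (not code from the original post, and not part of any iptables tool) that models the filter-table traversal the dump relies on: `-s`/`-d`, `-p`, `--sport`/`--dport`, multiport `--dports` and `-m state --state` matches; a user-defined chain that matches nothing returns to the caller; `LOG` is non-terminating; `ACCEPT`/`DROP` are final. The sample ruleset is a constructed, cut-down copy of the dump with the assumed address 192.0.2.10 standing in for `<firewall host>`. Note what the model deliberately leaves out: no rule in the dump matches on TCP flags (`--tcp-flags`, `--syn`), so PSH cannot change a verdict here; the only per-packet input that does is the conntrack state handed to `-m state`.

```python
"""Walk the INPUT chain of an iptables-save ruleset for a given packet.

Added example, not code from the original post. Models just enough of
iptables filter-table semantics to show why a packet is ACCEPTed,
DROPped, or falls through to the chain policy.
"""
import ipaddress
import shlex

# Constructed sample: a cut-down copy of the posted ruleset, with the
# assumed address 192.0.2.10 standing in for "<firewall host>".
FIREWALL = "192.0.2.10"
RULES = f"""
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d {FIREWALL} -p tcp -m tcp --dport 22 -m state --state NEW -j Cid449952F3.0
-A INPUT -d {FIREWALL} -m state --state NEW -j Cid449952E9.0
-A INPUT -d {FIREWALL} -j RULE_8
-A Cid449952F3.0 -s 10.0.0.0/255.0.0.0 -j RULE_2
-A Cid449952E9.0 -p tcp -m tcp -m multiport --dports 80,443 -j Cid449952E9.1
-A Cid449952E9.1 -s 10.0.0.0/255.0.0.0 -j RULE_3
-A RULE_2 -j LOG --log-prefix "ALLOWED-SSH " --log-level 6
-A RULE_2 -j ACCEPT
-A RULE_3 -j LOG --log-prefix "ALLOWED-WEB " --log-level 6
-A RULE_3 -j ACCEPT
-A RULE_8 -j LOG --log-prefix "DENIED " --log-level 6
-A RULE_8 -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return {chain: [rule, ...]} from the '-A' lines of an iptables-save dump."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        chain, rule, i = tok[1], {"target": None, "match": {}}, 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt in ("-m", "--log-prefix", "--log-level"):
                pass  # module loads and LOG options carry no match semantics
            elif opt == "-j":
                rule["target"] = arg
            elif opt in ("-s", "-d"):  # handles 10.0.0.0/255.0.0.0 and bare hosts
                rule["match"][opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["match"][opt] = arg
            elif opt in ("--dport", "--sport"):  # single port or lo:hi range
                lo, _, hi = arg.partition(":")
                rule["match"][opt] = (int(lo), int(hi or lo))
            elif opt == "--dports":
                rule["match"][opt] = {int(p) for p in arg.split(",")}
            elif opt == "--state":
                rule["match"][opt] = set(arg.split(","))
            else:
                raise ValueError(f"unsupported option {opt}")
            i += 2
        chains.setdefault(chain, []).append(rule)
    return chains


def rule_matches(m, pkt):
    """All matches present in the rule must hold; an absent match is a wildcard."""
    return (("-s" not in m or ipaddress.ip_address(pkt["src"]) in m["-s"])
            and ("-d" not in m or ipaddress.ip_address(pkt["dst"]) in m["-d"])
            and ("-p" not in m or pkt["proto"] == m["-p"])
            and ("--dport" not in m or m["--dport"][0] <= pkt["dport"] <= m["--dport"][1])
            and ("--sport" not in m or m["--sport"][0] <= pkt["sport"] <= m["--sport"][1])
            and ("--dports" not in m or pkt["dport"] in m["--dports"])
            and ("--state" not in m or pkt["state"] in m["--state"]))


def walk(chains, chain, pkt, trail):
    """Walk one chain; return a final verdict, or None meaning RETURN to the caller."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule["match"], pkt):
            continue
        tgt = rule["target"]
        trail.append(f"{chain} -> {tgt}")
        if tgt in TERMINAL:
            return tgt
        if tgt == "RETURN":
            return None
        if tgt != "LOG":  # LOG falls through; anything else is a user-defined chain
            v = walk(chains, tgt, pkt, trail)
            if v:
                return v
    return None  # end of a user chain: RETURN; end of INPUT: chain policy applies


def verdict(chains, pkt, policy="ACCEPT"):
    """Final INPUT verdict plus the chain/target trail that produced it."""
    trail = []
    return (walk(chains, "INPUT", pkt, trail) or f"policy {policy}"), trail


def pkt(src, dport, state, proto="tcp", sport=40000, dst=FIREWALL):
    """Build a constructed packet record; 'state' is what conntrack would report."""
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "state": state}


if __name__ == "__main__":
    chains = parse_rules(RULES)
    for p in (pkt("10.1.2.3", 22, "NEW"), pkt("10.1.2.3", 22, "ESTABLISHED"),
              pkt("10.1.2.3", 22, "INVALID"), pkt("172.16.0.5", 22, "NEW")):
        print(p["src"], p["dport"], p["state"], "=>", *verdict(chains, p))
```

Running it shows the same SSH segment from 10.1.2.3 being accepted when conntrack calls it NEW or ESTABLISHED but logged as "DENIED " and dropped when conntrack calls it INVALID, with no flag ever consulted. On the real box the equivalent check is `iptables -L INPUT -v -n` (are the packet counters on the RELATED,ESTABLISHED rule moving, or is everything landing on RULE_8?) together with the kernel's "DENIED " log lines, which print the TCP flags of each dropped packet, and `/proc/net/ip_conntrack`, which shows whether the connection was tracked at all.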
Copyright © 2004-2005 DeniX Solutions SRL
Powered by phpBB © 2001, 2005 phpBB Group