RE: lug-bg: iptables
- Subject: RE: lug-bg: iptables
- From: larry@xxxxxxxxxxxxxxxxxxxx (Kostadin Karaivanov)
- Date: Wed, 3 Jul 2002 11:14:06 +0300
Sorry, that's what happens when I haven't had my coffee yet....
As far as I can see, the entry in the log is from fp=UDP:2, whereas what you pasted
relates to
ICMP, which is a whole different story......
Take a look at the part of the script that handles UDP .......
Kostadin Karaivanov
Senior System Administrator @ Ministry Of Finance
tel: +359 2 98592062
larry@xxxxxxxxxxxxxxxxxxxx
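As an added illustration of the point in the reply above (this code is not from the thread or from anyone on the list), here is a small Python parser for kernel LOG lines in the format shown below: it separates the "fp=PROTO:N a=ACTION" prefix, which identifies the rule that fired, from the packet fields, so you can see that the dropped packet is NTP (UDP/123) and not ICMP. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format used in the thread (not real logs);
# the first mirrors the dropped NTP packet from the question, with private/test addresses.
SAMPLE_LOG = """\
Jul 3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56
Jul 3 08:44:02 firewall kernel: fp=ICMP:3 a=DROP IN=eth1 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=13 CODE=0
Jul 3 08:44:10 firewall kernel: fp=TCP:1 a=REJECT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 PROTO=TCP SPT=41500 DPT=80
"""

# The --log-prefix convention of the script: "fp=<PROTO>:<N> a=<ACTION> " before the packet fields.
LOG_RE = re.compile(r"kernel: fp=(?P<proto>[A-Z]+):(?P<rule>\d+) a=(?P<action>[A-Z]+) (?P<rest>.*)$")


def parse_log_line(line):
    """Parse one firewall LOG line into a dict; return None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"fp_proto": m.group("proto"), "rule": int(m.group("rule")),
           "action": m.group("action")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        if key in rec:          # the second LEN= is the UDP length; keep the IP LEN= as well
            key += "2"
        rec[key] = value
    return rec


def summarize_by_prefix(log_text):
    """Count hits per log prefix: the prefix, not PROTO=, says which part of the script fired."""
    counts = Counter()
    for rec in map(parse_log_line, log_text.splitlines()):
        if rec is not None:
            counts["fp=%s:%d a=%s" % (rec["fp_proto"], rec["rule"], rec["action"])] += 1
    return dict(counts)


def find_blocked_ntp(log_text):
    """Return (src, dst, prefix) for NTP (UDP/123) packets that were dropped or rejected."""
    hits = []
    for rec in map(parse_log_line, log_text.splitlines()):
        if rec is None or rec["action"] not in ("DROP", "REJECT"):
            continue
        if rec.get("PROTO") == "UDP" and rec.get("DPT") == "123":
            prefix = "fp=%s:%d a=%s" % (rec["fp_proto"], rec["rule"], rec["action"])
            hits.append((rec["SRC"], rec["DST"], prefix))
    return hits
```

Run against /var/log/messages (or wherever klogd writes) to see which prefix accounts for the NTP drops before touching any ICMP rule.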
-----Original Message-----
From: owner-lug-bg@xxxxxxxxxxxxxxxxxx
[mailto:owner-lug-bg@xxxxxxxxxxxxxxxxxx]On Behalf Of Qsin
Sent: Wednesday, July 03, 2002 08:52
To: lug-bg@xxxxxxxxxxxxxxxxxx
Subject: Re: lug-bg: iptables
Unfortunately, like Ivan Dobrinov, I am not very clear on
iptables either, so my question may also look very amateurish,
for which I apologize in advance, BUT:
When I try to synchronize the clock under Windows XP Pro, the following shows up
in the log:
Jul 3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1 SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56
and the clock does not get synchronized.
In iptables, regarding ICMP, there is the following:
[0:0] -A INPUT -s 192.168.xxx.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -d ! 192.168.xxx.0/255.255.255.0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable
I asked the person who did the configuration, but he could not
tell me
what is blocking the clock synchronization. Reading the page referenced below
(not that I understood much of it :)
I started wondering whether it is the ICMP filtering that is to blame for this problem.
I know that RTFM is the golden rule,
but honestly, at the moment I am a bit short on time, which is why I am asking
the question.
If the question is very dumb or annoys you, just don't answer, so that we don't
generate unnecessary and
pointless traffic.
Yavor Atanasov
P.S. I know I'm dumb even without you telling me :))))
----- Original Message -----
From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 03, 2002 1:29 AM
Subject: RE: lug-bg: iptables
> > Hmm, it's pretty silly to block ICMP packets, since they
> > carry a lot of valuable information. But since, in the good Unix tradition,
> > people give you enough rope to shoot yourself in the foot,
> > try this:
> Very well put. In my opinion you did not stress enough the fact that
> all ICMP must _NOT_ be filtered, for any reason whatsoever.
> http://boyan.ludost.net/papers/pmtu.html for more information.
>
> BR,
> Boyan
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================