Hello all.
Over the weekend, one of our servers pooped out (still looking into
WHY...) and we were forced to have Visi reboot the thing. After a
reboot, everything seemed to be working a-ok with one exception. Some
websites were completely unaccessible.
After briefly looking at logs, it seems that the IPTables firewall on
the machine was dropping incoming packets for port 80. I ran my script
to remove all the FW rules and completely open it up, and the site was
accessible again. I then ran the fw script and added all the rules back
again and it still worked. The fw should be set up to allow incoming
"NEW" connections from anyone on ports 80 and 443. Another rule allows
established connections as well. This leads me to believe that the
connection tracking somehow got messed up (although I'm not sure).
What I am wondering is:
1) what causes this?
2) how can i prevent this?
3) is there anything wrong with my script?
I use fwbuilder locally to manage the fw script. This tends to create a
somewhat complex iptables script, but I am familiar with it and it
should be working just fine. It's not too bad once you understand how it
decides to do things. If anyone wants a brief overview of the script to
help a little bit with my issue I'll gladly provide it. Does anyone have
any insight or tips to deal with this strange issue?
Here is my script:
===============================================================================
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v2.0.12-1
#
# Generated Mon Sep 18 16:52:34 2006 Central Daylight Time by mbditt
#
# files: * silverback.fw
#
#
#
#
#
#
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
#
# Prolog script
#
#
# End of prolog script
#
log() {
echo "$1"
test -x "$LOGGER" && $LOGGER -p info "$1"
}
va_num=1
add_addr() {
addr=$1
nm=$2
dev=$3
type=""
aadd=""
L=`$IP -4 link ls $dev | head -n1`
if test -n "$L"; then
OIFS=$IFS
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label
$dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr() {
dev=$1
name=$2
L=`$IP -4 addr show dev $dev | grep inet | grep -v :`
test -z "$L" && {
eval "$name=''"
return
}
OIFS=$IFS
IFS=" /"
set $L
eval "$name=$2"
IFS=$OIFS
}
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
LSMOD="/bin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IPTABLES_RESTORE="iptables-restore"
IP="/sbin/ip"
LOGGER="logger"
if $IP link ls >/dev/null 2>&1; then
echo;
else
echo "iproute not found"
exit 1
fi
INTERFACES="eth1 lo eth0 "
for i in $INTERFACES ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
$IP -4 neigh flush dev eth1 >/dev/null 2>&1
$IP -4 addr flush dev eth1 secondary label "eth1:FWB*" >/dev/null 2>&1
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack* | sed -n -e 's/\.ko$//p' -e
's/\.o$//p' -e 's/\.ko\.gz$//p' -e 's/\.o\.gz$//p')`
for module in $MODULES; do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
log 'Activating firewall script generated Mon Sep 18 16:52:34 2006 by
mbditt'
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
ip6tables -L -n > /dev/null 2>&1 && {
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
}
cat /proc/net/ip_tables_names | while read table; do
test "X$table" = "Xmangle" && continue
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (eth1)
#
echo "Rule 0 (eth1)"
#
#
#
$IPTABLES -A INPUT -i eth1 -s 63.87.118.237 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 63.87.118.237 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -o eth1 -s 63.87.118.237 -m state --state NEW
-j ACCEPT
#
# Rule 1 (eth1)
#
echo "Rule 1 (eth1)"
#
#
#
$IPTABLES -A INPUT -i eth1 -s 208.42.166.161 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth1 -s 208.42.166.162 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth1 -s 208.42.166.163 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth1 -s 208.42.166.164 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth1 -s 208.42.166.165 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth1 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 208.42.166.161 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 208.42.166.162 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 208.42.166.163 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 208.42.166.164 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 208.42.166.165 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 208.42.166.161 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 208.42.166.162 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 208.42.166.163 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 208.42.166.164 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 208.42.166.165 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
#
# Rule 2 (eth1)
#
echo "Rule 2 (eth1)"
#
#
#
$IPTABLES -N eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 218.25.62.92 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 69.226.3.135 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 207.54.140.114 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 202.131.224.36 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 203.131.100.37 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 219.154.95.4 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 213.80.123.21 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 207.176.226.30 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 210.244.225.13 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 12.110.109.8 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 193.255.156.236 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 211.233.15.187 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 210.9.92.124 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 61.131.98.198 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 69.64.50.175 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 212.50.21.10 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 211.234.125.141 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 210.13.41.1 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 163.16.187.253 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 125.251.116.2 -j eth1_In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 200.245.0.170 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 218.25.62.92 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 69.226.3.135 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 207.54.140.114 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 202.131.224.36 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 203.131.100.37 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 219.154.95.4 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 213.80.123.21 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 207.176.226.30 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 210.244.225.13 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 12.110.109.8 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 193.255.156.236 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 211.233.15.187 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 210.9.92.124 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 61.131.98.198 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 69.64.50.175 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 212.50.21.10 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 211.234.125.141 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 210.13.41.1 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 163.16.187.253 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 125.251.116.2 -j eth1_In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 200.245.0.170 -j eth1_In_RULE_2
$IPTABLES -A eth1_In_RULE_2 -j LOG --log-level info --log-prefix
"RULE 2 -- DENY "
$IPTABLES -A eth1_In_RULE_2 -j DROP
$IPTABLES -N eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 218.25.62.92 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 69.226.3.135 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 207.54.140.114 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 202.131.224.36 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 203.131.100.37 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 219.154.95.4 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 213.80.123.21 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 207.176.226.30 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 210.244.225.13 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 12.110.109.8 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 193.255.156.236 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 211.233.15.187 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 210.9.92.124 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 61.131.98.198 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 69.64.50.175 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 212.50.21.10 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 211.234.125.141 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 210.13.41.1 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 163.16.187.253 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 125.251.116.2 -j eth1_Out_RULE_2
$IPTABLES -A FORWARD -o eth1 -s 200.245.0.170 -j eth1_Out_RULE_2
$IPTABLES -A eth1_Out_RULE_2 -j LOG --log-level info --log-prefix
"RULE 2 -- DENY "
$IPTABLES -A eth1_Out_RULE_2 -j DROP
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
# Allow web service.
#
$IPTABLES -N Cid4411F136.0
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp -m multiport --dports
80,443 -m state --state NEW -j Cid4411F136.0
$IPTABLES -A Cid4411F136.0 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid4411F136.0 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid4411F136.0 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid4411F136.0 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid4411F136.0 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid4411F136.0 -d 10.60.100.18 -j ACCEPT
#
# Rule 4 (eth1)
#
echo "Rule 4 (eth1)"
#
#
#
$IPTABLES -N Cid4411DDEC.0
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state
NEW -j Cid4411DDEC.0
$IPTABLES -A Cid4411DDEC.0 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid4411DDEC.0 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid4411DDEC.0 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid4411DDEC.0 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid4411DDEC.0 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid4411DDEC.0 -d 10.60.100.18 -j ACCEPT
#
# Rule 5 (eth1)
#
echo "Rule 5 (eth1)"
#
# Allow DNS queries.
#
$IPTABLES -N Cid441AFEAF.0
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 53 -m state --state
NEW -j Cid441AFEAF.0
$IPTABLES -A INPUT -i eth1 -p udp -m udp --dport 53 -m state --state
NEW -j Cid441AFEAF.0
$IPTABLES -A Cid441AFEAF.0 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid441AFEAF.0 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid441AFEAF.0 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid441AFEAF.0 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid441AFEAF.0 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid441AFEAF.0 -d 10.60.100.18 -j ACCEPT
#
# Rule 6 (eth1)
#
echo "Rule 6 (eth1)"
#
# Allow Email
#
$IPTABLES -N Cid441B04DF.0
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp -m multiport --dports
143,25 -m state --state NEW -j Cid441B04DF.0
$IPTABLES -A Cid441B04DF.0 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid441B04DF.0 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid441B04DF.0 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid441B04DF.0 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid441B04DF.0 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid441B04DF.0 -d 10.60.100.18 -j ACCEPT
$IPTABLES -N Cid441B04DF.1
$IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp -m multiport --dports
143,25 -m state --state NEW -j Cid441B04DF.1
$IPTABLES -A Cid441B04DF.1 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid441B04DF.1 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid441B04DF.1 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid441B04DF.1 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid441B04DF.1 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid441B04DF.1 -d 10.60.100.18 -j ACCEPT
$IPTABLES -N Cid441B04DF.2
$IPTABLES -A FORWARD -o eth1 -p tcp -m tcp -m multiport --dports
143,25 -m state --state NEW -j Cid441B04DF.2
$IPTABLES -A Cid441B04DF.2 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid441B04DF.2 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid441B04DF.2 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid441B04DF.2 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid441B04DF.2 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid441B04DF.2 -d 10.60.100.18 -j ACCEPT
#
# Rule 7 (eth1)
#
echo "Rule 7 (eth1)"
#
# Allow Pings
#
$IPTABLES -N Cid4509C13E.0
$IPTABLES -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8/0 -m state
--state NEW -j Cid4509C13E.0
$IPTABLES -A Cid4509C13E.0 -d 208.42.166.161 -j ACCEPT
$IPTABLES -A Cid4509C13E.0 -d 208.42.166.162 -j ACCEPT
$IPTABLES -A Cid4509C13E.0 -d 208.42.166.163 -j ACCEPT
$IPTABLES -A Cid4509C13E.0 -d 208.42.166.164 -j ACCEPT
$IPTABLES -A Cid4509C13E.0 -d 208.42.166.165 -j ACCEPT
$IPTABLES -A Cid4509C13E.0 -d 10.60.100.18 -j ACCEPT
#
# Rule 0 (lo)
#
echo "Rule 0 (lo)"
#
#
#
$IPTABLES -A INPUT -i lo -s 208.42.166.161 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i lo -s 208.42.166.162 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i lo -s 208.42.166.163 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i lo -s 208.42.166.164 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i lo -s 208.42.166.165 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i lo -s 10.60.100.18 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i lo -s 208.42.166.161 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i lo -s 208.42.166.162 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i lo -s 208.42.166.163 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i lo -s 208.42.166.164 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i lo -s 208.42.166.165 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i lo -s 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i lo -s 10.60.100.18 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 208.42.166.161 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 208.42.166.162 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 208.42.166.163 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 208.42.166.164 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 208.42.166.165 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 10.60.100.18 -m state --state NEW -j
ACCEPT
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
#
#
$IPTABLES -N Cid448ED21F.0
$IPTABLES -A INPUT -i eth0 -d 10.60.100.18 -m state --state NEW -j
Cid448ED21F.0
$IPTABLES -A Cid448ED21F.0 -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A Cid448ED21F.0 -p tcp -m tcp --dport 873 -j ACCEPT
#
# Rule 2 (eth0)
#
echo "Rule 2 (eth0)"
#
#
#
$IPTABLES -A INPUT -i eth0 -s 208.42.166.161 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth0 -s 208.42.166.162 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth0 -s 208.42.166.163 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth0 -s 208.42.166.164 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth0 -s 208.42.166.165 -m state --state NEW -j
ACCEPT
$IPTABLES -A INPUT -i eth0 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 208.42.166.161 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 208.42.166.162 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 208.42.166.163 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 208.42.166.164 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 208.42.166.165 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 208.42.166.161 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 208.42.166.162 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 208.42.166.163 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 208.42.166.164 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 208.42.166.165 -m state --state NEW
-j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s 10.60.100.18 -m state --state NEW -j
ACCEPT
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
#
#
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 139 -j DROP
$IPTABLES -A OUTPUT -p udp -m udp -m multiport --dports 138,137,68,67
-j DROP
$IPTABLES -A INPUT -p tcp -m tcp --dport 139 -j DROP
$IPTABLES -A INPUT -p udp -m udp -m multiport --dports 138,137,68,67
-j DROP
$IPTABLES -A FORWARD -p tcp -m tcp --dport 139 -j DROP
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports
138,137,68,67 -j DROP
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
#
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -j RULE_1
$IPTABLES -A INPUT -j RULE_1
$IPTABLES -A FORWARD -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A RULE_1 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Epilog script
#
# End of epilog script
#
===============================================================================
Matt Dittbenner