iptables messaggio sul log

Bruno Aleci brunoaleci a virgilio.it
Gio 27 Maggio 2004 12:37:52 UTC


ciao a tutti

nel log c'è una voce molto strana

IPT INPUT packet died: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:08:0d:06:4f:05:08:00 SRC=192.168.100.15 
DST=192.168.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=43380 PROTO=UDP 
SPT=137 DPT=137 LEN=58

questa è la mia configurazione del firewall

# Generated by iptables-save v1.2.9 on Thu May 27 14:33:56 2004
# filter table. INPUT, FORWARD and OUTPUT all have policy ACCEPT, so a packet
# that matches no rule below is still accepted when it reaches the end of its
# chain. The five user chains (policy "-") return to the caller when nothing
# in them matches.
*filter
:INPUT ACCEPT [192:15249]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
# --- INPUT: traffic addressed to the firewall host itself ---
# Broadcasts to 192.168.100.255 are accepted only when they arrive on eth1.
-A INPUT -d 192.168.100.255 -i eth1 -j ACCEPT
# NOTE(review): "-s 192.168.100.0" carries no mask, so it matches the single
# address 192.168.100.0 only; if the whole LAN was meant it needs a /24 mask.
# The same applies to the lo rule and the OUTPUT rule that use this source.
-A INPUT -s 192.168.100.0 -d 192.168.100.150 -p tcp -m tcp -j ACCEPT
# All ICMP is accepted here, on every interface.
-A INPUT -p icmp -j ACCEPT
# Any TCP or UDP arriving on eth1 is accepted.
-A INPUT -i eth1 -p tcp -m tcp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -j ACCEPT
# "indirizzo brocastpub" and "ip pubblico" look like the poster's redaction
# placeholders (public broadcast address / public IP), not literal values.
-A INPUT -s indirizzo brocastpub -i eth0 -j ACCEPT
-A INPUT -d ip pubblico -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.100.0 -i lo -j ACCEPT
-A INPUT -s ip pubblico -i lo -j ACCEPT
# Remaining TCP goes through bad_tcp_packets; eth0 TCP then goes to
# tcp_packets and eth0 UDP to udpincoming_packets.
-A INPUT -p tcp -m tcp -j bad_tcp_packets
-A INPUT -i eth0 -p tcp -m tcp -j tcp_packets
-A INPUT -i eth0 -p udp -m udp -j udpincoming_packets
# Catch-all log, limited to 3 entries per second. LOG does not end rule
# traversal and the chain policy is ACCEPT, so a packet logged as
# "packet died" is accepted afterwards, not dropped.
# The logged packet in this post (IN=eth0, UDP 137 -> 137, DST=192.168.100.255)
# ends up here: the broadcast ACCEPT above is eth1-only and
# udpincoming_packets drops only source ports 2074 and 4000.
# NOTE(review): worth checking why a 192.168.100.x source shows up on eth0,
# which the nat table treats as the outside interface.
-A INPUT -m limit --limit 3/sec --limit-burst 3 -j LOG --log-prefix "IPT 
INPUT packet died: " --log-level 7
# --- FORWARD: traffic routed through the firewall ---
-A FORWARD -p tcp -m tcp -j bad_tcp_packets
# Everything entering on eth1 or eth0 is forwarded. With both interfaces
# accepted, the state rule and the LOG rule below are reached only by packets
# from other interfaces.
# NOTE(review): accepting all of eth0 means inbound forwarding from the outside
# interface is filtered only by bad_tcp_packets (TCP only) — confirm intended.
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/sec --limit-burst 3 -j LOG --log-prefix 
"IPT FORWARD packet died: " --log-level 7
# --- OUTPUT: traffic generated by the firewall host ---
# All TCP, UDP and ICMP is accepted; anything else is logged (3 per minute)
# and then accepted by the chain policy.
-A OUTPUT -s 192.168.100.0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s ip pubblico -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix 
"IPT OUTPUT packet died: " --log-level 7
# --- allowed: accept TCP with SYN set and RST/ACK clear, accept packets of
# RELATED/ESTABLISHED connections, drop every other TCP packet ---
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -m tcp -j DROP
# --- bad_tcp_packets: log, then drop, TCP packets in state NEW that are not
# SYN-only; drop RFC 1918 source addresses arriving on eth0 ---
# This chain is entered only through "-p tcp" jumps, so the source-address
# drops cover TCP only; UDP with a private source on eth0 (as in the logged
# packet) never reaches them.
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state 
--state NEW -j LOG --log-prefix "IPT New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state 
--state NEW -j DROP
-A bad_tcp_packets -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A bad_tcp_packets -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A bad_tcp_packets -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
# --- icmp_packets: no rule in this dump jumps to this chain; INPUT accepts
# all ICMP directly. The first rule accepts every ICMP type except 8 (echo
# request), which already includes type 11 from the second rule ---
-A icmp_packets -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
# --- tcp_packets: entered from INPUT for TCP arriving on eth0 ---
# Only ports 113 and 25 are dropped. A port not listed here returns to INPUT,
# is logged, and is then accepted by the INPUT policy.
# NOTE(review): the nat table DNATs 80, 2121 and the multiport list to internal
# hosts; DNATed packets traverse FORWARD, not INPUT, so these per-port rules
# presumably do not filter that traffic — confirm.
-A tcp_packets -p tcp -m tcp -m multiport --dports 21,20 -j allowed
-A tcp_packets -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_packets -p tcp -m tcp -m multiport --dports 80,2121 -j allowed
-A tcp_packets -i eth0 -p tcp -m tcp --dport 113 -j DROP
-A tcp_packets -i eth0 -p tcp -m tcp --dport 25 -j DROP
-A tcp_packets -p tcp -m tcp --dport 10000 -j allowed
-A tcp_packets -p tcp -m tcp --dport 443 -j allowed
# The list below includes 23 (telnet, a cleartext protocol).
-A tcp_packets -p tcp -m tcp -m multiport --dports 
23,8476,8470,8475,8473,8471,449 -j allowed
# --- udpincoming_packets: drops eth0 UDP with source port 2074 or 4000;
# all other UDP returns to INPUT ---
-A udpincoming_packets -i eth0 -p udp -m udp --sport 2074 -j DROP
-A udpincoming_packets -i eth0 -p udp -m udp --sport 4000 -j DROP
COMMIT
# Completed on Thu May 27 14:33:56 2004
# Generated by iptables-save v1.2.9 on Thu May 27 14:33:56 2004
# mangle table: no rules, only the built-in chains with policy ACCEPT and
# their [packets:bytes] counters.
*mangle
:PREROUTING ACCEPT [4293:1099667]
:INPUT ACCEPT [800:65156]
:FORWARD ACCEPT [3493:1034511]
:OUTPUT ACCEPT [608:203168]
:POSTROUTING ACCEPT [4101:1237679]
COMMIT
# Completed on Thu May 27 14:33:56 2004
# Generated by iptables-save v1.2.9 on Thu May 27 14:33:56 2004
# nat table: port forwards from eth0 to two internal hosts, plus source NAT
# for everything leaving through eth0.
*nat
:PREROUTING ACCEPT [112:8353]
:POSTROUTING ACCEPT [6:324]
:OUTPUT ACCEPT [0:0]
# TCP 80 and 2121 arriving on eth0 are redirected to 192.168.100.100.
# The rewritten packets are then routed and pass the filter table's FORWARD
# chain, which in this dump accepts everything entering on eth0.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 
192.168.100.100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2121 -j DNAT 
--to-destination 192.168.100.100
# The listed TCP ports (including 23, 21 and 20) are redirected to
# 192.168.100.201.
-A PREROUTING -i eth0 -p tcp -m tcp -m multiport --dports 
23,8476,8470,8475,8473,21,20,8471,449 -j DNAT --to-destination 
192.168.100.201
# All traffic leaving via eth0 gets its source rewritten; X.X.X.X appears to
# be the poster's redaction of the public address.
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
COMMIT
# Completed on Thu May 27 14:33:56 2004



