[Dshield] IPTables filter chains help - Just noticed that perhaps I'm not logging port 135

Brenden Walker BKWalker at DRBSystems.com
Thu Aug 14 18:48:57 GMT 2003


Whoops.. Time to re-evaluate my IPTables filtering/NAT'ing.. Any help would
be greatly appreciated.

After making sure modules are loaded, and setting flags in proc/sys/net, I
do the following:


echo "   clearing any existing rules and setting default policy.."
# Flush the built-in chains and set their default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# DUMP: user-defined chain that logs TCP and UDP, then drops everything sent to it
$IPTABLES -N DUMP
$IPTABLES -F DUMP
$IPTABLES -A DUMP -p tcp -j LOG
$IPTABLES -A DUMP -p udp -j LOG
$IPTABLES -A DUMP -j DROP

<selected opened ports, http, ssh, citrix (to specific servers) etc.>

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# Replies to connections the LAN opened are allowed back in; anything LAN -> outside is allowed out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Whatever is left is logged; the FORWARD policy (DROP) then discards it
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

-- Now, after looking that over, what I think I need to do is change the
policy on INPUT to DUMP, but I'm not 100% sure how that'll affect the clients
behind me.. I suppose I could try, but I thought I'd ask folks here.

As I wasn't specifically DUMP'ing 135, that would explain why I saw no hits
on it.. I would prefer to dump everything (i.e. log to the kernel log so Dshield
gets the information) rather than just the things I've specifically dumped.
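Added example, not part of the original post: a rule set that does what the message asks for (log every packet the firewall does not explicitly accept, port 135 included) without touching the FORWARD path. Two netfilter facts drive the layout. First, `iptables -P` only takes built-in targets (ACCEPT, DROP), so a user-defined chain such as DUMP cannot be installed as the INPUT policy; it has to be reached through an explicit `-j DUMP` as the last rule, with the policy itself set to DROP as a backstop. Second, packets forwarded for the NAT'ed clients traverse FORWARD and the nat table, never INPUT, so a stricter INPUT chain only affects connections to the firewall box itself. The interface names, the open-port list and the `DUMP: ` log prefix are assumptions; with no IPTABLES variable set, the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post). Default-deny INPUT whose last
# rule hands everything unmatched to a log-and-drop chain, so every
# unsolicited packet (port 135 included) shows up in the kernel log.
# Dry run by default; run as root with IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-eth0}"   # assumed: outside interface
INTIF="${INTIF:-eth1}"   # assumed: LAN interface

reset_tables() {
    # -P accepts only built-in targets, so the policy is DROP and the
    # DUMP chain is reached through an explicit jump (see build_input_rules).
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
}

build_dump_chain() {
    # LOG is non-terminating, so the DROP after it still runs. The prefix
    # (assumed name) makes the lines easy to pick out of the kernel log.
    $IPTABLES -N DUMP 2>/dev/null
    $IPTABLES -F DUMP
    $IPTABLES -A DUMP -j LOG --log-prefix "DUMP: "
    $IPTABLES -A DUMP -j DROP
}

build_input_rules() {
    # Loopback, plus replies to connections the firewall itself opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services reachable from outside (assumed list: ssh, http).
    for port in 22 80; do
        $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport "$port" -j ACCEPT
    done
    # Hosts on the LAN side may talk to the firewall box directly.
    $IPTABLES -A INPUT -i "$INTIF" -j ACCEPT
    # Everything else is logged and dropped. This must stay the last rule.
    $IPTABLES -A INPUT -j DUMP
}

build_forward_rules() {
    # Same NAT setup as the original post: LAN out freely, replies back in.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # Unsolicited forwarded traffic is logged and dropped the same way.
    $IPTABLES -A FORWARD -j DUMP
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

apply_all() {
    reset_tables
    build_dump_chain
    build_input_rules
    build_forward_rules
}

apply_all
```

After applying it for real, `iptables -L INPUT -n -v --line-numbers` should show the `DUMP` jump as the final INPUT rule, and `/var/log/messages` (or `dmesg`) should start carrying `DUMP:` lines with `DPT=135` whenever a probe arrives. On a busy link an unbounded LOG rule can flood syslog; `-m limit` on the LOG rule fixes that, at the cost of entries Dshield will never see, so decide which matters more before adding it.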



