- Offline.....
- IP R
- -------
- root@slackware:/etc/shorewall# ip r
- 80.74.157.215 via 192.168.1.1 dev eth0
- 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.8 metric 202
- 10.203.0.0/16 dev tun0 proto kernel scope link src 10.203.0.228
- 127.0.0.0/8 dev lo scope link
- 0.0.0.0/1 via 10.203.0.1 dev tun0
- 128.0.0.0/1 via 10.203.0.1 dev tun0
- default via 192.168.1.1 dev eth0 metric 202
- IFCONFIG
- -----------
- root@slackware:/etc/shorewall# ifconfig
- eth0 Link encap:Ethernet HWaddr 00:07:03:1B:D2:1D
- inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0
- inet6 addr: fe80::207:3ff:fe1b:d21d/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:121577 errors:0 dropped:0 overruns:0 frame:0
- TX packets:77160 errors:0 dropped:0 overruns:0 carrier:1
- collisions:0 txqueuelen:1000
- RX bytes:163289735 (155.7 Mb) TX bytes:13798270 (13.1 Mb)
- Interrupt:41
- lo Link encap:Local Loopback
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope:Host
- UP LOOPBACK RUNNING MTU:16436 Metric:1
- RX packets:65 errors:0 dropped:0 overruns:0 frame:0
- TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:6628 (6.4 Kb) TX bytes:6628 (6.4 Kb)
- tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
- inet addr:10.203.0.228 P-t-P:10.203.0.228 Mask:255.255.0.0
- UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
- RX packets:117631 errors:0 dropped:0 overruns:0 frame:0
- TX packets:73583 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:100
- RX bytes:151584576 (144.5 Mb) TX bytes:6783662 (6.4 Mb)
- wlan0 Link encap:Ethernet HWaddr 0C:60:76:51:82:C2
- UP BROADCAST MULTICAST MTU:1500 Metric:1
- RX packets:0 errors:0 dropped:0 overruns:0 frame:0
- TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
- IPTABLES-SAVE
- ---------------
- # Generated by iptables-save v1.4.10 on Thu Jul 21 14:37:52 2011
- # nat table: only the four built-in chains, all ACCEPT, and no rules at all.
- # This host does no masquerading and no port forwarding, so whatever it
- # forwards (very little, see the filter table) keeps its original addresses.
- *nat
- :PREROUTING ACCEPT [5:528]
- :INPUT ACCEPT [1:328]
- :OUTPUT ACCEPT [323:20127]
- :POSTROUTING ACCEPT [323:20127]
- COMMIT
- # Completed on Thu Jul 21 14:37:52 2011
- # Generated by iptables-save v1.4.10 on Thu Jul 21 14:37:52 2011
- # raw table: no NOTRACK/CT rules, so nothing is exempted from connection
- # tracking; the --ctstate matches in the filter table rely on that.
- *raw
- :PREROUTING ACCEPT [5395:4161995]
- :OUTPUT ACCEPT [5433:1031313]
- COMMIT
- # Completed on Thu Jul 21 14:37:52 2011
- # Generated by iptables-save v1.4.10 on Thu Jul 21 14:37:52 2011
- # mangle table: presumably Shorewall's traffic-control hooks (tcpre/tcin/
- # tcfor/tcout/tcpost). All five tc* chains are declared but have no rules,
- # so every jump into them is a no-op. The only rule with an effect is the
- # MARK on FORWARD, which zeroes the low byte of the fwmark.
- *mangle
- :PREROUTING ACCEPT [5395:4161995]
- :INPUT ACCEPT [5391:4161795]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [5433:1031313]
- :POSTROUTING ACCEPT [5433:1031313]
- :tcfor - [0:0]
- :tcin - [0:0]
- :tcout - [0:0]
- :tcpost - [0:0]
- :tcpre - [0:0]
- -A PREROUTING -j tcpre
- -A INPUT -j tcin
- # --set-xmark 0x0/0xff: clear the bits under mask 0xff, leave the rest of the mark alone.
- -A FORWARD -j MARK --set-xmark 0x0/0xff
- -A FORWARD -j tcfor
- -A OUTPUT -j tcout
- -A POSTROUTING -j tcpost
- COMMIT
- # Completed on Thu Jul 21 14:37:52 2011
- # Generated by iptables-save v1.4.10 on Thu Jul 21 14:37:52 2011
- # filter table, Shorewall-generated (cwd /etc/shorewall in the prompt above,
- # "Shorewall:" log prefixes). Two zones are visible besides the firewall
- # itself: "net" on eth0 and wlan0, "vpn" on tun0 and tap0. All three
- # built-in chains have a DROP policy, but each also ends in an explicit
- # Reject -> ULOG -> reject run, so the policy only catches what those miss.
- #
- # What is allowed, per zone pair:
- #   fw  -> net, vpn       : everything (fw2net / fw2vpn end in a bare ACCEPT)
- #   net -> fw             : RELATED,ESTABLISHED and DHCP (udp 67:68) only;
- #                           the rest is dropped, logged "net2fw:DROP"
- #   vpn -> fw             : RELATED,ESTABLISHED only; the rest is rejected,
- #                           logged "vpn2fw:REJECT"
- #   net <-> vpn (forward) : dropped (net2vpn) / rejected (vpn2net), logged
- #   net <-> net (eth0/wlan0 forward) : no rule matches in net_frwd, so it
- #                           falls back to FORWARD and is rejected + logged
- #
- # NOTE(review): the ULOG target needs the ipt_ULOG module, which later
- # kernels no longer provide (NFLOG replaced it); current Shorewall emits
- # NFLOG for the same log rules.
- # NOTE(review): nothing in this table blocks the host's own VPN traffic:
- # OUTPUT -o tun0 is accepted unconditionally and replies come back through
- # vpn2fw's RELATED,ESTABLISHED rule. If the box is "offline" with the tunnel
- # up, the routing table above (0.0.0.0/1 and 128.0.0.0/1 via tun0, the VPN
- # endpoint /32 via eth0) and DNS are the first things to check, not this.
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT DROP [0:0]
- :Drop - [0:0]
- :Reject - [0:0]
- :dropBcast - [0:0]
- :dropInvalid - [0:0]
- :dropNotSyn - [0:0]
- # dynamic: declared but never populated below; every "-j dynamic" is a
- # no-op (presumably Shorewall's dynamic-blacklist hook).
- :dynamic - [0:0]
- :eth0_fwd - [0:0]
- :eth0_in - [0:0]
- :fw2net - [0:0]
- :fw2vpn - [0:0]
- :logdrop - [0:0]
- :logflags - [0:0]
- :logreject - [0:0]
- :net2fw - [0:0]
- :net2vpn - [0:0]
- :net_frwd - [0:0]
- :reject - [0:0]
- :sfilter - [0:0]
- :shorewall - [0:0]
- :smurflog - [0:0]
- :smurfs - [0:0]
- :tcpflags - [0:0]
- :vpn2fw - [0:0]
- :vpn2net - [0:0]
- :vpn_frwd - [0:0]
- :wlan0_fwd - [0:0]
- :wlan0_in - [0:0]
- # INPUT: dispatch on the ingress interface; loopback is trusted. Whatever
- # returns from a per-interface chain is filtered for noise (Reject), then
- # logged, then answered with an error by the reject chain.
- -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
- -A INPUT -i eth0 -j eth0_in
- -A INPUT -i wlan0 -j wlan0_in
- -A INPUT -i tun0 -j vpn2fw
- -A INPUT -i tap0 -j vpn2fw
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j Reject
- -A INPUT -j ULOG --ulog-prefix "Shorewall:INPUT:REJECT:"
- -A INPUT -g reject
- # FORWARD: same shape. Note there is no accept anywhere for eth0 <-> wlan0,
- # so net -> net forwarding ends in the Reject/ULOG/reject run here.
- -A FORWARD -i eth0 -j eth0_fwd
- -A FORWARD -i wlan0 -j wlan0_fwd
- -A FORWARD -i tun0 -j vpn_frwd
- -A FORWARD -i tap0 -j vpn_frwd
- -A FORWARD -j Reject
- -A FORWARD -j ULOG --ulog-prefix "Shorewall:FORWARD:REJECT:"
- -A FORWARD -g reject
- # OUTPUT: the host's own traffic; fw2net and fw2vpn accept everything, so
- # only packets leaving on an interface not listed here reach the reject.
- -A OUTPUT -o eth0 -j fw2net
- -A OUTPUT -o wlan0 -j fw2net
- -A OUTPUT -o tun0 -j fw2vpn
- -A OUTPUT -o tap0 -j fw2vpn
- -A OUTPUT -o lo -j ACCEPT
- -A OUTPUT -j Reject
- -A OUTPUT -j ULOG --ulog-prefix "Shorewall:OUTPUT:REJECT:"
- -A OUTPUT -g reject
- # Drop / Reject: Shorewall's standard "silent noise" actions, run before the
- # logged policy so SMB/NetBIOS, UPnP, ident and late DNS replies do not
- # flood the log. The two chains are identical except that the SMB rules
- # DROP in one and reject in the other. The bare "-A Drop" / "-A Reject"
- # entries have neither a match nor a target: they only count packets.
- -A Drop
- # ident (113) is rejected rather than dropped so a remote ident lookup fails
- # fast (TCP RST from the reject chain) instead of timing out.
- -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
- -A Drop -j dropBcast
- # ICMP type 3 code 4 (fragmentation needed, needed for path-MTU discovery)
- # and type 11 (time exceeded, traceroute) are accepted even on the drop path.
- -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Drop -j dropInvalid
- # SMB/NetBIOS (135,137-139,445) and UPnP/SSDP (1900): dropped unlogged.
- -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
- -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
- -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
- -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
- -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
- # TCP that is not a pure SYN (stray ACK/FIN/RST with no tracked flow) and
- # DNS replies that arrive late (per the rule's own comment) are dropped
- # without logging.
- -A Drop -p tcp -j dropNotSyn
- -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
- -A Reject
- -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
- -A Reject -j dropBcast
- -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
- -A Reject -j dropInvalid
- -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
- -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
- -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
- -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
- -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
- -A Reject -p tcp -j dropNotSyn
- -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
- # dropBcast: broadcast and multicast (224/4) destinations, silently.
- -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
- -A dropBcast -d 224.0.0.0/4 -j DROP
- -A dropInvalid -m conntrack --ctstate INVALID -j DROP
- # dropNotSyn: any TCP segment whose FIN/SYN/RST/ACK bits are not exactly SYN.
- -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- # eth0_fwd / wlan0_fwd: a packet going back out the interface it came in on
- # is logged and dropped by sfilter (goto, so no return). Otherwise anti-smurf
- # and TCP-flag sanity checks on new flows, then net_frwd.
- -A eth0_fwd -o eth0 -g sfilter
- -A eth0_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
- -A eth0_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
- -A eth0_fwd -p tcp -j tcpflags
- -A eth0_fwd -j net_frwd
- # eth0_in / wlan0_in: DHCP (udp dport 67 or 68) is accepted from any source
- # before the zone policy is consulted; everything else goes to net2fw.
- -A eth0_in -m conntrack --ctstate INVALID,NEW -j dynamic
- -A eth0_in -m conntrack --ctstate INVALID,NEW -j smurfs
- -A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
- -A eth0_in -p tcp -j tcpflags
- -A eth0_in -j net2fw
- # fw2net / fw2vpn: NOTE(review) the trailing unconditional ACCEPT means the
- # host's own outbound traffic is not filtered at all, on wlan0 included; the
- # RELATED,ESTABLISHED rule before it is only a fast path. Tighten here if an
- # egress policy is wanted.
- -A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
- -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A fw2net -j ACCEPT
- -A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A fw2vpn -j ACCEPT
- # logdrop / logflags / logreject: terminal helpers; only logflags logs first.
- -A logdrop -j DROP
- -A logflags -j ULOG --ulog-prefix "Shorewall:logflags:DROP:"
- -A logflags -j DROP
- -A logreject -j reject
- # net2fw: no service is exposed to the net zone. Port 113 is DROPped here
- # before the Drop action could reject it, so ident probes from the net time
- # out rather than fail fast. Everything that is not noise is logged, then
- # dropped.
- -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A net2fw -p tcp -m tcp --dport 113 -j DROP
- -A net2fw -j Drop
- -A net2fw -j ULOG --ulog-prefix "Shorewall:net2fw:DROP:"
- -A net2fw -j DROP
- # net2vpn / vpn2net: no new flows are forwarded between the zones in either
- # direction; only replies to already-tracked flows pass, and nothing in this
- # table creates such a flow across them.
- -A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A net2vpn -j Drop
- -A net2vpn -j ULOG --ulog-prefix "Shorewall:net2vpn:DROP:"
- -A net2vpn -j DROP
- # net_frwd only dispatches toward the vpn interfaces; net -> net traffic
- # falls through, returns to FORWARD and is rejected there.
- -A net_frwd -o tun0 -j net2vpn
- -A net_frwd -o tap0 -j net2vpn
- # reject: never answer broadcast/multicast/IGMP sources (silent DROP, so no
- # ICMP errors are bounced to them); TCP gets a RST, UDP port-unreachable,
- # ICMP host-unreachable, anything else host-prohibited.
- -A reject -m addrtype --src-type BROADCAST -j DROP
- -A reject -s 224.0.0.0/4 -j DROP
- -A reject -p igmp -j DROP
- -A reject -p tcp -j REJECT --reject-with tcp-reset
- -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
- -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
- -A reject -j REJECT --reject-with icmp-host-prohibited
- # sfilter: logged drop for hairpin forwarding (same interface in and out).
- -A sfilter -j ULOG --ulog-prefix "Shorewall:sfilter:DROP:"
- -A sfilter -j DROP
- -A smurflog -j ULOG --ulog-prefix "Shorewall:smurfs:DROP:"
- -A smurflog -j DROP
- # smurfs: a 0.0.0.0 source (e.g. a DHCP client with no address yet) is let
- # through; a broadcast or multicast source address is logged and dropped.
- -A smurfs -s 0.0.0.0/32 -j RETURN
- -A smurfs -m addrtype --src-type BROADCAST -g smurflog
- -A smurfs -s 224.0.0.0/4 -g smurflog
- # tcpflags: impossible flag combinations (XMAS FIN+PSH+URG, NULL, SYN+RST,
- # SYN+FIN) and a SYN from source port 0 are logged and dropped.
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
- -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
- -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
- # vpn2fw: the vpn zone is treated as untrusted; only replies to the host's
- # own connections are accepted, the rest is rejected and logged.
- -A vpn2fw -m conntrack --ctstate INVALID,NEW -j dynamic
- -A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A vpn2fw -j Reject
- -A vpn2fw -j ULOG --ulog-prefix "Shorewall:vpn2fw:REJECT:"
- -A vpn2fw -g reject
- -A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A vpn2net -j Reject
- -A vpn2net -j ULOG --ulog-prefix "Shorewall:vpn2net:REJECT:"
- -A vpn2net -g reject
- # vpn_frwd: NOTE(review) the "-o tun0" / "-o tap0" goto-sfilter rules come
- # first and sfilter ends in DROP, so the two trailing "-o tun0 -j ACCEPT" /
- # "-o tap0 -j ACCEPT" rules can never match. They are dead; presumably the
- # generator's intra-zone allow for a two-interface zone without routeback.
- -A vpn_frwd -o tun0 -g sfilter
- -A vpn_frwd -o tap0 -g sfilter
- -A vpn_frwd -m conntrack --ctstate INVALID,NEW -j dynamic
- -A vpn_frwd -o eth0 -j vpn2net
- -A vpn_frwd -o wlan0 -j vpn2net
- -A vpn_frwd -o tun0 -j ACCEPT
- -A vpn_frwd -o tap0 -j ACCEPT
- # wlan0_fwd / wlan0_in: mirror of the eth0 chains (wlan0 has no address in
- # the ifconfig output above, so these see no traffic right now).
- -A wlan0_fwd -o wlan0 -g sfilter
- -A wlan0_fwd -m conntrack --ctstate INVALID,NEW -j dynamic
- -A wlan0_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
- -A wlan0_fwd -p tcp -j tcpflags
- -A wlan0_fwd -j net_frwd
- -A wlan0_in -m conntrack --ctstate INVALID,NEW -j dynamic
- -A wlan0_in -m conntrack --ctstate INVALID,NEW -j smurfs
- -A wlan0_in -p udp -m udp --dport 67:68 -j ACCEPT
- -A wlan0_in -p tcp -j tcpflags
- -A wlan0_in -j net2fw
- COMMIT
- # Completed on Thu Jul 21 14:37:52 2011