lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 4:36 pm Post subject: Are these IPTABLES OK???
I've been suffering from dropouts & super bad bandwidth lately.
My ISP claims the problem is not on their side.
I'm behind a Tomato router and didn't alter anything there.
Here are the iptables:
Code: |
#!/bin/bash
# vars
IPT=/sbin/iptables
# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT
echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT
echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP
#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
|
Cheers! _________________ lo-jay
The mechanic "One of 'em Dodge Chargers - let him go by."
The driver "Not today!"
taken from "Two Lane Blacktop" |
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 18, 2014 6:24 pm
Two of your rules should be in *this* order:
Code: | # Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
You screwed up the copy-paste; some of the rules at the top of your script are duplicated.
litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Sat Jan 18, 2014 7:10 pm
I think this could possibly result in very big log files if something goes wrong:
Code: | $IPT -A INPUT -j LOG |
Maybe you want to limit it a bit:
Code: | $IPT -A INPUT -m limit --limit 1/sec -j LOG |
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 7:37 pm
OK, now it looks like this:
Code: |
#!/bin/bash
# vars
IPT=/sbin/iptables
# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT
echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT
echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# DROP everything else and Log it
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP
#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
|
Any more stuff wrong? Please bring it on, guys!
cheers! _________________ lo-jay
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 7:50 pm
But I'm getting an error now?
Code: | # /root/rules.sh
* flushing old rules
* setting default policies
* allowing loopback devices
* allowing ssh on port 22
* allowing dns on port 53
* allowing http on port 80
* allowing https on port 443
* allowing udp on port 1194
* allowing udp on port 10010
* allowing udp on port 10020
* allowing ping responses
iptables: No chain/target/match by that name.
* saving settings
* Saving iptables state ...
|
Code: | # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10010 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10020 state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10010 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10020 state NEW
|
Any insights?
cheers!!! _________________ lo-jay
litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Sat Jan 18, 2014 8:19 pm
The logging rule is failing, which means you don't have the limit match.
Check if you have support in the iptables command-line tool with:
Code: | # iptables -m limit -h
[...]
limit match options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5
|
and check if you have the kernel module:
Code: | # lsmod | grep xt_limit
xt_limit 1857 14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
|
By the way, you have to consider that while limiting the LOG target might prevent log file flooding, it might also miss some packets which might be interesting to you.
If you don't want to miss some specific packets, you should log them separately, e.g.:
Code: | $IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -m limit --limit 1/sec -j LOG --log-prefix "ssh: "
$IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -j DROP
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP
|
Edit: added --log-prefix
Last edited by litan on Sat Jan 18, 2014 8:26 pm; edited 1 time in total
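Added example, not litan's or lo-jay's code, putting the two points of the post above into one script: check whether the limit match is usable before relying on it, and give the packets you actually care about (here SSH attempts from anywhere but one admin host) their own prefixed, separately limited log rule so the general rate limit cannot swallow them. It assumes that SSH from TRUSTED_HOST is already accepted earlier in the chain, so these tail rules only ever see the rest. IPT defaults to a dry run that just prints the commands, and TRUSTED_HOST is a constructed placeholder address; both are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: IPT prints the
# commands instead of applying them. Run as root with IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"
# Constructed placeholder (TEST-NET-1); put your admin box's address here.
TRUSTED_HOST="${TRUSTED_HOST:-192.0.2.10}"

# Userspace side of the check litan describes: does this iptables know
# "-m limit"? (The kernel side, xt_limit, is what lsmod shows.) Returns 1
# when iptables is not installed at all, e.g. on a build box.
has_limit_match() {
    command -v iptables >/dev/null 2>&1 && iptables -m limit -h >/dev/null 2>&1
}

# Emit the tail of the INPUT chain. $1 is "yes" or "no": whether "-m limit"
# may be used. Callers normally pass the result of has_limit_match.
log_and_drop_rules() {
    if [ "$1" = yes ]; then
        lim="-m limit --limit 1/sec --limit-burst 5"
        # Interesting packets first, with their own prefix and their own limit,
        # so a flood of other junk cannot crowd them out of the log.
        $IPT -A INPUT -p tcp --dport 22 ! -s "$TRUSTED_HOST" $lim -j LOG --log-prefix "ssh: "
        $IPT -A INPUT -p tcp --dport 22 ! -s "$TRUSTED_HOST" -j DROP
        # Everything else about to be dropped, at most one log line per second.
        $IPT -A INPUT $lim -j LOG --log-prefix "dropped: "
    else
        # Without the limit match, logging every dropped packet is exactly the
        # log-flooding risk the thread warns about; log only the SSH attempts.
        $IPT -A INPUT -p tcp --dport 22 ! -s "$TRUSTED_HOST" -j LOG --log-prefix "ssh: "
        $IPT -A INPUT -p tcp --dport 22 ! -s "$TRUSTED_HOST" -j DROP
    fi
    $IPT -A INPUT -j DROP
}

# Number of emitted rules that carry a rate limit (used to sanity-check output).
count_limited() {
    log_and_drop_rules "$1" | grep -c -- '-m limit' || true
}

if has_limit_match; then
    log_and_drop_rules yes
else
    log_and_drop_rules no
fi
```

Run it once without IPT set and read the printed rules; only when they look right, run it again as root with IPT=/sbin/iptables. The "no" branch is deliberately quieter than the "yes" branch: when you cannot bound the log rate, logging less is safer than logging everything.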
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 18, 2014 8:19 pm
More up-to-date is, instead of -m state:
Code: | $IPT -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP |
Then you don't need all those "-m state --state NEW" checks, since the state can only be NEW.
Don't block icmp unless you actually have a problem you're trying to solve.
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 9:35 pm
hey,
is this essential???
Code: | # lsmod | grep xt_limit
xt_limit 1857 14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
|
I did just recompile my kernel, but it is still not showing up...
Where exactly would that option be hiding? ;-)
cheers, _________________ lo-jay
mv Watchman
Joined: 20 Apr 2005 Posts: 6780
Posted: Sat Jan 18, 2014 9:59 pm
PaulBredbury wrote: | Don't block icmp |
I guess this is the origin of the dropouts and bandwidth problems.
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 10:04 pm
OK,
so how should I alter this line to not block it?
Code: | $IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT |
thanks again! _________________ lo-jay
mv Watchman
Joined: 20 Apr 2005 Posts: 6780
Posted: Sat Jan 18, 2014 10:25 pm
You should at least allow 'destination-unreachable', 'source-quench', 'time-exceeded' and 'parameter-problem' (and perhaps hash-limited 'echo-reply' and 'echo-request').
As a side note, instead of DROP a (hash-limited) REJECT is a cleaner way: this will actually lower traffic, since (at least reasonably written) programs will not repeat their request.
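Added example, not mv's code, showing the ICMP advice above as concrete rules: the four error-reporting types are accepted outright, echo traffic is accepted but hash-limited per source address, and the chain ends with a hash-limited REJECT in front of the final DROP. The rate values and hashlimit table names are choices made for this example, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default; run as root with
# IPT=/sbin/iptables to apply. Rates are illustrative choices, not thread values.
IPT="${IPT:-echo /sbin/iptables}"

# The ICMP types mv lists are the ones the IP stack needs for error reporting
# and path-MTU discovery; dropping them is a classic cause of stalls and
# "dropouts". Echo traffic is allowed too, but rate limited per source with
# hashlimit so one noisy host cannot use up the whole budget.
icmp_rules() {
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    # hashlimit table names must be short (15 characters); one table per rule.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name icmp-echo-req \
        --hashlimit-mode srcip --hashlimit-upto 5/sec --hashlimit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -m hashlimit --hashlimit-name icmp-echo-rep \
        --hashlimit-mode srcip --hashlimit-upto 5/sec --hashlimit-burst 10 -j ACCEPT
}

# Chain tail in the style mv suggests: REJECT so a well-behaved peer gets an
# immediate error and stops retrying, but hash-limited per source so a flood
# cannot turn this host into an ICMP error generator; the excess is DROPped.
reject_tail() {
    $IPT -A INPUT -p tcp -m hashlimit --hashlimit-name rej-tcp --hashlimit-mode srcip \
        --hashlimit-upto 10/sec --hashlimit-burst 20 -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -m hashlimit --hashlimit-name rej-all --hashlimit-mode srcip \
        --hashlimit-upto 10/sec --hashlimit-burst 20 -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT -j DROP
}

# Helpers used to check the emitted rule set.
count_icmp_accepts() { icmp_rules | grep -c -- '-j ACCEPT' || true; }
count_rejects() { reject_tail | grep -c -- '-j REJECT' || true; }

icmp_rules
reject_tail
```

Place icmp_rules after the ESTABLISHED,RELATED accept (replies to your own pings are already covered there, which is why mv marks echo-reply as "perhaps") and reject_tail as the very last thing in INPUT. TCP gets a tcp-reset so clients see a refused connection instantly; everything else gets the usual port-unreachable.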
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 10:31 pm
I did put
Code: | $IPT -A INPUT -p icmp -j ACCEPT |
Still the same dropouts...
cheers! _________________ lo-jay
litan n00b
Joined: 13 Aug 2012 Posts: 51
Posted: Sat Jan 18, 2014 10:34 pm
lo-jay wrote: | hey,
is this essential???
Code: | # lsmod | grep xt_limit
xt_limit 1857 14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m |
I did just recompile my kernel, but it is still not showing up...
Where exactly would that option be hiding? ;-)
cheers, |
If you can't find the kernel option, it is under
Code: | Networking support --->
Networking options --->
Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
< > "limit" match support
|
Is it essential? I guess it kind of depends on your network and your risk tolerance.
If I understand correctly, this is the configuration of a machine in your local network, right? One should hope that there are no DoS attacks from the local network, but that's not the only thing that could go wrong. I think it is enough to forget to allow some traffic or other hiccups and your log file can become very big in a very short time, slowing down your hard drive and possibly filling up your file system, if you log all dropped packets without limiting.
I would not recommend it.
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sat Jan 18, 2014 11:12 pm
OK, I gladly followed your advice & compiled it as a module:
Code: | # find /lib/modules/$(uname -r)/kernel/net -iname '*.ko'
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_limit.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipvs/ip_vs.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_mark.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipset/ip_set.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_LOG.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/esp4.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_transport.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_beet.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/udp_diag.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ipcomp.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ah4.ko
/lib/modules/3.6.11-gentoo/kernel/net/xfrm/xfrm_ipcomp.ko
|
Still wondering if there is any way to strip down my iptables conf?
thanks again! _________________ lo-jay
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sun Jan 19, 2014 9:12 am
lo-jay wrote: | still the same dropouts... |
Show what you've got in the firewall rules. Easy way to show:
"Dropouts" could also be caused by something else, e.g. incorrect MTU setting on the interface.
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sun Jan 19, 2014 11:58 am
Here we go:
Code: | iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*nat
:PREROUTING ACCEPT [3:704]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5077:278311]
:POSTROUTING ACCEPT [5077:278311]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*mangle
:PREROUTING ACCEPT [49899:47444940]
:INPUT ACCEPT [49896:47444236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52426:5384762]
:POSTROUTING ACCEPT [52426:5384762]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2498:200012]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
|
cheers again! _________________ lo-jay
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sun Jan 19, 2014 3:35 pm
Get rid of that --tcp-flags FIN,SYN,RST,ACK SYN line, especially with your unresolved dropout issue. As I mentioned earlier, check for INVALID instead, if anything. Here's an example I'm currently playing with, to see what gets caught:
Code: | $ipt -N invalid
# Reject google (youtube)
$ipt -A invalid -s 173.194.0.0/16 -j REJECT
$ipt -A invalid -s 74.125.0.0/16 -j REJECT
# Drop twitter
$ipt -A invalid -s 199.16.156.0/22 -j DROP
# Drop incapsula
$ipt -A invalid -s 199.83.128.0/21 -j DROP
# Log the remainder
$ipt -A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "invalid: "
$ipt -A invalid -j DROP
$ipt -A INPUT -m conntrack --ctstate INVALID -j invalid
|
But I don't recommend you try anything like the above until you've resolved the dropouts, which may require analysis using e.g. wireshark.
All that --state NEW checking you've got is inelegant; I would put that in a chain called "new".
All of your OUTPUT rules at the bottom are useless, because they just ACCEPT, and that's your default policy anyway.
Edit: Changed from 2/sec to 1/min with limit-burst
Last edited by PaulBredbury on Sun Feb 02, 2014 11:48 am; edited 2 times in total
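Added example, not PaulBredbury's or lo-jay's script, that applies the structure described in Paul's two posts (conntrack instead of -m state, INVALID handled in its own chain, all new-connection policy in a chain called "new" so the per-port rules carry no --state NEW, and no OUTPUT rules that merely restate the ACCEPT policy) to lo-jay's own port list. The chain names "invalid" and "new" are Paul's; the log prefixes and rates are choices for this example, and IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default; run as root with
# IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"

# Services from lo-jay's script (OpenVPN on 1194 plus the two extra UDP ports).
TCP_PORTS="22 80 443"
UDP_PORTS="53 1194 10010 10020"

filter_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -N invalid
    $IPT -N new

    $IPT -A INPUT -i lo -j ACCEPT
    # conntrack rather than the older state match; replies to our own traffic.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place (bad sequence numbers, stray ACKs, ...)
    # go to their own chain instead of the blunt "! --syn" drop.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j invalid
    $IPT -A INPUT -p icmp -j ACCEPT
    # Whatever is left is a new connection, so one jump replaces every
    # "-m state --state NEW" on the per-port rules.
    $IPT -A INPUT -j new

    # "invalid": log a trickle for later analysis, then drop.
    $IPT -A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "invalid: "
    $IPT -A invalid -j DROP

    # "new": accept the listed services, log-and-drop the rest. No ACCEPT-only
    # OUTPUT rules: with policy ACCEPT they change nothing.
    for p in $TCP_PORTS; do $IPT -A new -p tcp --dport "$p" -j ACCEPT; done
    for p in $UDP_PORTS; do $IPT -A new -p udp --dport "$p" -j ACCEPT; done
    $IPT -A new -m limit --limit 1/sec -j LOG --log-prefix "new: "
    $IPT -A new -j DROP
}

# Number of rules emitted for a given chain (used to check the rule set).
count_chain_rules() { filter_rules | grep -c -- "-A $1 " || true; }

filter_rules
```

Because INVALID is diverted first and ESTABLISHED,RELATED is accepted before it, the "new" chain only ever sees first packets, which is what makes the per-port rules safe without a state check. Compare the emitted rules with iptables-save output afterwards: there should be no "-m state" and no "-A OUTPUT" lines at all.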
lo-jay l33t
Joined: 27 Feb 2005 Posts: 862
Posted: Sun Jan 19, 2014 4:05 pm
Well,
I commented some lines out. Here is the result:
Code: | # iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*nat
:PREROUTING ACCEPT [121:9118]
:INPUT ACCEPT [90:4700]
:OUTPUT ACCEPT [12220:709783]
:POSTROUTING ACCEPT [12220:709783]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*mangle
:PREROUTING ACCEPT [284085:338108189]
:INPUT ACCEPT [284078:338106700]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289099:26426757]
:POSTROUTING ACCEPT [289099:26426757]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49:8005]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 433 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
|
should i also get rid of OUTPUT for the loopback line?
PS: thanks a lot _________________ lo-jay
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sun Jan 19, 2014 4:47 pm
lo-jay wrote: | should i also get rid of OUTPUT for the loopback line? |
You can.
With the rules you've got, INVALID traffic will mostly be dropped by your rules. Which is more liable than REJECT (which I think Linux would do with them) to cause "dropouts". So your enthusiastic firewalling may be making the situation worse.