Full Discussion: Is my iptables fine?
Top Forums UNIX for Dummies Questions & Answers Is my iptables fine? Post 302910720 by Smiling Dragon on Sunday 27th of July 2014 05:15:53 PM
Your default policy on your INPUT chain is "DROP", but you end with a global REJECT (meaning the DROP will never happen). I'd recommend removing that last line, or changing your default policy to ACCEPT; having both could be confusing during debugging.

I'm a fan of DROP over REJECT as it slows scanners and helps differentiate between something being offline or broken, and something being blocked by your firewall.

I think you are probably accepting too many INPUT ports; I'd wager you don't need pop, pops, imap & imaps?

Are you sure you want to be allowing incoming DNS requests?

Change your default policy of the FORWARD chain to either REJECT or DROP (or at least add a few rules to ensure you are only forwarding for things on your internal network).

Near the start, you are accepting Related and Established replies, then further down near the end of the INPUT chain you accept Established again; you don't need that second one.

The three DROP rules near the top also have some redundancy in them (dropping FIN packets in two different rules for instance).

Your OUTPUT chain's default policy is ACCEPT, but you also have a bunch of rules that ACCEPT certain outbound connections; I'd assume that you probably meant to have the default policy as REJECT or DROP?

---------- Post updated at 09:15 AM ---------- Previous update was at 09:15 AM ----------

Edit: These are relatively small points, though, overall I think you are on the right track with this.
 

IPTables::Parse(3pm)                   User Contributed Perl Documentation                   IPTables::Parse(3pm)

NAME
       IPTables::Parse - Perl extension for parsing iptables and ip6tables policies

SYNOPSIS
       use IPTables::Parse;

       my $ipt_bin = '/sbin/iptables';   # can set this to /sbin/ip6tables

       my %opts = (
           'iptables' => $ipt_bin,
           'iptout'   => '/tmp/iptables.out',
           'ipterr'   => '/tmp/iptables.err',
           'debug'    => 0,
           'verbose'  => 0
       );

       my $ipt_obj = new IPTables::Parse(%opts)
           or die "[*] Could not acquire IPTables::Parse object";

       my $table = 'filter';
       my $chain = 'INPUT';

       # default_drop() returns a hash reference keyed by protocol plus a
       # success flag; the key 'all' means every protocol is dropped.
       my ($ipt_hr, $rv) = $ipt_obj->default_drop($table, $chain);
       if ($rv) {
           if (defined $ipt_hr->{'all'}) {
               print "The INPUT chain has a default DROP rule for all protocols.\n";
           } else {
               for my $proto (qw/tcp udp icmp/) {
                   if (defined $ipt_hr->{$proto}) {
                       print "The INPUT chain drops $proto by default.\n";
                   }
               }
           }
       } else {
           print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
       }

       # default_log() has the same calling convention, but looks for LOG rules.
       ($ipt_hr, $rv) = $ipt_obj->default_log($table, $chain);
       if ($rv) {
           if (defined $ipt_hr->{'all'}) {
               print "The INPUT chain has a default LOG rule for all protocols.\n";
           } else {
               for my $proto (qw/tcp udp icmp/) {
                   if (defined $ipt_hr->{$proto}) {
                       print "The INPUT chain logs $proto by default.\n";
                   }
               }
           }
       } else {
           print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
       }

DESCRIPTION
       The "IPTables::Parse" package provides an interface to parse iptables or ip6tables rules on
       Linux systems, either through the direct execution of iptables/ip6tables commands or by parsing
       a file that contains an iptables/ip6tables policy listing. You can get the current policy
       applied to a table/chain, look for a specific user-defined chain, check for a default DROP
       policy, or determine whether or not logging rules exist.

FUNCTIONS
       The IPTables::Parse extension provides an object interface to the following functions:

       chain_policy($table, $chain)
           This function returns the policy (e.g. 'DROP', 'ACCEPT', etc.) for the specified table
           and chain:

               print "INPUT policy: ", $ipt_obj->chain_policy('filter', 'INPUT'), "\n";

       chain_rules($table, $chain)
           This function parses the specified chain and table and returns an array reference for
           all rules in the chain. Each element in the array reference is a hash with the following
           keys (that contain values depending on the rule): "src", "dst", "protocol", "s_port",
           "d_port", "target", "packets", "bytes", "intf_in", "intf_out", "to_ip", "to_port",
           "state", "raw", and "extended". The "extended" element contains the rule output past the
           protocol information, and the "raw" element contains the complete rule itself as reported
           by iptables or ip6tables.

       default_drop($table, $chain)
           This function parses the running iptables or ip6tables policy in order to determine if
           the specified chain contains a default DROP rule. Two values are returned: a hash
           reference whose keys are the protocols that are dropped by default if a global ACCEPT
           rule has not accepted matching packets first, along with a return value that tells the
           caller if parsing the iptables or ip6tables policy was successful. Note that if all
           protocols are dropped by default, then the hash key 'all' will be defined.

               ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');

       default_log($table, $chain)
           This function parses the running iptables or ip6tables policy in order to determine if
           the specified chain contains a default LOG rule. Two values are returned: a hash
           reference whose keys are the protocols that are logged by default if a global ACCEPT
           rule has not accepted matching packets first, along with a return value that tells the
           caller if parsing the iptables or ip6tables policy was successful. Note that if all
           protocols are logged by default, then the hash key 'all' will be defined.

           An example invocation is:

               ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');

AUTHOR
       Michael Rash, <mbr@cipherdyne.org>

SEE ALSO
       The IPTables::Parse module is used by the IPTables::ChainMgr extension in support of the psad
       and fwsnort projects to parse iptables or ip6tables policies (see the psad(8) and fwsnort(8)
       man pages). As always, the iptables(8) and ip6tables(8) man pages provide the best
       information on command line execution and the theory behind iptables and ip6tables.

       Although there is no mailing list devoted specifically to the IPTables::Parse extension,
       questions about the extension will be answered on the following lists:

           The psad mailing list:    http://lists.sourceforge.net/lists/listinfo/psad-discuss
           The fwsnort mailing list: http://lists.sourceforge.net/lists/listinfo/fwsnort-discuss

       The latest version of the IPTables::Parse extension can be found on CPAN and also here:

           http://www.cipherdyne.org/modules/

       Source control is provided by git:

           http://www.cipherdyne.org/git/IPTables-Parse.git
           http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=IPTables-Parse.git;a=summary

CREDITS
       Thanks to the following people:

           Franck Joncourt <franck.mail@dthconnex.com>
           Grant Ferley

AUTHOR
       The IPTables::Parse extension was written by Michael Rash <mbr@cipherdyne.org> to support the
       psad and fwsnort projects. Please send email to this address if there are any questions,
       comments, or bug reports.

COPYRIGHT AND LICENSE
       Copyright (C) 2005-2012 Michael Rash. All rights reserved.

       This module is free software. You can redistribute it and/or modify it under the terms of
       the Artistic License 2.0. More information can be found here:

           http://www.perl.com/perl/misc/Artistic.html

       This program is distributed "as is" in the hope that it will be useful, but without any
       warranty; without even the implied warranty of merchantability or fitness for a particular
       purpose.

perl v5.14.2                                    2012-03-05                                  IPTables::Parse(3pm)
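The review points in the forum post above (a trailing catch-all REJECT that shadows a DROP policy, an ACCEPT policy on FORWARD, a second ESTABLISHED rule already covered by RELATED,ESTABLISHED, explicit ACCEPT rules under an ACCEPT OUTPUT policy, and mail/DNS ports open on INPUT) and the default_drop()/chain_policy() idea from the IPTables::Parse man page can both be exercised offline against a policy listing. The script below is an added example written for this page; it is not code from the forum post, nor the IPTables::Parse module, and it uses its own small parser for iptables-save format rather than the module's parsing of `iptables -nvL` output. The sample listing, the finding codes and the function names are constructed for illustration.

```python
"""Audit an iptables policy listing (iptables-save format) for the chain-policy
and redundancy issues discussed on this page.  Added example: the sample below
is constructed, and nothing here is code from the forum post or IPTables::Parse."""
import re
from collections import defaultdict

# Constructed sample reproducing the mistakes the post points out.
SAMPLE_POLICY = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Services the post suggests rarely need to be reachable on INPUT.
REVIEW_PORTS = {("tcp", "110"): "pop3", ("tcp", "995"): "pop3s",
                ("tcp", "143"): "imap", ("tcp", "993"): "imaps",
                ("udp", "53"): "dns", ("tcp", "53"): "dns"}


def parse_policy(text):
    """Return ({chain: policy}, {chain: [rule dicts]}) for one table."""
    policies, rules = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^:(\S+)\s+(\S+)", line)      # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^-A\s+(\S+)\s+(.*)$", line)  # "-A CHAIN <matches> -j TARGET"
        if not m:
            continue
        chain, body = m.groups()

        def opt(pattern, default=None):
            found = re.search(pattern, body)
            return found.group(1) if found else default

        # A rule is unconditional when nothing but -p/-j (and REJECT's
        # --reject-with option) remains once those tokens are stripped.
        rest = re.sub(r"(?:-j|--reject-with|-p|--protocol)\s+\S+", "", body).strip()
        rules[chain].append({
            "raw": line,
            "target": opt(r"-j\s+(\S+)"),
            "protocol": opt(r"(?:-p|--protocol)\s+(\S+)", "all"),
            "dport": opt(r"--dport\s+(\S+)"),
            "states": set(opt(r"--state\s+(\S+)", "").split(",")) - {""},
            "unconditional": rest == "",
        })
    return policies, rules


def default_target(rules, chain, targets=("DROP", "REJECT")):
    """Protocols caught by an unconditional DROP/REJECT rule in the chain, in
    the spirit of IPTables::Parse's default_drop(); key 'all' covers everything."""
    return {r["protocol"]: r["raw"] for r in rules.get(chain, [])
            if r["unconditional"] and r["target"] in targets}


def audit(text):
    """Return a list of (code, chain, detail) findings for the listing."""
    policies, rules = parse_policy(text)
    findings = []
    for chain, policy in policies.items():
        catch = default_target(rules, chain)
        if policy in ("DROP", "REJECT") and "all" in catch:
            findings.append(("POLICY_SHADOWED", chain,
                             f"policy {policy} is never reached because of: {catch['all']}"))
        if chain == "FORWARD" and policy == "ACCEPT":
            findings.append(("FORWARD_OPEN", chain, "FORWARD policy is ACCEPT"))
        if chain == "OUTPUT" and policy == "ACCEPT" and any(
                r["target"] == "ACCEPT" for r in rules.get(chain, [])):
            findings.append(("OUTPUT_ACCEPT_RULES", chain,
                             "explicit ACCEPT rules under an ACCEPT policy; was DROP intended?"))
    seen_states = set()
    for r in rules.get("INPUT", []):
        if r["target"] != "ACCEPT":
            continue
        if r["states"]:
            if r["states"] <= seen_states:      # already covered by an earlier rule
                findings.append(("REDUNDANT_STATE", "INPUT", r["raw"]))
            seen_states |= r["states"]
        service = REVIEW_PORTS.get((r["protocol"], r["dport"]))
        if service:
            findings.append(("REVIEW_PORT", "INPUT", f"{service} accepted: {r['raw']}"))
    return findings


if __name__ == "__main__":
    for code, chain, detail in audit(SAMPLE_POLICY):
        print(f"{code:20} {chain:8} {detail}")
```

Run as-is it reports seven findings for the constructed listing; feeding `audit()` the text of a real `iptables-save` dump instead of SAMPLE_POLICY applies the same checks to a live policy. The "unconditional rule" test is deliberately strict (any match option other than `-p` makes a rule conditional), which mirrors the man page's notion of a default DROP rule that applies only when no earlier ACCEPT matched.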