I've been trying to get port forwarding working on my Toshiba Magnia appliance that runs RedHat 7.2.
It has two modes of operation basically, firewall ON and OFF.
I can get it to work as expected only when the firewall is off;
something about turning the firewall on prevents the port from being
open or something.
I'm trying to forward port 4662 to my XP machine at 192.168.1.2:4662.
The magic command that makes it work with the firewall OFF is:
-A PREROUTING -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.2:4662
With the firewall on it doesn't work. No response whatsoever. As
far as I can tell the NAT table is the same, but the filter table
gets loaded with default stuff by the Magnia. Below are outputs of
my iptables-save, first with the firewall OFF (works) and second with the
firewall ON (doesn't work). Anyone see the problem?
<firewall off with 4662 forwarded>
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:22:28 2003
*mangle
:PREROUTING ACCEPT [511:75905]
:INPUT ACCEPT [418:39708]
:FORWARD ACCEPT [141:42313]
:OUTPUT ACCEPT [370:83306]
:POSTROUTING ACCEPT [600:136767]
COMMIT
# Completed on Tue Mar 11 06:22:28 2003
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:22:28 2003
*nat
:PREROUTING ACCEPT [31:2680]
:POSTROUTING ACCEPT [15:1211]
:OUTPUT ACCEPT [15:1259]
-A PREROUTING -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.2:4662
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 11 06:22:28 2003
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:22:28 2003
*filter
:INPUT ACCEPT [181:18491]
:FORWARD ACCEPT [81:35670]
:OUTPUT ACCEPT [412:88938]
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
COMMIT
# Completed on Tue Mar 11 06:22:28 2003
<Beginning of firewall ON with 4662 still forwarded>
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:30:38 2003
*mangle
:PREROUTING ACCEPT [131:14822]
:INPUT ACCEPT [162:18284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [178:48552]
:POSTROUTING ACCEPT [209:52398]
COMMIT
# Completed on Tue Mar 11 06:30:38 2003
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:30:38 2003
*nat
:PREROUTING ACCEPT [3:144]
:POSTROUTING ACCEPT [6:536]
:OUTPUT ACCEPT [7:777]
-A PREROUTING -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.2:4662
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 11 06:30:38 2003
# Generated by iptables-save v1.2.5 on Tue Mar 11 06:30:38 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:98]
:CHECKBADFLAG - [0:0]
:ICMPINBOUND - [0:0]
:ICMPOUTBOUND - [0:0]
:LBADFLAG - [0:0]
:LDROP - [0:0]
:LINVALID - [0:0]
:LPINGFLOOD - [0:0]
:LREJECT - [0:0]
:LSPECIALPORT - [0:0]
:LSYNFLOOD - [0:0]
:SMB - [0:0]
:SPECIALPORTS - [0:0]
:TCPACCEPT - [0:0]
-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -m state --state INVALID -j LINVALID
-A INPUT -p tcp -j CHECKBADFLAG
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT
-A INPUT -s 192.168.1.0/255.255.255.0 -i brg0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j LREJECT
-A INPUT -i eth1 -p icmp -j ICMPINBOUND
-A INPUT -p udp -m udp --dport 33434:33523 -j LDROP
-A INPUT -i eth1 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -j SPECIALPORTS
-A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
-A INPUT -i brg0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -d 65.33.22.131 -i eth1 -p udp -m udp --sport 4000 --dport 1024:65535 -j ACCEPT
-A INPUT -s 65.33.22.131 -i eth1 -p udp -m udp --sport 1024:65535 --dport 4000 -j ACCEPT
-A INPUT -d 65.33.22.131 -i eth1 -p udp -m udp --sport 1024:65535 --dport 6970:6999 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p ah -j ACCEPT
-A INPUT -i ipsec0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i ipsec0 -p esp -j ACCEPT
-A INPUT -i ipsec0 -p ah -j ACCEPT
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -j LDROP
-A FORWARD -m state --state INVALID -j LINVALID
-A FORWARD -p tcp -j CHECKBADFLAG
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o brg0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -j SMB
-A FORWARD -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
-A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -j LDROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o brg0 -j ACCEPT
-A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
-A OUTPUT -o eth1 -p tcp -m tcp --sport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp -m tcp --sport 20 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 65.33.22.131 -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A OUTPUT -s 65.33.22.131 -o eth1 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A OUTPUT -o brg0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -o eth1 -p esp -j ACCEPT
-A OUTPUT -o eth1 -p ah -j ACCEPT
-A OUTPUT -o ipsec0 -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -o ipsec0 -p esp -j ACCEPT
-A OUTPUT -o ipsec0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LDROP
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
-A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPINBOUND -p icmp -j ACCEPT
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
-A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
-A ICMPOUTBOUND -p icmp -j ACCEPT
-A LBADFLAG -j DROP
-A LDROP -j DROP
-A LINVALID -j DROP
-A LPINGFLOOD -j DROP
-A LREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LSPECIALPORT -j DROP
-A LSYNFLOOD -j DROP
-A SMB -p tcp -m tcp --dport 137 -j DROP
-A SMB -p tcp -m tcp --dport 138 -j DROP
-A SMB -p tcp -m tcp --dport 139 -j DROP
-A SMB -p tcp -m tcp --dport 445 -j DROP
-A SMB -p udp -m udp --dport 137 -j DROP
-A SMB -p udp -m udp --dport 138 -j DROP
-A SMB -p udp -m udp --dport 139 -j DROP
-A SMB -p udp -m udp --dport 445 -j DROP
-A SMB -p tcp -m tcp --sport 137 -j DROP
-A SMB -p tcp -m tcp --sport 138 -j DROP
-A SMB -p tcp -m tcp --sport 139 -j DROP
-A SMB -p tcp -m tcp --sport 445 -j DROP
-A SMB -p udp -m udp --sport 137 -j DROP
-A SMB -p udp -m udp --sport 138 -j DROP
-A SMB -p udp -m udp --sport 139 -j DROP
-A SMB -p udp -m udp --sport 445 -j DROP
-A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT
-A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT
-A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT
# Completed on Tue Mar 11 06:30:38 2003
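Added example (not from the post, and not Toshiba's code): a small Python evaluator for the subset of iptables-save syntax the dump above uses. It replays the firewall-ON FORWARD chain against the SYN that arrives after PREROUTING has already rewritten its destination to 192.168.1.2:4662. A DNAT'd packet bound for another host is forwarded, so it never traverses INPUT, which is why the "-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT" rule in the firewall-ON dump cannot help it; in FORWARD it is a NEW connection, matches neither the ESTABLISHED nor the RELATED rules, and falls through to "-A FORWARD -j LDROP". The block then shows the same packet accepted once a FORWARD rule for the DNAT'd destination is placed ahead of LDROP. Assumptions, all mine: brg0 is the LAN-side interface (inferred from the rules), conntrack classifies the packet as NEW, rate-limit matches are never exceeded, 203.0.113.5 is a constructed peer address, and the inserted rule (FIX) is a suggestion rather than anything the post or the appliance contains.

```python
import ipaddress
import shlex

# Excerpt of the firewall-ON filter table posted above: the FORWARD chain in full,
# and each user chain it reaches trimmed to one representative rule (the posted
# SMB chain has sixteen rules, CHECKBADFLAG six, TCPACCEPT three).
FIREWALL_ON = """
:FORWARD DROP [0:0]
-A FORWARD -m state --state INVALID -j LINVALID
-A FORWARD -p tcp -j CHECKBADFLAG
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o brg0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p udp -m udp --sport 1024:65535 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i brg0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -j SMB
-A FORWARD -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
-A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -j LDROP
-A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A SMB -p tcp -m tcp --dport 445 -j DROP
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A LBADFLAG -j DROP
-A LDROP -j DROP
-A LINVALID -j DROP
"""
# Hypothetical fix (my suggestion, not from the post): admit NEW connections to the
# DNAT'd host, placed ahead of the chain's final "-j LDROP".
FIX = ("-A FORWARD -i eth1 -o brg0 -d 192.168.1.2 -p tcp -m tcp --dport 4662 "
       "-m state --state NEW -j ACCEPT")
FIREWALL_ON_FIXED = FIREWALL_ON.replace("-A FORWARD -j LDROP", FIX + "\n-A FORWARD -j LDROP")

VALUED = {"-i", "-o", "-s", "-d", "-p", "--dport", "--sport", "--state"}
SKIP = {"-m", "--limit", "--limit-burst", "--reject-with"}  # module loads; limits assumed not exceeded
FIELD = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport", "--sport": "sport"}

def parse_rule(line):
    """Parse one '-A' line into (chain, [(option, value, negated)], target)."""
    toks, hdr, matches, neg, i = shlex.split(line), {}, [], False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":  # negates the next match
            neg, i = True, i + 1
            continue
        if t in ("-A", "-j"):
            hdr[t] = toks[i + 1]
        elif t == "--tcp-flags":  # takes two arguments: MASK COMP
            matches.append((t, (toks[i + 1], toks[i + 2]), neg))
            i += 1
        elif t in VALUED:
            matches.append((t, toks[i + 1], neg))
        elif t not in SKIP:
            raise ValueError(f"unsupported option {t!r}")
        neg, i = False, i + 2
    return hdr["-A"], matches, hdr["-j"]

def load(text):
    """Build {chain: policy} and {chain: [(matches, target)]} from iptables-save lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A"):
            chain, matches, target = parse_rule(line)
            chains.setdefault(chain, []).append((matches, target))
    return policies, chains

def match_one(opt, val, pkt):
    if opt in ("-s", "-d"):  # accepts both 1.2.3.0/255.255.255.0 and bare addresses
        return ipaddress.ip_address(pkt[FIELD[opt]]) in ipaddress.ip_network(val, strict=False)
    if opt in ("--dport", "--sport"):  # single port or lo:hi range
        lo, _, hi = val.partition(":")
        return int(lo) <= pkt[FIELD[opt]] <= int(hi or lo)
    if opt == "--state":
        return pkt["state"] in val.split(",")
    if opt == "--tcp-flags":  # flags selected by MASK must equal COMP exactly
        mask, comp = val
        want = set() if comp == "NONE" else set(comp.split(","))
        return (pkt["flags"] & set(mask.split(","))) == want
    return pkt[FIELD[opt]] == val  # -i / -o / -p: exact match

def walk(chains, chain, pkt, trace):
    """Traverse a chain as netfilter does; None means the packet fell off the end."""
    for matches, target in chains.get(chain, []):
        if not all(match_one(o, v, pkt) != neg for o, v, neg in matches):
            continue
        trace.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        verdict = walk(chains, target, pkt, trace)  # user-defined chain
        if verdict:
            return verdict
    return None

def verdict(text, chain, pkt):
    """Final verdict for pkt entering chain, plus the trace of rules it hit."""
    policies, chains = load(text)
    trace = []
    return (walk(chains, chain, pkt, trace) or policies.get(chain)), trace

# Constructed packet: what FORWARD sees after PREROUTING rewrote the destination to
# 192.168.1.2:4662 and routing chose the LAN side (brg0 assumed); 203.0.113.5 is a
# documentation address standing in for an outside peer.
INBOUND_SYN = {"in": "eth1", "out": "brg0", "src": "203.0.113.5", "dst": "192.168.1.2",
               "proto": "tcp", "sport": 51000, "dport": 4662, "state": "NEW", "flags": {"SYN"}}

if __name__ == "__main__":
    print("as posted:", *verdict(FIREWALL_ON, "FORWARD", INBOUND_SYN))
    print("with FIX: ", *verdict(FIREWALL_ON_FIXED, "FORWARD", INBOUND_SYN))
```

Running it with python3 prints the verdict and the rule trace for both rule sets: as posted, the packet ends at LDROP; with FIX in place, it is accepted before LDROP is reached. The evaluator handles only the matches the dump uses (interface, address, protocol, ports, conntrack state, tcp-flags with "!" negation) and treats "-m limit" as always within limit, so it is a reading aid for this dump, not a general iptables simulator.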