I recently moved my server over to some new hardware; this was a leap from x86 to EM64T. I noticed a lot of changes in the kernel config pertaining to iptables and related net functions. Since I was not technically making a new server, simply upgrading it, the majority of my config files were still valid. One of these was a hefty firewall script I have been working on through the days.
Long story short: the only thing I can't get working is a high ID for the mule. This machine acts as the router / NAT / gateway and has all the fancy DNS and other servers one might expect. I don't know what may have changed, but I know I am using a newer kernel, newer amule, and everything else worked with little or no mods.
Here is a dump of iptables -L. I will reveal the whole script if needed, but maybe someone can figure it out from this.
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.0.0.0/8 anywhere
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 84-38-19-129.metrolink.pl anywhere
DROP all -- 211.140.0.0/16 anywhere
DROP all -- 202.205.0.0/16 anywhere
DROP all -- 219.142.0.0/16 anywhere
DROP all -- 60.12.0.0/16 anywhere
DROP all -- 0.0.191.220.broad.hz.zj.dynamic.163data.com.cn/16 anywhere
DROP all -- host81-157-231-47.range81-157.btcentralplus.com anywhere
ACCEPT all -- anywhere anywhere
bad_packets all -- anywhere anywhere
DROP all -- anywhere ALL-SYSTEMS.MCAST.NET
ACCEPT all -- 172.24.0.0/24 anywhere
ACCEPT all -- anywhere 172.24.0.255
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
tcp_inbound tcp -- anywhere anywhere
udp_inbound udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
DROP all -- anywhere anywhere PKTTYPE = broadcast
Chain FORWARD (policy DROP)
target prot opt source destination
bad_packets all -- anywhere anywhere
tcp_outbound tcp -- anywhere anywhere
udp_outbound udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere alpha.fruitwerks.us tcp dpt:4776
ACCEPT udp -- anywhere alpha.fruitwerks.us udp dpt:4780
ACCEPT udp -- anywhere alpha.fruitwerks.us udp dpt:4779
LOG all -- anywhere anywhere LOG level warning prefix `fp=FORWARD:99 a=DROP '
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- www.doubleclick.net anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- alpha.fruitwerks.us anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `fp=OUTPUT:99 a=DROP '
Chain bad_packets (2 references)
target prot opt source destination
LOG all -- 172.24.0.0/24 anywhere LOG level warning prefix `fp=bad_packets:2 a=DROP '
DROP all -- 172.24.0.0/24 anywhere
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain bad_tcp_packets (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `fp=bad_tcp_packets:1 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `fp=bad_tcp_packets:2 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:3 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `fp=bad_tcp_packets:4 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:5 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST LOG level warning prefix `fp=bad_tcp_packets:6 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `fp=bad_tcp_packets:7 a=DROP '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN tcp -- anywhere anywhere
Chain icmp_packets (1 references)
target prot opt source destination
LOG icmp -f anywhere anywhere LOG level warning prefix `fp=icmp_packets:1 a=DROP '
DROP icmp -f anywhere anywhere
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere
Chain tcp_inbound (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpts:5000:5100
ACCEPT tcp -- anywhere anywhere tcp dpts:6891:6900
ACCEPT tcp -- anywhere anywhere tcp dpts:900:swat
RETURN tcp -- anywhere anywhere
Chain tcp_outbound (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere
Chain udp_inbound (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
REJECT udp -- anywhere anywhere udp dpt:auth reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
RETURN udp -- anywhere anywhere
Chain udp_outbound (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
alpha is the host amule...
Well, it is probably not a good idea to NAT to / from localhost! amule used to run on a machine other than the router. I removed the NAT rules and restarted iptables and amuled, but it is still firewalled. I guess I need to allow it like any other service... I will reply later with the results.
Thanks
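To check that conclusion against the posted dump, here is an added example (not from the post or the poster's script) that parses a constructed excerpt of the `iptables -L` output and walks the chains for a NEW packet: the amule port is only accepted in FORWARD towards alpha, while INPUT hands the packet to tcp_inbound/udp_inbound, which never accept it. It assumes numeric destination ports and ignores the interface matches that `-L` without `-v` hides.

```python
import re
# Constructed excerpt of the post's `iptables -L` output; `-L` without `-v` hides interface
# matches, so the bare "ACCEPT all anywhere anywhere" rules are deliberately left out.
DUMP = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
tcp_inbound tcp -- anywhere anywhere
udp_inbound udp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere alpha.fruitwerks.us tcp dpt:4776
Chain tcp_inbound (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpts:5000:5100
RETURN tcp -- anywhere anywhere
"""

def parse(dump):
    # Returns {chain: {"policy": str or None, "rules": [(target, prot, dest, extra)]}}
    chains, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cur and line and not line.startswith("target"):
            f = line.split(None, 5)
            cur["rules"].append((f[0], f[1], f[4], f[5] if len(f) > 5 else ""))
    return chains

def verdict(chains, chain, proto, dport, dst="anywhere"):
    # Walk `chain` for a NEW packet with numeric `dport`; None means RETURN to the caller.
    for target, prot, dest, extra in chains.get(chain, {"rules": []})["rules"]:
        if prot not in ("all", proto) or dest not in ("anywhere", dst):
            continue
        if "ESTABLISHED" in extra or "INVALID" in extra or "spt:" in extra:
            continue  # state- or source-port-based rules cannot decide a NEW dport
        m = re.search(r"dpts?:(\S+)", extra)
        if m:  # service names in rules (http, auth) only match literally
            lo, _, hi = m.group(1).partition(":")
            ok = (lo.isdigit() and hi.isdigit() and int(lo) <= dport <= int(hi)) if hi else lo == str(dport)
            if not ok:
                continue
        if target == "RETURN":
            break
        v = verdict(chains, target, proto, dport, dst) if target in chains else target
        if v in ("ACCEPT", "DROP", "REJECT"):
            return v
    return chains.get(chain, {}).get("policy")
```

On the router itself, `iptables -L -v -n` shows the interface matches that decide which of the bare `ACCEPT all` rules really apply, which this walker cannot see.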