Hi! The machine is a standalone web server. I've been getting a bunch of portscans and some weird logs in my webserver logs. I'd like to block those IPs completely. However, I'm not quite sure where in this setup I'd put them. I was thinking they'd go into PAROLE.
Here's the output of "iptables -L -n -v":

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
74607   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
 331K   39M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 244 bytes)
 pkts bytes target     prot opt in     out     source               destination
77803   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (4 references)
 pkts bytes target     prot opt in     out     source               destination
  443 22260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    1    56 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
  384 19428 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    5   240 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
   51  2524 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    3   140 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    7   332 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:79 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    6   360 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:512 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:98 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    7   380 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
  145 47167 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 331K   39M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
77803   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

----- Original Message -----
From: "DEFFONTAINES Vincent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 2:45 PM
Subject: RE: IPTables configuration.

> To correctly audit your configuration, I need an output of
> "/sbin/iptables -L -n -v"
> The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
> reveal the per interface filters.
>
> Vincent
>
> > -----Original Message-----
> > From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday 4 December 2002 14:23
> > To: [EMAIL PROTECTED]
> > Subject: IPTables configuration.
> >
> > Hello!
> >
> > Can someone review my iptables configuration and give suggestions?
> > Btw. if I'd want to block someone completely using this configuration
> > should I put them in "Parole" by using this command:
> >
> > iptables -A PAROLE -s [ip-number] -j DROP
> >
> > //Tore Nilsson
> >
> > here's my configuration. btw, it was made with Bastille:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > DROP       tcp  --  anywhere             127.0.0.0/8
> > ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > PUB_IN     all  --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> > DROP       all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > PUB_OUT    all  --  anywhere             anywhere
> >
> > Chain INT_IN (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain INT_OUT (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PAROLE (4 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PUB_IN (1 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
> > ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
> > ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
> > PAROLE     tcp  --  anywhere             anywhere           tcp dpt:www
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere           tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        udp  --  anywhere             anywhere           udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > DROP       icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain PUB_OUT (1 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
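The "-A PAROLE ... -j DROP" idea in the quoted message can be checked mechanically against the listing. The following is an added example, not code from this thread or from Bastille: it parses "iptables -L -n -v" output (a constructed excerpt of the INPUT and PAROLE chains above, figures as posted) and reports, per chain, the index of the first terminating rule that matches every packet, since any rule appended behind such a rule can never be reached. All function names are assumptions of this example.

```python
import re

# Constructed excerpt of the "iptables -L -n -v" listing above (INPUT and PAROLE chains only).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
74607   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
 331K   39M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (4 references)
 pkts bytes target     prot opt in     out     source               destination
  443 22260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG and jumps to user chains fall through

def parse_listing(text):
    """Parse 'iptables -L -n -v' output into {chain: [rule, ...]} in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [matches]
        if current and len(f) >= 9 and f[0] != "pkts":
            chains[current].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                                    "source": f[7], "dest": f[8], "extra": " ".join(f[9:])})
    return chains

def matches_everything(rule):
    """True when the rule carries no match at all: any proto, any iface, any address, no extension."""
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["source"] == "0.0.0.0/0" and rule["dest"] == "0.0.0.0/0" and not rule["extra"])

def shadowing_rule(chains, chain):
    """Index of the first terminating catch-all in `chain`; None if an appended rule can still be hit."""
    for i, rule in enumerate(chains[chain]):
        if rule["target"] in TERMINATING and matches_everything(rule):
            return i
    return None
```

For this listing the check reports index 0 for PAROLE and 5 for INPUT, so a source DROP appended with -A to either chain would sit behind a catch-all and never match; inserting it at the top of the chain with -I instead of -A is what makes it reachable.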