
List:       tor-cvs
Subject:    [or-cvs] r14858: Remove stuff that we don't need and add two iptables firewal (in torwall/trunk: . i
From:       ioerror () seul ! org
Date:       2008-05-31 7:38:56
Message-ID: 20080531073856.3290B140E0EE () moria ! seul ! org

Author: ioerror
Date: 2008-05-31 03:38:55 -0400 (Sat, 31 May 2008)
New Revision: 14858

Added:
   torwall/trunk/iptable-state/
   torwall/trunk/iptable-state/iptables-accept-all
   torwall/trunk/iptable-state/torrules
Removed:
   torwall/trunk/autom4te.cache/
   torwall/trunk/src/.deps/
Log:
Remove stuff that we don't need and add two iptables firewalls that aren't entirely useful but are good placeholders.


Added: torwall/trunk/iptable-state/iptables-accept-all
===================================================================
--- torwall/trunk/iptable-state/iptables-accept-all	                        (rev 0)
+++ torwall/trunk/iptable-state/iptables-accept-all	2008-05-31 07:38:55 UTC (rev \
14858) @@ -0,0 +1,7 @@
+# Generated by iptables-save v1.3.6 on Fri May 30 21:13:01 2008
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri May 30 21:13:01 2008
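Review bot: this file is a reset-to-open state rather than a firewall, and nothing in it says so: the three `ACCEPT` policies with no rules mean that loading it with `iptables-restore` flushes the filter table and leaves the host with no filtering at all. Before someone applies it by mistake, add a comment line at the top stating that it disables filtering (the `# Generated by iptables-save` header is the only comment), and note that it only carries `*filter`, so `iptables-restore` leaves the `*raw`, `*mangle` and `*nat` tables loaded from `torrules` (including their per-packet LOG rules) in place. If the intent is to fully undo `torrules`, the file also needs empty `*raw`, `*mangle` and `*nat` sections with ACCEPT policies.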

Added: torwall/trunk/iptable-state/torrules
===================================================================
--- torwall/trunk/iptable-state/torrules	                        (rev 0)
+++ torwall/trunk/iptable-state/torrules	2008-05-31 07:38:55 UTC (rev 14858)
@@ -0,0 +1,201 @@
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*raw
+:PREROUTING ACCEPT [83389:68605019]
+:OUTPUT ACCEPT [37909:2510292]
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*mangle
+:PREROUTING ACCEPT [83389:68605019]
+:INPUT ACCEPT [69009:66868847]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [37909:2510292]
+:POSTROUTING ACCEPT [37839:2506220]
+:tcfor - [0:0]
+:tcout - [0:0]
+:tcpost - [0:0]
+:tcpre - [0:0]
+-A PREROUTING -m state --state NEW -j LOG --log-prefix \
"Shorewall:mangle:PREROUTING:" --log-level 7  +-A PREROUTING -j tcpre 
+-A INPUT -m state --state NEW -j LOG --log-prefix "Shorewall:mangle:INPUT:" \
--log-level 7  +-A FORWARD -m state --state NEW -j LOG --log-prefix \
"Shorewall:mangle:FORWARD:" --log-level 7  +-A FORWARD -j tcfor 
+-A OUTPUT -j tcout 
+-A POSTROUTING -m state --state NEW -j LOG --log-prefix \
"Shorewall:mangle:POSTROUTING:" --log-level 7  +-A POSTROUTING -j tcpost 
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*nat
+:PREROUTING ACCEPT [29537:4154131]
+:POSTROUTING ACCEPT [3294:259343]
+:OUTPUT ACCEPT [3348:262583]
+-A PREROUTING -m state --state NEW -j LOG --log-prefix "Shorewall:nat:PREROUTING:" \
--log-level 7  +-A POSTROUTING -m state --state NEW -j LOG --log-prefix \
"Shorewall:nat:POSTROUTING:" --log-level 7  +-A OUTPUT -m state --state NEW -j LOG \
--log-prefix "Shorewall:nat:OUTPUT:" --log-level 7  +COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*filter
+:Drop - [0:0]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:Reject - [0:0]
+:all2all - [0:0]
+:dropBcast - [0:0]
+:dropInvalid - [0:0]
+:dropNotSyn - [0:0]
+:dynamic - [0:0]
+:eth0_fwd - [0:0]
+:eth0_in - [0:0]
+:fw2all - [0:0]
+:fw2fw - [0:0]
+:fw2net - [0:0]
+:logflags - [0:0]
+:net2all - [0:0]
+:net2fw - [0:0]
+:net2net - [0:0]
+:reject - [0:0]
+:shorewall - [0:0]
+:smurfs - [0:0]
+:tcpflags - [0:0]
+-A Drop -p tcp -m tcp --dport 113 -j reject 
+-A Drop -j dropBcast 
+-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
+-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT 
+-A Drop -j dropInvalid 
+-A Drop -p udp -m multiport --dports 135,445 -j DROP 
+-A Drop -p udp -m udp --dport 137:139 -j DROP 
+-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP 
+-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP 
+-A Drop -p udp -m udp --dport 1900 -j DROP 
+-A Drop -p tcp -j dropNotSyn 
+-A Drop -p udp -m udp --sport 53 -j DROP 
+-A INPUT -m state --state NEW -j LOG --log-prefix "Shorewall:filter:INPUT:" \
--log-level 7  +-A INPUT -i lo -j ACCEPT 
+-A INPUT -i eth0 -j eth0_in 
+-A INPUT -j Drop 
+-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6 
+-A INPUT -j DROP 
+-A FORWARD -m state --state NEW -j LOG --log-prefix "Shorewall:filter:FORWARD:" \
--log-level 7  +-A FORWARD -i eth0 -j eth0_fwd 
+-A FORWARD -j Drop 
+-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6 
+-A FORWARD -j DROP 
+-A OUTPUT -m state --state NEW -j LOG --log-prefix "Shorewall:filter:OUTPUT:" \
--log-level 7  +-A OUTPUT -o eth0 -j fw2net 
+-A OUTPUT -o lo -j fw2fw 
+-A OUTPUT -j Drop 
+-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6 
+-A OUTPUT -j DROP 
+-A Reject -p tcp -m tcp --dport 113 -j reject 
+-A Reject -j dropBcast 
+-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
+-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT 
+-A Reject -j dropInvalid 
+-A Reject -p udp -m multiport --dports 135,445 -j reject 
+-A Reject -p udp -m udp --dport 137:139 -j reject 
+-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject 
+-A Reject -p tcp -m multiport --dports 135,139,445 -j reject 
+-A Reject -p udp -m udp --dport 1900 -j DROP 
+-A Reject -p tcp -j dropNotSyn 
+-A Reject -p udp -m udp --sport 53 -j DROP 
+-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A all2all -j Drop 
+-A all2all -j LOG --log-prefix "Shorewall:all2all:DROP:" --log-level 6 
+-A all2all -j DROP 
+-A dropBcast -m pkttype --pkt-type broadcast -j DROP 
+-A dropBcast -m pkttype --pkt-type multicast -j DROP 
+-A dropInvalid -m state --state INVALID -j DROP 
+-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
+-A eth0_fwd -m state --state INVALID,NEW -j dynamic 
+-A eth0_fwd -m state --state INVALID,NEW -j smurfs 
+-A eth0_fwd -p tcp -j tcpflags 
+-A eth0_in -m state --state INVALID,NEW -j dynamic 
+-A eth0_in -m state --state INVALID,NEW -j smurfs 
+-A eth0_in -p tcp -j tcpflags 
+-A eth0_in -j net2fw 
+-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2all -j Drop 
+-A fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:" --log-level 6 
+-A fw2all -j DROP 
+-A fw2fw -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2fw -p tcp -m tcp --dport 9050 -j ACCEPT 
+-A fw2fw -p tcp -m tcp --dport 8118 -j ACCEPT 
+-A fw2fw -j Drop 
+-A fw2fw -j LOG --log-prefix "Shorewall:fw2fw:DROP:" --log-level 6 
+-A fw2fw -j DROP 
+-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2net -d 10.0.0.0/255.0.0.0 -p icmp -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.3.1 -p tcp -m tcp --dport 1812 -m owner --uid-owner root -j ACCEPT \
 +-A fw2net -d 10.1.3.1 -p tcp -m tcp --dport 1812 -m owner --uid-owner root -j \
ACCEPT  +-A fw2net -d 10.2.3.1 -p udp -m udp --dport 1812 -m owner --uid-owner root \
-j ACCEPT  +-A fw2net -d 10.1.3.1 -p udp -m udp --dport 1812 -m owner --uid-owner \
root -j ACCEPT  +-A fw2net -d 10.2.3.1 -p tcp -m tcp --dport 1813 -m owner \
--uid-owner root -j ACCEPT  +-A fw2net -d 10.1.3.1 -p tcp -m tcp --dport 1813 -m \
owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.2.3.1 -p udp -m udp --dport 1813 \
-m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.1.3.1 -p udp -m udp --dport \
1813 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.2.9.1 -p tcp -m tcp \
--dport 9999 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 86.59.21.35 -p tcp -m \
tcp --dport 9999 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.2.2.1 -p udp \
-m owner --uid-owner root -m udp --dport 53 -j LOG --log-prefix \
"Shorewall:fw2net:ACCEPT:" --log-level 6  +-A fw2net -d 10.2.2.1 -p udp -m udp \
--dport 53 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.1.2.1 -p udp -m \
owner --uid-owner root -m udp --dport 53 -j LOG --log-prefix \
"Shorewall:fw2net:ACCEPT:" --log-level 6  +-A fw2net -d 10.1.2.1 -p udp -m udp \
--dport 53 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.2.2.1 -p tcp -m \
owner --uid-owner root -m tcp --dport 53 -j LOG --log-prefix \
"Shorewall:fw2net:ACCEPT:" --log-level 6  +-A fw2net -d 10.2.2.1 -p tcp -m tcp \
--dport 53 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.1.2.1 -p tcp -m \
owner --uid-owner root -m tcp --dport 53 -j LOG --log-prefix \
"Shorewall:fw2net:ACCEPT:" --log-level 6  +-A fw2net -d 10.1.2.1 -p tcp -m tcp \
--dport 53 -m owner --uid-owner root -j ACCEPT  +-A fw2net -d 10.2.2.1 -p udp -m udp \
--dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6  +-A fw2net -d \
10.2.2.1 -p udp -m udp --dport 53 -j DROP  +-A fw2net -d 10.1.2.1 -p udp -m udp \
--dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6  +-A fw2net -d \
10.1.2.1 -p udp -m udp --dport 53 -j DROP  +-A fw2net -d 10.2.2.1 -p tcp -m tcp \
--dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6  +-A fw2net -d \
10.2.2.1 -p tcp -m tcp --dport 53 -j DROP  +-A fw2net -d 10.1.2.1 -p tcp -m tcp \
--dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6  +-A fw2net -d \
10.1.2.1 -p tcp -m tcp --dport 53 -j DROP  +-A fw2net -d 10.2.4.1 -p tcp -m tcp \
--dport 25 -m owner --uid-owner mail -j ACCEPT  +-A fw2net -p tcp -m owner \
--uid-owner debian-tor -j ACCEPT  +-A fw2net -j Drop 
+-A fw2net -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -j DROP 
+-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 \
--log-ip-options  +-A logflags -j DROP 
+-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2all -j Drop 
+-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6 
+-A net2all -j DROP 
+-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2fw -p icmp -j ACCEPT 
+-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT 
+-A net2fw -s 10.2.5.10 -p udp -m udp --dport 161:162 -j ACCEPT 
+-A net2fw -s 10.2.5.11 -p udp -m udp --dport 161:162 -j ACCEPT 
+-A net2fw -s 10.2.5.10 -p tcp -m tcp --dport 161 -j ACCEPT 
+-A net2fw -s 10.2.5.11 -p tcp -m tcp --dport 161 -j ACCEPT 
+-A net2fw -j net2all 
+-A net2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2net -j Drop 
+-A net2net -j LOG --log-prefix "Shorewall:net2net:DROP:" --log-level 6 
+-A net2net -j DROP 
+-A reject -m pkttype --pkt-type broadcast -j DROP 
+-A reject -m pkttype --pkt-type multicast -j DROP 
+-A reject -s 10.2.10.255 -j DROP 
+-A reject -s 255.255.255.255 -j DROP 
+-A reject -s 224.0.0.0/240.0.0.0 -j DROP 
+-A reject -p tcp -j REJECT --reject-with tcp-reset 
+-A reject -p udp -j REJECT --reject-with icmp-port-unreachable 
+-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable 
+-A reject -j REJECT --reject-with icmp-host-prohibited 
+-A smurfs -s 10.2.10.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6 
+-A smurfs -s 10.2.10.255 -j DROP 
+-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" \
--log-level 6  +-A smurfs -s 255.255.255.255 -j DROP 
+-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" \
--log-level 6  +-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP 
+-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j \
logflags  +-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j \
logflags  +-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags 
+-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags 
+-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags 
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
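Review bot: `torrules` is a verbatim `iptables-save` dump of one Shorewall host and will not load on another machine as-is: `-m owner --uid-owner debian-tor` and `--uid-owner mail` in `fw2net` are resolved by name at load time, so `iptables-restore` rejects the whole file on a host without those users, and every interface match is pinned to `eth0`. It also carries that host's site-specific policy, none of which is about Tor: RADIUS (1812/1813) to 10.2.3.1 and 10.1.3.1, port 9999 to 10.2.9.1 and 86.59.21.35, SNMP from 10.2.5.10 and 10.2.5.11, SMTP to 10.2.4.1 as user `mail`, the broadcast address 10.2.10.255 in `reject` and `smurfs`, and `-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT`, which opens SSH to every source. The only Tor-related content is the loopback accept for 9050 and 8118 in `fw2fw` and the blanket `-A fw2net -p tcp -m owner --uid-owner debian-tor -j ACCEPT`; the `*nat` table holds LOG rules only, so nothing is redirected to Tor. Suggest either trimming the file to those Tor rules plus the port 53 rules that restrict DNS to root, with a comment documenting the uid and interface assumptions, or re-saving after cleaning the Shorewall config so the `--log-level 7` log-every-NEW-packet rules in `*mangle`, `*nat` and the filter chains, and the stale packet counters such as `[83389:68605019]`, go away.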

