[linux-l] RE: [linux-l] Problem: mail from a foreign system sent via my server

Manuel Tennert webmaster at german-sound.de
Sat Sep 24 11:38:32 CEST 2005


Hi there,

linux-l-admin at mlists.in-berlin.de's keyboard clatter on :

[...]
> [I've repaired the log file excerpt...]
> 
>> Sep 24 04:14:53 h615145 postfix/smtpd[10748]: connect from
>> ip-30.net-82-216-145.rev.numericable.fr[82.216.145.30]
>> Sep 24 04:15:20 h615145 postfix/smtpd[10748]: A8134CC102:
>> client=ip-30.net-82-216-145.rev.numericable.fr[82.216.145.30]
>> Sep 24 04:15:55 h615145 postfix/cleanup[10783]: A8134CC102:
>> message-id=<1064034991.2771 at bluefrognet.net>
>> Sep 24 04:16:06 h615145 postfix/qmgr[10715]: A8134CC102:
>> from=<fous at freiha.com>, size=16105, nrcpt=1 (queue active)
>> Sep 24 04:16:06 h615145 postfix/local[10843]: A8134CC102:
>> to=<web1p7 at h615145.serverkompetenz.net>,
>> orig_to=<fussball at lokelstal.de>, relay=local, delay=46, status=sent
>> (mailbox)
>> Sep 24 04:16:12 h615145 postfix/smtpd[10748]: disconnect
>> from ip-30.net-82-216-145.rev.numericable.fr[82.216.145.30]
> 
> 82.216.145.30 has just dropped off a mail at your machine. Your
> machine apparently considers itself responsible for
> fussball at lokelstal.de and delivered the mail to
> web1p7 at h615145.serverkompetenz.net.
> 
> If your machine is not responsible for lokelstal.de, then that
> is already misconfigured. (Catch-all to web1p7?)

Yes, the machine is responsible for that domain as well, but I deliberately left out a catch-all account.
 
>> Can someone please tell me what the connect from
>> ip-30.net-82-216-145.rev.numericable.fr means, and this log file
>> in general? The firewall on the server is enabled, and I have
>> only opened port 21, so I don't understand how something like this
>> could happen. What can I do?
> 
> Since the mail came in via smtpd, your firewall is
> apparently misconfigured (or not active at all). You can
> query the currently active rule set as root with
> 'iptables-save'...

Well, I used the firewall that I can configure through yast, and it does get started, at least that is what is reported. I ran the command once and got the following result:

# Generated by iptables-save v1.2.8 on Sat Sep 24 11:27:46 2005
*mangle
:PREROUTING ACCEPT [5086068:1261920060]
:INPUT ACCEPT [5086068:1261920060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7942018:9330794752]
:POSTROUTING ACCEPT [7942018:9330794752]
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08 
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10 
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04 
-A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04 
COMMIT
# Completed on Sat Sep 24 11:27:46 2005
# Generated by iptables-save v1.2.8 on Sat Sep 24 11:27:46 2005
*nat
:PREROUTING ACCEPT [266292:50330601]
:POSTROUTING ACCEPT [23853:1581214]
:OUTPUT ACCEPT [23840:1580694]
COMMIT
# Completed on Sat Sep 24 11:27:46 2005
# Generated by iptables-save v1.2.8 on Sat Sep 24 11:27:46 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_dmz - [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_dmz - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options 
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options 
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP 
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP 
-A INPUT -s 81.169.143.119 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options 
-A INPUT -s 81.169.143.119 -j DROP 
-A INPUT -d 81.169.143.119 -i eth0 -j input_ext 
-A INPUT -d 81.169.143.119 -i eth0 -j DROP 
-A INPUT -d 255.255.255.255 -i eth0 -j DROP 
-A INPUT -j LOG --log-prefix "SuSE-FW-ILLEGAL-TARGET " --log-tcp-options --log-ip-options 
-A INPUT -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-TRACEROUTE-ATTEMPT " --log-tcp-options --log-ip-options 
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -j LOG --log-prefix "SuSE-FW-OUTPUT-ERROR " --log-tcp-options --log-ip-options 
-A input_dmz -s 81.169.143.119 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF-idmz " --log-tcp-options --log-ip-options 
-A input_dmz -s 81.169.143.119 -j DROP 
-A input_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-ACCEPT-PING " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 0 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 3 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 12 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 14 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_dmz -p icmp -m icmp --icmp-type 18 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_dmz -p icmp -j LOG --log-prefix "SuSE-FW-DROP-ICMP " --log-tcp-options --log-ip-options 
-A input_dmz -p icmp -j DROP 
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-REJECT " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func 
-A input_dmz -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT 
-A input_dmz -p tcp -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_dmz -p tcp -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_dmz -s 81.169.163.106 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -s 81.169.163.106 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_dmz -s 81.169.163.104 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -s 81.169.163.104 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_dmz -p udp -m udp --dport 21 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 21 -j DROP 
-A input_dmz -p udp -m udp --dport 22 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 22 -j DROP 
-A input_dmz -p udp -m udp --dport 25 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 25 -j DROP 
-A input_dmz -p udp -m udp --dport 53 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 53 -j DROP 
-A input_dmz -p udp -m udp --dport 53 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 53 -j DROP 
-A input_dmz -p udp -m udp --dport 68 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 68 -j DROP 
-A input_dmz -p udp -m udp --dport 80 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 80 -j DROP 
-A input_dmz -p udp -m udp --dport 110 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 110 -j DROP 
-A input_dmz -p udp -m udp --dport 111 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 111 -j DROP 
-A input_dmz -p udp -m udp --dport 111 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 111 -j DROP 
-A input_dmz -p udp -m udp --dport 443 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 443 -j DROP 
-A input_dmz -p udp -m udp --dport 3306 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m udp --dport 3306 -j DROP 
-A input_dmz -p udp -m udp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_dmz -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT 
-A input_dmz -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options 
-A input_dmz -j DROP 
-A input_ext -s 81.169.143.119 -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-ACCEPT-SOURCEQUENCH " --log-tcp-options --log-ip-options 
-A input_ext -s 81.169.143.119 -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-ACCEPT-PING " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 0 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 3 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 12 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 14 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 18 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_ext -p icmp -j LOG --log-prefix "SuSE-FW-DROP-ICMP " --log-tcp-options --log-ip-options 
-A input_ext -p icmp -j DROP 
-A input_ext -p tcp -m tcp --dport 21 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 80 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 443 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 143 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 143 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 993 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 993 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 110 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 110 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 995 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 995 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 25 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 25 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 22 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-REJECT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func 
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j DROP 
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_ext -p tcp -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_ext -s 81.169.163.106 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -s 81.169.163.106 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_ext -s 81.169.163.104 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -s 81.169.163.104 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_ext -p udp -m udp --dport 22 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 22 -j DROP 
-A input_ext -p udp -m udp --dport 25 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 25 -j DROP 
-A input_ext -p udp -m udp --dport 53 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 53 -j DROP 
-A input_ext -p udp -m udp --dport 53 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 53 -j DROP 
-A input_ext -p udp -m udp --dport 53 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 53 -j DROP 
-A input_ext -p udp -m udp --dport 68 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 68 -j DROP 
-A input_ext -p udp -m udp --dport 80 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 80 -j DROP 
-A input_ext -p udp -m udp --dport 110 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 110 -j DROP 
-A input_ext -p udp -m udp --dport 111 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 111 -j DROP 
-A input_ext -p udp -m udp --dport 111 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 111 -j DROP 
-A input_ext -p udp -m udp --dport 443 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 443 -j DROP 
-A input_ext -p udp -m udp --dport 3306 -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m udp --dport 3306 -j DROP 
-A input_ext -p udp -m udp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_ext -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT 
-A input_ext -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options 
-A input_ext -j DROP 
-A input_int -s 81.169.143.119 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF-iint " --log-tcp-options --log-ip-options 
-A input_int -s 81.169.143.119 -j DROP 
-A input_int -j LOG --log-prefix "SuSE-FW-ACCEPT-ALL-INTERNAL " --log-tcp-options --log-ip-options 
-A input_int -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-ACCEPT-PING " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 0 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 3 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 12 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 14 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT 
-A input_int -p icmp -m icmp --icmp-type 18 -j LOG --log-prefix "SuSE-FW-ACCEPT-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT 
-A input_int -p icmp -j LOG --log-prefix "SuSE-FW-DROP-ICMP " --log-tcp-options --log-ip-options 
-A input_int -p icmp -j DROP 
-A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-REJECT " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func 
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT 
-A input_int -p tcp -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_int -p tcp -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A input_int -p udp -m udp --dport 32768 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 32768 -j ACCEPT 
-A input_int -p udp -m udp --dport 32769 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 32769 -j ACCEPT 
-A input_int -s 81.169.163.106 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -s 81.169.163.106 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_int -s 81.169.163.104 -p udp -m udp --sport 53 --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -s 81.169.163.104 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A input_int -p udp -m udp --dport 1024:65535 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options 
-A input_int -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT 
-A input_int -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options 
-A input_int -j DROP 
-A reject_func -p tcp -j REJECT --reject-with tcp-reset 
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable 
-A reject_func -j REJECT --reject-with icmp-proto-unreachable 
COMMIT
# Completed on Sat Sep 24 11:27:46 2005


I hope that wasn't too long... if I'm seeing this correctly, quite a few ports are closed after all ...!?


Regards, Manuel
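
Added example, not part of the original post: a first-match evaluator for the *filter rules of an iptables-save dump, reporting which rule decides the fate of a new inbound TCP connection to a given port. The sample rules are copied (abridged) from the input_ext and reject_func chains of the dump above; the function names are assumptions of this example, and only the match options that occur in the dump are modelled.

```python
import shlex

# Abridged copy of rules from the dump above (input_ext and reject_func chains).
SAMPLE = r'''
*filter
:INPUT DROP [0:0]
-A input_ext -p tcp -m tcp --dport 21 -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_ext -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
COMMIT
'''

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end rule traversal


def parse_rules(dump, table="filter"):
    """Return {chain: [token list per -A rule]} for one table of iptables-save output."""
    chains, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
        elif line.startswith("-A ") and current == table:
            tokens = shlex.split(line)  # keeps quoted --log-prefix values intact
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains


def _opt(rule, name):
    """Value that follows option `name` in a rule, or None if absent."""
    return rule[rule.index(name) + 1] if name in rule else None


def matches_new_tcp(rule, port):
    """True if `rule` matches the first SYN of a new TCP connection to `port`."""
    if _opt(rule, "-p") not in (None, "tcp", "all"):
        return False
    if "-s" in rule or "--sport" in rule:  # simplification: not an arbitrary remote client
        return False
    dport = _opt(rule, "--dport")
    if dport is not None:
        lo, _, hi = dport.partition(":")
        if not int(lo) <= port <= int(hi or lo):
            return False
    state = _opt(rule, "--state")
    if state is not None and "NEW" not in state.split(","):
        return False
    if "--tcp-flags" in rule:
        i = rule.index("--tcp-flags")
        mask, comp = set(rule[i + 1].split(",")), set(rule[i + 2].split(","))
        hit = (mask & {"SYN"}) == comp  # the packet carries only SYN
        if rule[i - 1] == "!":          # old-style negation, as written in the dump
            hit = not hit
        if not hit:
            return False
    return True


def verdict(chains, chain, port):
    """(target, chain, 1-based rule position) of the first terminating match, else None."""
    for pos, rule in enumerate(chains.get(chain, []), start=1):
        if not matches_new_tcp(rule, port):
            continue
        target = _opt(rule, "-j")
        if target in TERMINAL:
            return target, chain, pos
        if target in chains:  # jump into a user-defined chain; LOG and similar fall through
            result = verdict(chains, target, port)
            if result:
                return result
    return None


def open_tcp_ports(chains, chain, ports):
    """Ports from `ports` for which a new connection ends in ACCEPT."""
    return [p for p in ports if (verdict(chains, chain, p) or ("",))[0] == "ACCEPT"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for p in (21, 22, 25, 113, 3306, 8080):
        print(p, verdict(rules, "input_ext", p))
```

On a live host, pass the text printed by `iptables-save` to `parse_rules` and start at the chain that INPUT jumps to for the external interface (`input_ext` in the dump above).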