[Openswan Users]
foren titze
foren.titze at gmx.net
Tue Aug 30 14:30:25 CEST 2005
On Tuesday, 30 August 2005 13:16, Paul Wouters wrote:
> On Tue, 30 Aug 2005, foren titze wrote:
> > Then I tried to open the ports you gave me.
>
> Those are not ports but protocols, e.g. not "-p tcp --dport 50" but "-p 50".
3ast tmp # iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT INVALID '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:220
MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:500

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain MY_DROP (7 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `PORTSCAN DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain MY_REJECT (2 references)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT TCP '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT UDP '
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `DROP ICMP '
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `OUTPUT INVALID '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
I don't use AH. The kernel module ipt_esp is loaded.
But iptables is still dropping packets:
---
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28462 PROTO=ESP SPI=0x23d9d5aa
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28463 PROTO=ESP SPI=0x23d9d5aa
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28464 PROTO=ESP SPI=0x23d9d5aa
REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28465 PROTO=ESP SPI=0x23d9d5aa
---
Ben
>
> Paul
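The listing in the post already explains the `REJECT OTHER` log lines: in the INPUT chain the jump to MY_REJECT (a user chain whose last rule is a catch-all REJECT) is rule 15, and the `ACCEPT esp` and `ACCEPT udp dpt:500` rules come after it as rules 16 and 17, so no ESP or IKE packet ever reaches them. The script below is an added example for this thread, not code from the original post or from Openswan. It parses the filter-table `iptables -L -n` listing format, reports rules in a built-in chain that sit below a rule with no displayed match criteria whose target discards every packet (directly, or through a user chain that ends that way), and models the `iptables -D INPUT N` / `iptables -A INPUT -j MY_REJECT` reordering so the fix can be checked before it is applied. The embedded listing is constructed from the one above with the MY_DROP rules and the OUTPUT chain left out for brevity, so MY_REJECT is rule 7 there rather than 15; the source address stays masked as in the original, and all function and constant names are the example's own.

```python
"""Report iptables rules that an earlier catch-all discard makes unreachable.

Added example for this thread, not code from the original post or Openswan.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

Rule = Tuple[str, str, str, str, str, str]  # target, prot, opt, src, dst, rest
Chains = Dict[str, List[Rule]]
# Constructed from the thread's `iptables -L -n` listing: wrapped lines rejoined,
# address left masked, MY_DROP rules and OUTPUT omitted (so rule numbers differ).
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT INVALID '
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:500

Chain MY_REJECT (2 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
DROP       icmp --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
"""
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
DISCARD = {"DROP", "REJECT"}  # end traversal by discarding the packet
PASSTHROUGH = {"LOG"}         # never end traversal


def parse_listing(text: str) -> Chains:
    """Parse `iptables -L -n` output into {chain: [rules in listing order]}."""
    chains: Chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            f = line.split(None, 5)
            if len(f) >= 5:
                chains[current].append((f[0], f[1], f[2], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains


def is_catch_all(rule: Rule) -> bool:
    """No match criteria shown (REJECT's `reject-with` is a target option, not a
    match). Caveat: -L without -v hides -i/-o matches; confirm with `iptables -L -n -v`."""
    _, prot, _, src, dst, rest = rule
    rest = re.sub(r"reject-with \S+", "", rest).strip()
    return prot == "all" and src == "0.0.0.0/0" and dst == "0.0.0.0/0" and not rest


def discards_everything(target: str, chains: Chains, seen: FrozenSet[str] = frozenset()) -> bool:
    """No packet jumping to `target` ever continues in the caller: DROP/REJECT, or
    a user chain that reaches a catch-all discard with only discarding or logging
    rules above it (ACCEPT, RETURN or unknown targets above make this False)."""
    if target in DISCARD:
        return True
    if target not in chains or target in seen:
        return False
    for rule in chains[target]:
        if is_catch_all(rule) and discards_everything(rule[0], chains, seen | {target}):
            return True
        if rule[0] not in PASSTHROUGH and not discards_everything(rule[0], chains, seen | {target}):
            return False
    return False


def find_shadowed(chains: Chains) -> List[Tuple[str, int, str, int]]:
    """(chain, rule_no, rule, blocker_no) per rule of a built-in chain below a
    catch-all discard; rule_no matches --line-numbers. A bare ACCEPT (rule 3 here)
    is not a blocker: it may carry an interface match that -L -n does not show."""
    findings = []
    for chain in BUILTIN:
        blocker = None
        for no, rule in enumerate(chains.get(chain, []), start=1):
            if blocker is not None:
                text = " ".join(x for x in (rule[0], rule[1], rule[3], rule[4], rule[5].strip()) if x)
                findings.append((chain, no, text, blocker))
            elif is_catch_all(rule) and discards_everything(rule[0], chains):
                blocker = no
    return findings


def move_rule_to_end(chains: Chains, chain: str, rule_no: int) -> Chains:
    """Model `iptables -D CHAIN N` followed by re-appending that rule with `iptables -A`."""
    fixed = {name: list(rules) for name, rules in chains.items()}
    fixed[chain].append(fixed[chain].pop(rule_no - 1))
    return fixed


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for chain, no, text, blocker in find_shadowed(parsed):
        print(f"{chain} rule {no} is never reached (blocked by rule {blocker}): {text}")
    print("after moving INPUT rule 7 last:", find_shadowed(move_rule_to_end(parsed, "INPUT", 7)))
```

On the embedded listing it reports INPUT rules 8 (`ACCEPT esp`) and 9 (`ACCEPT udp dpt:500`) as blocked by rule 7, and reports nothing once rule 7 is moved last; to check a live box, feed the output of `iptables -L -n` to `parse_listing` instead of `LISTING`. The fix is the same reordering in the firewall script these rules come from: the jump to MY_REJECT has to be the last rule of INPUT, with the ESP and UDP/500 accepts above it (the `REJECT OTHER` lines in the post show the packets as `PROTO=ESP`, exactly the traffic the `ACCEPT esp` rule was meant to let in). Because `-L` without `-v` does not display `-i`/`-o` matches, confirm a finding with `iptables -L -n -v` or `iptables-save` before changing a rule set; for this thread the log lines already confirm it.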