iptables setting Question?

#1 posted 2005-08-01 01:41
Hi everyone,

My firewall has a problem; can anyone help me?
I accept squid reading port 80 from the internet.
But in my log file, I found some (not all) packets from source port 80, and iptables rejected them.
Why?
---------------------
RHEL3
[root@mail root]# rpm -q iptables
iptables-1.2.8-12
-----------------------

-------------------------------------
My iptables setting
---------------------------------------
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target     prot opt in     out     source               destination
1807K  150M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  40M 6735M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  839  278K ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:53
    6   240 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:1521
  929 40074 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:80
   32  1280 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:443
    0     0 REJECT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:67 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:68 reject-with icmp-port-unreachable
1680 67200 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 0 prefix `'FW-eth1''
1680 67200 REJECT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
-------------------------

----------------------------
[root@mail root]# dmesg
5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42195 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=61.172.201.224 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42183 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42194 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42193 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42192 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42191 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42125 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=TCP SPT=80 DPT=42017 WINDOW=0 RES=0x00 RST URGP=0
------------------
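An added triage script, not part of the thread: it parses the 'FW-eth1' LOG lines from the dmesg output above and groups the rejected packets by what their TCP flags say about connection state. A packet that reached the LOG rule on this host failed both the RELATED,ESTABLISHED rule and the "state NEW tcp spt:80" rule, so conntrack did not treat it as a tracked or new flow, and every rejected line in the post is a bare RST with WINDOW=0 to a high port, i.e. a reset for a flow the firewall no longer tracks. The sample log reuses the post's addresses; its third line is constructed, and the verdict labels are my own.

```python
from collections import Counter

# Constructed sample in the netfilter LOG format of the OP's dmesg output; the
# 'FW-eth1' prefix is glued to IN= because --log-prefix has no trailing space.
# Line 3 is a constructed data segment; line 4 mimics the truncated first dmesg line.
SAMPLE_LOG = """\
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=61.172.201.224 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42183 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42194 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=80 DPT=42190 WINDOW=5840 RES=0x00 ACK PSH URGP=0
5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42195 WINDOW=0 RES=0x00 RST URGP=0
"""

# Bare (valueless) tokens the LOG target emits: TCP flags plus IP DF/MF/CE.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR", "DF", "MF", "CE"}

def parse_log_line(line):
    """Return {KEY: value, ..., 'PREFIX': str, 'FLAGS': set}, or None when the
    line lacks the IN= marker (e.g. the truncated first dmesg line in the post)."""
    prefix, marker, rest = line.partition("IN=")
    if not marker:
        return None
    rec = {"PREFIX": prefix.strip("'"), "FLAGS": set()}
    for tok in (marker + rest).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in FLAG_TOKENS:
            rec["FLAGS"].add(tok)
    return rec

def classify(rec):
    """Why the packet reached the catch-all LOG/REJECT: it already failed the
    RELATED,ESTABLISHED rule, so conntrack has no flow for it. Only a SYN can
    legitimately start one; a bare RST is a reset for a flow no longer tracked."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "RST" in flags and "SYN" not in flags:
        return "stray-rst"            # every rejected line in the post
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"   # the only case a 'state NEW' rule is for
    return "untracked-mid-stream"     # data/ACK for a flow conntrack has expired

def summarize(log_text):
    """Count logged packets by (verdict, SRC, SPT) so repeating patterns stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(classify(rec), rec["SRC"], rec["SPT"])] += 1
    return counts
```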

#2 posted 2005-08-01 08:47

Could you post your iptables-save output?

#3 posted 2005-08-01 23:57

[root@www root]# iptables-save
# Generated by iptables-save v1.2.8 on Mon Aug  1 23:53:15 2005
*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [181689]
:RH-Firewall-1-INPUT - [0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 61.84.87.244 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.108.237.11 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.139.126.80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.185.220.46 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.210.182.160 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.108.245.135 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.25.10.66 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 81.192.37.130 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.245.176.88 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.114.87 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.144.162.7 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.105.35 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.104.243 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.93.138 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 81.91.34.170 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.237.20.73 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 210.0.213.20 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.75.79.237 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.160.145 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.233.75.9 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.138.184.213 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.167.43 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.239.32.170 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 220.130.45.134 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 222.96.154.133 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.73.102.250 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.52.240.60 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 128.134.225.139 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.157.121.37 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.233.38.80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.211.239.115 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.185.208.82 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.159.226 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.59.169.115 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.106.169.125 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.219.146.55 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.125.74.155 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 209.97.205.125 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.91.191.144 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.155.23.123 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 123.23.155.211 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 72.3.136.68 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.128.186.203 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.122.53.70 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.188.72 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 210.118.64.140 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.61.144.74 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.151.243.217 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.144.39 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.153.19.13 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 222.90.206.62 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.129.50.90 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.58.220.134 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.75.120.146 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.108.163 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.218.185.123 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.22.121.5 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1434 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4899 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4899 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1026 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1027 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1027 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1026 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1433 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 135 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -j LOG --log-prefix "'FW'" --log-level 0
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Aug  1 23:53:15 2005
[root@www root]#

#4 posted 2005-08-02 01:06

-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT

What type is icmp-type 255? I can't find it anywhere; could someone explain?

#5 posted 2005-08-03 12:02

#6 posted 2005-08-03 12:08

Originally posted by "bingosek":

What type is icmp-type 255? I can't find it anywhere; could someone explain?

It stands for all ICMP types.

#7 posted 2005-08-04 18:13

#8 posted 2005-08-04 18:15

Looking at your script, I can't see a problem; port 80 is allowed.

#9 posted 2005-08-08 21:57

d