Optimized iptables Firewall from Chapter 5

Previous page
Table of content
Next page

For most systems on DSL, cable modem, and lower-speed leased line connections, the chances are good that the Linux network code can handle packets faster than the network connection can. Particularly because firewall rules are order-dependent and difficult to construct, organizing the rules for readability is probably a bigger win than organizing for speed.

In addition to general rule ordering, iptables supports user-defined rule lists, or chains, that you can use to optimize your firewall rules. Passing a packet from one chain to another based on values in the packet header provides a means to selectively test the packet against a subset of the INPUT, OUTPUT, or FORWARD rules rather than testing the packet against every rule in the list until a match is found.

Based on these particular scripts, an input packet from an NTP time server must be tested against numerous input rules in the unoptimized firewall script before the packet matches its ACCEPT rule. Using user-defined chains to optimize the firewall, the same input packet is tested against far fewer rules before matching its ACCEPT rule. With the addition of connection state tracking, the same input packet is tested against only a handful rules before matching its ACCEPT rule.

With user-defined chains, rules are used to pass packets between chains, as well as to define under what conditions the packet is accepted or dropped. If a packet doesn't match any rule in the user-defined chain, control returns to the calling chain. If the packet doesn't match a top-level chain-selection rule, the packet isn't passed to that chain for testing against the chain's rules. The packet is simply tested against the next chain selection rule.

Following is the Chapter 5 firewall script, optimized with user-defined chains:

 #!/bin/sh /sbin/modprobe ip_conntrack_ftp CONNECTION_TRACKING="1" ACCEPT_AUTH="0" DHCP_CLIENT="0" IPT="/sbin/iptables"                 # Location of iptables on your system INTERNET="eth0"                      # Internet-connected interface LOOPBACK_INTERFACE="lo"              # however your system names it IPADDR="my.ip.address"               # your IP address SUBNET_BASE="network.address"        # ISP network segment base address SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address MY_ISP="my.isp.address.range"        # ISP server & NOC address range NAMESERVER_1="isp.name.server.1"     # address of a remote name server NAMESERVER_2="isp.name.server.2"     # address of a remote name server NAMESERVER_3="isp.name.server.3"     # address of a remote name server POP_SERVER="isp.pop.server"          # address of a remote pop server MAIL_SERVER="isp.mail.server"        # address of a remote mail gateway NEWS_SERVER="isp.news.server"        # address of a remote news server TIME_SERVER="some.timne.server"      # address of a remote time server DHCP_SERVER="isp.dhcp.server"        # address of your ISP dhcp server SSH_CLIENT="some.ssh.client" LOOPBACK="127.0.0.0/8"               # reserved loopback address range CLASS_A="10.0.0.0/8"                 # Class A private networks CLASS_B="172.16.0.0/12"              # Class B private networks CLASS_C="192.168.0.0/16"             # Class C private networks CLASS_D_MULTICAST="224.0.0.0/4"      # Class D multicast addresses CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E reserved addresses BROADCAST_src="/books/3/251/1/html/2/0.0.0.0"              # broadcast source address BROADCAST_DEST="255.255.255.255"     # broadcast destination address PRIVPORTS="0:1023"                   # well-known, privileged port range UNPRIVPORTS="1024:65535"             # unprivileged port range NFS_PORT="2049" LOCKD_PORT="4045" SOCKS_PORT="1080" OPENWINDOWS_PORT="2000" XWINDOW_PORTS="6000:6063" SQUID_PORT="3128" # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" USER_CHAINS="EXT-input                  EXT-output \              tcp-state-flags            connection-tracking  \              source-address-check       destination-address-check  \              local-dns-server-query     remote-dns-server-response  \              local-tcp-client-request   remote-tcp-server-response \              remote-tcp-client-request  local-tcp-server-response \              local-udp-client-request   remote-udp-server-response \              local-dhcp-client-query    remote-dhcp-server-response \              EXT-icmp-out               EXT-icmp-in \              EXT-log-in                 EXT-log-out \              log-tcp-state" ############################################################### # Enable broadcast echo Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do     echo 0 > $f done # Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do     echo 0 > $f done # Don't send Redirect Messages for f in /proc/sys/net/ipv4/conf/*/send_redirects; do     echo 0 > $f done # Drop Spoofed Packets coming in on an interface, which, if replied to, # would result in the reply going out a different interface. for f in /proc/sys/net/ipv4/conf/*/rp_filter; do     echo 1 > $f done # Log packets with impossible addresses. for f in /proc/sys/net/ipv4/conf/*/log_martians; do     echo 1 > $f done ############################################################### # Remove any existing rules from all chains $IPT --flush $IPT -t nat --flush $IPT -t mangle --flush $IPT -X $IPT -t nat -X $IPT -t mangle -X $IPT --policy INPUT   ACCEPT $IPT --policy OUTPUT  ACCEPT $IPT --policy FORWARD ACCEPT $IPT -t nat --policy PREROUTING  ACCEPT $IPT -t nat --policy OUTPUT ACCEPT $IPT -t nat --policy POSTROUTING ACCEPT $IPT -t mangle --policy PREROUTING ACCEPT $IPT -t mangle --policy OUTPUT ACCEPT if [ "$1" = "stop" ] then echo "Firewall completely stopped!  WARNING: THIS HOST HAS NO FIREWALL RUNNING." exit 0  fi # Unlimited traffic on the loopback interface $IPT -A INPUT  -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Set the default policy to drop $IPT --policy INPUT DROP $IPT --policy OUTPUT DROP $IPT --policy FORWARD DROP $IPT -t nat --policy PREROUTING DROP $IPT -t nat --policy OUTPUT DROP $IPT -t nat --policy POSTROUTING DROP $IPT -t mangle --policy PREROUTING DROPT $IPT -t mangle --policy OUTPUT DROP # Create the user-defined chains for i in $USER_CHAINS; do     $IPT -N $i done ############################################################### # DNS Caching Name Server (query to remote, primary server) $IPT -A EXT-output -p udp --sport 53 --dport 53 \          -j local-dns-server-query $IPT -A EXT-input -p udp --sport 53 --dport 53 \          -j remote-dns-server-response # DNS Caching Name Server (query to remote server over TCP) $IPT -A EXT-output -p tcp \          --sport $UNPRIVPORTS --dport 53 \          -j local-dns-server-query $IPT -A EXT-input -p tcp ! --syn \          --sport 53 --dport $UNPRIVPORTS \          -j remote-dns-server-response ############################################################### # DNS Forwarding Name Server or client requests if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-dns-server-query \              -d $NAMESERVER_1 \              -m state --state NEW -j ACCEPT     $IPT -A local-dns-server-query \              -d $NAMESERVER_2 \              -m state --state NEW -j ACCEPT     $IPT -A local-dns-server-query \              -d $NAMESERVER_3 \              -m state --state NEW -j ACCEPT fi  $IPT -A local-dns-server-query \          -d $NAMESERVER_1 -j ACCEPT $IPT -A local-dns-server-query \          -d $NAMESERVER_2 -j ACCEPT $IPT -A local-dns-server-query \          -d $NAMESERVER_3 -j ACCEPT # DNS server responses to local requests $IPT -A remote-dns-server-response \          -s $NAMESERVER_1 -j ACCEPT $IPT -A remote-dns-server-response \          -s $NAMESERVER_2 -j ACCEPT $IPT -A remote-dns-server-response \          -s $NAMESERVER_3 -j ACCEPT ############################################################### # Local TCP client, remote server $IPT -A EXT-output -p tcp \          --sport $UNPRIVPORTS \          -j local-tcp-client-request $IPT -A EXT-input -p tcp ! --syn \          --dport $UNPRIVPORTS \          -j remote-tcp-server-response ############################################################### # Local TCP client output and remote server input chains # SSH client if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              -d <selected host> --dport 22 \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          -d <selected host> --dport 22 \          -j ACCEPT $IPT -A remote-tcp-server-response -p tcp ! --syn \          -s <selected host> --sport 22  \          -j ACCEPT #............................................................... # Client rules for HTTP, HTTPS, AUTH, and FTP control requests if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              -m multiport --destination-port 80,443,21 \              --syn -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          -m multiport --destination-port 80,443,21 \          -j ACCEPT $IPT -A remote-tcp-server-response -p tcp \          -m multiport --source-port 80,443,21  ! --syn \          -j ACCEPT #............................................................... # POP client if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              -d $POP_SERVER --dport 110 \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          -d $POP_SERVER --dport 110 \          -j ACCEPT $IPT -A remote-tcp-server-response -p tcp ! --syn \          -s $POP_SERVER --sport 110  \          -j ACCEPT #............................................................... # SMTP mail client if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              -d $MAIL_SERVER --dport 25 \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          -d $MAIL_SERVER --dport 25 \          -j ACCEPT $IPT -A remote-tcp-server-response -p tcp ! --syn \          -s $MAIL_SERVER --sport 25  \          -j ACCEPT #............................................................... # Usenet news client if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              -d $NEWS_SERVER --dport 119 \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          -d $NEWS_SERVER --dport 119 \          -j ACCEPT $IPT -A remote-tcp-server-response -p tcp ! --syn \          -s $NEWS_SERVER --sport 119  \          -j ACCEPT #............................................................... # FTP client - passive mode data channel connection if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-tcp-client-request -p tcp \              --dport $UNPRIVPORTS \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-tcp-client-request -p tcp \          --dport $UNPRIVPORTS -j ACCEPT $IPT -A remote-tcp-server-response -p tcp  ! --syn \          --sport $UNPRIVPORTS -j ACCEPT ############################################################### # Local TCP server, remote client $IPT -A EXT-input -p tcp \          --sport $UNPRIVPORTS \          -j remote-tcp-client-request $IPT -A EXT-output -p tcp ! --syn \          --dport $UNPRIVPORTS \          -j local-tcp-server-response # Kludge for incoming FTP data channel connections # from remote servers using port mode. # The state modules treat this connection as RELATED # if the ip_conntrack_ftp module is loaded.   $IPT -A EXT-input -p tcp \          --sport 20 --dport $UNPRIVPORTS \          -j ACCEPT $IPT -A EXT-output -p tcp ! --syn \          --sport $UNPRIVPORTS --dport 20 \          -j ACCEPT ############################################################### # Remote TCP client input and local server output chains # SSH server if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A remote-tcp-client-request -p tcp \              -s <selected host> --destination-port 22 \              -m state --state NEW \              -j ACCEPT fi $IPT -A remote-tcp-client-request -p tcp \          -s <selected host> --destination-port 22 \          -j ACCEPT $IPT -A local-tcp-server-response -p tcp  ! --syn \          --source-port 22 -d <selected host> \          -j ACCEPT #............................................................... # AUTH identd server if [ "$ACCEPT_AUTH" = "0" ]; then     $IPT -A remote-tcp-client-request -p tcp \          --destination-port 113 \          -j REJECT --reject-with tcp-reset else     $IPT -A remote-tcp-client-request -p tcp \              --destination-port 113 \              -j ACCEPT     $IPT -A local-tcp-server-response -p tcp  ! --syn \              --source-port 113 \              -j ACCEPT fi ############################################################### # Local UDP client, remote server $IPT -A EXT-output -p udp \          --sport $UNPRIVPORTS \          -j local-udp-client-request $IPT -A EXT-input -p udp \          --dport $UNPRIVPORTS \          -j remote-udp-server-response ############################################################### # NTP time client if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A local-udp-client-request -p udp \              -d $TIME_SERVER --dport 123 \              -m state --state NEW \              -j ACCEPT fi $IPT -A local-udp-client-request -p udp \          -d $TIME_SERVER --dport 123 \          -j ACCEPT $IPT -A remote-udp-server-response -p udp \          -s $TIME_SERVER --sport 123 \          -j ACCEPT ############################################################### # ICMP $IPT -A EXT-input -p icmp -j EXT-icmp-in $IPT -A EXT-output -p icmp -j EXT-icmp-out ############################################################### # ICMP traffic # Log and drop initial ICMP fragments $IPT -A EXT-icmp-in --fragment -j LOG \          --log-prefix "Fragmented incoming ICMP: " $IPT -A EXT-icmp-in --fragment -j DROP $IPT -A EXT-icmp-out --fragment -j LOG \          --log-prefix "Fragmented outgoing ICMP: " $IPT -A EXT-icmp-out --fragment -j DROP # Outgoing ping if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A EXT-icmp-out -p icmp \              --icmp-type echo-request \              -m state --state NEW \              -j ACCEPT fi $IPT -A EXT-icmp-out -p icmp \          --icmp-type echo-request -j ACCEPT $IPT -A EXT-icmp-in -p icmp \          --icmp-type echo-reply -j ACCEPT # Incoming ping if [ "$CONNECTION_TRACKING" = "1" ]; then     $IPT -A EXT-icmp-in -p icmp \              -s $MY_ISP  \              --icmp-type echo-request \              -m state --state NEW \              -j ACCEPT fi $IPT -A EXT-icmp-in -p icmp \          --icmp-type echo-request \          -s $MY_ISP -j ACCEPT $IPT -A EXT-icmp-out -p icmp \          --icmp-type echo-reply \          -d $MY_ISP -j ACCEPT # Destination Unreachable Type 3 $IPT -A EXT-icmp-out -p icmp \          --icmp-type fragmentation-needed -j ACCEPT $IPT -A EXT-icmp-in -p icmp \          --icmp-type destination-unreachable -j ACCEPT # Parameter Problem $IPT -A EXT-icmp-out -p icmp \          --icmp-type parameter-problem -j ACCEPT $IPT -A EXT-icmp-in -p icmp \          --icmp-type parameter-problem -j ACCEPT # Time Exceeded $IPT -A EXT-icmp-in -p icmp \          --icmp-type time-exceeded -j ACCEPT # Source Quench  $IPT -A EXT-icmp-out -p icmp \          --icmp-type source-quench -j ACCEPT ############################################################### # TCP State Flags # All of the bits are cleared $IPT -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state # SYN and FIN are both set $IPT -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state # SYN and RST are both set $IPT -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state # FIN and RST are both set $IPT -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state # FIN is the only bit set, without the expected accompanying ACK $IPT -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state # PSH is the only bit set, without the expected accompanying ACK $IPT -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state # URG is the only bit set, without the expected accompanying ACK $IPT -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state ############################################################### # Log and drop TCP packets with bad state combinations $IPT -A log-tcp-state -p tcp -j LOG \          --log-prefix "Illegal TCP state: " \          --log-ip-options --log-tcp-options $IPT -A log-tcp-state -j DROP ############################################################### # By-pass rule checking for ESTABLISHED exchanges if [ "$CONNECTION_TRACKING" = "1" ]; then     # By-pass the firewall filters for established exchanges     $IPT -A connection-tracking -m state \              --state ESTABLISHED,RELATED \              -j ACCEPT     $IPT -A connection-tracking -m state --state INVALID \              -j LOG --log-prefix "INVALID packet: "     $IPT -A connection-tracking -m state --state INVALID -j DROP fi ############################################################### # DHCP traffic # Some broadcast packets are explicitly ignored by the firewall. # Others are dropped by the default policy. # DHCP tests must precede broadcast-related rules, as DHCP relies # on broadcast traffic initially. if [ "$DHCP_CLIENT" = "1" ]; then     # Initialization or rebinding: No lease or Lease time expired.     $IPT -A local-dhcp-client-query \              -s $BROADCAST_SRC \              -d $BROADCAST_DEST -j ACCEPT     # Incoming DHCPOFFER from available DHCP servers     $IPT -A remote-dhcp-server-response \              -s $BROADCAST_SRC \              -d $BROADCAST_DEST -j ACCEPT     # Fall back to initialization     # The client knows its server, but has either lost its lease,     # or else needs to reconfirm the IP address after rebooting.     $IPT -A local-dhcp-client-query \                  -s $BROADCAST_SRC \                  -d $DHCP_SERVER -j ACCEPT     $IPT -A remote-dhcp-server-response \              -s $DHCP_SERVER \              -d $BROADCAST_DEST -j ACCEPT     # As a result of the above, we're supposed to change our IP     # address with this message, which is addressed to our new     # address before the dhcp client has received the update.     # Depending on the server implementation, the destination address     # can be the new IP address, the subnet address, or the limited     # broadcast address.     # If the network subnet address is used as the destination,     # the next rule must allow incoming packets destined to the     # subnet address, and the rule must precede any general rules     # that block such incoming broadcast packets.     $IPT -A remote-dhcp-server-response \              -s $DHCP_SERVER -j ACCEPT     # Lease renewal     $IPT -A local-dhcp-client-query \              -s $IPADDR \              -d $DHCP_SERVER -j ACCEPT fi ############################################################### # Source Address Spoof Checks # Drop packets pretending to be originating from the receiving interface $IPT -A source-address-check -s $IPADDR -j DROP # Refuse packets claiming to be from private networks $IPT -A source-address-check -s $CLASS_A -j DROP $IPT -A source-address-check -s $CLASS_B -j DROP $IPT -A source-address-check -s $CLASS_C -j DROP $IPT -A source-address-check -s $CLASS_D_MULTICAST -j DROP $IPT -A source-address-check -s $CLASS_E_RESERVED_NET -j DROP $IPT -A source-address-check -s $LOOPBACK  -j DROP $IPT -A source-address-check -s 0.0.0.0/8 -j DROP $IPT -A source-address-check -s 169.254.0.0/16 -j DROP $IPT -A source-address-check -s 192.0.2.0/24 -j DROP ############################################################### # Bad Destination Address and Port Checks # Block directed broadcasts from the Internet $IPT -A destination-address-check -d $BROADCAST_DEST -j DROP $IPT -A destination-address-check -d $SUBNET_BASE -j DROP $IPT -A destination-address-check -d $SUBNET_BROADCAST -j DROP $IPT -A destination-address-check -p ! udp \          -d $CLASS_D_MULTICAST -j DROP # Avoid ports subject to protocol and system administration problems # TCP unprivileged ports # Deny connection requests to NFS, SOCKS, and X Window ports $IPT -A destination-address-check -p tcp -m multiport \          --destination-port $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \          --syn -j DROP $IPT -A destination-address-check -p tcp --syn \          --destination-port $XWINDOW_PORTS -j DROP # UDP unprivileged ports # Deny connection requests to NFS and lockd ports $IPT -A destination-address-check -p udp -m multiport \          --destination-port $NFS_PORT,$LOCKD_PORT -j DROP ############################################################### # Logging Rules Prior to Dropping by the Default Policy # ICMP rules $IPT -A EXT-log-in -p icmp \          --icmp-type ! echo-request -m limit -j LOG # TCP rules $IPT -A EXT-log-in -p tcp \          --dport 0:19 -j LOG # skip ftp, telnet, ssh $IPT -A EXT-log-in -p tcp \          --dport 24 -j LOG # skip smtp $IPT -A EXT-log-in -p tcp \          --dport 26:78 -j LOG # skip finger, www $IPT -A EXT-log-in -p tcp \          --dport 81:109 -j LOG # skip pop-3, sunrpc $IPT -A EXT-log-in -p tcp \          --dport 112:136 -j LOG # skip NetBIOS $IPT -A EXT-log-in -p tcp \          --dport 140:142 -j LOG # skip imap $IPT -A EXT-log-in -p tcp \          --dport 144:442 -j LOG # skip secure_web/SSL $IPT -A EXT-log-in -p tcp \          --dport 444:65535 -j LOG #UDP rules $IPT -A EXT-log-in -p udp \          --dport 0:110 -j LOG # skip sunrpc $IPT -A EXT-log-in -p udp \          --dport 112:160 -j LOG # skip snmp $IPT -A EXT-log-in -p udp \          --dport 163:634 -j LOG   # skip NFS mountd $IPT -A EXT-log-in -p udp \          --dport 636:5631 -j LOG # skip pcAnywhere $IPT -A EXT-log-in -p udp \          --dport 5633:31336 -j LOG # skip traceroute's default ports $IPT -A EXT-log-in -p udp \          --sport $TRACEROUTE_SRC_PORTS \          --dport $TRACEROUTE_DEST_PORTS -j LOG # skip the rest $IPT -A EXT-log-in -p udp \          --dport 33434:65535 -j LOG # Outgoing Packets # Don't log rejected outgoing ICMP destination-unreachable packets $IPT -A EXT-log-out -p icmp \          --icmp-type destination-unreachable -j DROP $IPT -A EXT-log-out -j LOG ############################################################### # Install the User-defined Chains on the built-in # INPUT and OUTPUT chains # If TCP: Check for common stealth scan TCP state patterns $IPT -A INPUT  -p tcp -j tcp-state-flags $IPT -A OUTPUT -p tcp -j tcp-state-flags if [ "$CONNECTION_TRACKING" = "1" ]; then     # By-pass the firewall filters for established exchanges     $IPT -A INPUT  -j connection-tracking     $IPT -A OUTPUT -j connection-tracking fi if [ "$DHCP_CLIENT" = "1" ]; then     $IPT -A INPUT  -i $INTERNET -p udp \              --sport 67 --dport 68 -j remote-dhcp-server-response     $IPT -A OUTPUT -o $INTERNET -p udp \              --sport 68 --dport 67 -j local-dhcp-client-query fi # Test for illegal source and destination addresses in incoming packets $IPT -A INPUT  -p ! tcp -j source-address-check $IPT -A INPUT  -p tcp --syn -j source-address-check $IPT -A INPUT  -j destination-address-check # Test for illegal destination addresses in outgoing packets $IPT -A OUTPUT -j destination-address-check # Begin standard firewall tests for packets addressed to this host $IPT -A INPUT -i $INTERNET -d $IPADDR -j EXT-input # Multicast traffic $IPT -A INPUT  -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j [ DROP | ACCEPT ] $IPT -A OUTPUT -o $INTERNET -p udp -s $IPADDR -d $CLASS_D_MULTICAST \_ -j [ DROP | ACCEPT ] # Begin standard firewall tests for packets sent from this host # Source address spoofing by this host is not allowed due to the # test on source address in this rule. $IPT -A OUTPUT -o $INTERNET -s $IPADDR -j EXT-output # Log anything of interest that fell through, # before the default policy drops the packet. $IPT -A INPUT  -j EXT-log-in $IPT -A OUTPUT -j EXT-log-out exit 0



Previous page
Table of content
Next page
Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
EAN: 2147483647
Year: 2005
Pages: 163
Authors: Michael Rash
BUY ON AMAZON
Systematic Software Testing (Artech House Computer Library)
Google Maps Hacks: Tips & Tools for Geographic Searching and Remixing
Twisted Network Programming Essentials
Java Concurrency in Practice
DNS & BIND Cookbook
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy