[Help] iptables setting question

qishudj (original post, 2009-05-01)
Hi everyone

My firewall has some problem, can anyone help me?
I accept Squid reading port 80 from the internet,
but in my log file I found some (not all) packets from source port 80 and iptables rejects them.
Why?

-------------------
RHEL3
[root@mail root]# rpm -q iptables
iptables-1.2.8-12
-------------------

-------------------
My iptables setting:
-------------------
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
1807K  150M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  40M 6735M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  839  278K ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:53
    6   240 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:1521
  929 40074 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:80
   32  1280 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp spt:443
    0     0 REJECT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:67 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:68 reject-with icmp-port-unreachable
 1680 67200 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 0 prefix `'FW-eth1''
 1680 67200 REJECT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
-------------------

-------------------
[root@mail root]# dmesg
5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42195 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=61.172.201.224 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42183 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42194 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42193 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42192 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42191 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42125 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=TCP SPT=80 DPT=42017 WINDOW=0 RES=0x00 RST URGP=0
-------------------

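The dmesg lines in the post above all have the same shape: LEN=40 (a bare TCP header), WINDOW=0, and RST as the only flag, sent from port 80 on a web server to a high port on 192.168.1.5. They are most likely late resets for connections that Squid's side had already closed, so conntrack no longer holds an entry for them. The Python script below is an added example, not code from the thread: it parses those log lines, classifies each packet the way the Linux conntrack TCP state table treats a packet with no existing entry (a lone SYN opens a NEW connection, a bare RST is INVALID, sNO + rst -> sIV in nf_conntrack_proto_tcp.c), and replays it through a model of the posted RH-Firewall-1-INPUT chain, where it matches neither RELATED,ESTABLISHED nor any of the "state NEW" rules and falls through to LOG and REJECT. The model is a simplification: loose pick-up of mid-stream ACKs is not modelled, the assumption that the poster's RHEL3 kernel tracks the same way is marked in the code, and the hardened chain, the 203.0.113.7 attacker address and the 40000 client port are invented for the demonstration. It also shows the caveat the spt:80 rule carries: Squid's replies are already accepted by RELATED,ESTABLISHED, while "state NEW tcp spt:80" accepts a SYN to any local port from anyone who sets their source port to 80.

```python
"""Added example, not from the thread: replay the poster's logged packets through
a model of the posted RH-Firewall-1-INPUT chain and show what 'spt:80' lets in."""
import re

# Three LOG lines copied from the original post (dmesg, prefix 'FW-eth1').
LOG_LINES = """\
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=61.172.201.224 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42183 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.91 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42194 WINDOW=0 RES=0x00 RST URGP=0
'FW-eth1'IN=eth1 OUT= MAC=00:0d:60:1a:1f:2b:00:50:7f:06:d6:1a:08:00 SRC=216.239.63.93 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=42193 WINDOW=0 RES=0x00 RST URGP=0
"""
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_log_line(line):
    """Extract the fields of one netfilter LOG line; TCP flags are bare words."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)}
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"]), "flags": flags}


def conntrack_state(pkt, tracked):
    """Simplified conntrack.  'tracked' holds (src, sport, dst, dport) tuples in
    the connection table.  A packet of a tracked flow is ESTABLISHED, a lone SYN
    opens a flow (NEW), and any other TCP packet with no entry, a bare RST in
    particular, is INVALID, as in the Linux nf_conntrack TCP state table
    (sNO + rst -> sIV).  ASSUMPTION: the poster's RHEL3 kernel tracks the same
    way; loose pick-up of mid-stream ACKs is not modelled."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if key in tracked or reverse in tracked:
        return "ESTABLISHED"
    if pkt["proto"] != "TCP" or pkt["flags"] == {"SYN"}:
        return "NEW"
    return "INVALID"


def evaluate(chain, pkt, ctstate):
    """Walk a chain top to bottom; LOG is non-terminating, as in iptables."""
    hits = []
    for rule in chain:
        if all(ctstate in v if k == "state" else pkt[k] == v
               for k, v in rule.items() if k != "target"):
            hits.append(rule["target"])
            if rule["target"] != "LOG":
                return rule["target"], hits
    return "POLICY", hits


# The posted chain as seen from eth1 (lo and the spt:67/68 rejects left out).
POSTED_CHAIN = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "UDP", "state": {"NEW"}, "sport": 53, "target": "ACCEPT"},
    {"proto": "TCP", "state": {"NEW"}, "sport": 1521, "target": "ACCEPT"},
    {"proto": "TCP", "state": {"NEW"}, "sport": 80, "target": "ACCEPT"},
    {"proto": "TCP", "state": {"NEW"}, "sport": 443, "target": "ACCEPT"},
    {"target": "LOG"},
    {"target": "REJECT"},
]
# Hardened variant (editor's suggestion, not from the thread): drop INVALID
# before logging, keep the stateful accept, and open inbound services with
# --dport rules for what this host really serves, not by the peer's source port.
HARDENED_CHAIN = [
    {"state": {"INVALID"}, "target": "DROP"},
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"target": "LOG"},
    {"target": "REJECT"},
]


def classify_logged_packets():
    """Per logged packet: src, dport, flags, conntrack state, posted-chain verdict
    and hits, hardened-chain verdict.  No entry exists: the flow was closed."""
    rows = []
    for line in LOG_LINES.splitlines():
        pkt = parse_log_line(line)
        st = conntrack_state(pkt, tracked=set())
        verdict, hits = evaluate(POSTED_CHAIN, pkt, st)
        rows.append((pkt["src"], pkt["dport"], sorted(pkt["flags"]), st, verdict,
                     hits, evaluate(HARDENED_CHAIN, pkt, st)[0]))
    return rows


def source_port_bypass():
    """Constructed attacker packet: a SYN to the SSH port sent *from* port 80."""
    pkt = {"src": "203.0.113.7", "dst": "192.168.1.5", "proto": "TCP",
           "sport": 80, "dport": 22, "flags": {"SYN"}}
    st = conntrack_state(pkt, tracked=set())
    return evaluate(POSTED_CHAIN, pkt, st)[0], evaluate(HARDENED_CHAIN, pkt, st)[0]


def squid_reply():
    """Constructed SYN-ACK answering a connection Squid opened from port 40000;
    the outgoing SYN already created the conntrack entry."""
    tracked = {("192.168.1.5", 40000, "216.239.63.91", 80)}
    pkt = {"src": "216.239.63.91", "dst": "192.168.1.5", "proto": "TCP",
           "sport": 80, "dport": 40000, "flags": {"SYN", "ACK"}}
    st = conntrack_state(pkt, tracked)
    return st, evaluate(POSTED_CHAIN, pkt, st)[0], evaluate(HARDENED_CHAIN, pkt, st)[0]


if __name__ == "__main__":
    print(*classify_logged_packets(), sep="\n")
    print("SYN from sport 80 to dport 22 (posted, hardened):", source_port_bypass())
    print("Squid's SYN-ACK reply (state, posted, hardened):", squid_reply())
```

In the hardened chain the stray resets are dropped by the INVALID rule before they reach LOG, which removes the noise from dmesg without accepting anything new; the SYN-ACK that Squid actually needs is accepted by RELATED,ESTABLISHED in both chains, so the spt:80 rule buys nothing except the bypass.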
dzbz (reply #1, 2010-04-13)
Could you post your iptables-save output?

风语 (reply #2, 2010-04-13)
[root@www root]# iptables-save
# Generated by iptables-save v1.2.8 on Mon Aug  1 23:53:15 2005
*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [181689]
:RH-Firewall-1-INPUT - [0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 61.84.87.244 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.108.237.11 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.139.126.80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.185.220.46 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.210.182.160 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.108.245.135 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.25.10.66 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 81.192.37.130 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.245.176.88 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.114.87 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.144.162.7 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.105.35 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.104.243 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.93.138 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 81.91.34.170 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.237.20.73 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 210.0.213.20 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.75.79.237 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.160.145 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.233.75.9 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.138.184.213 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.167.43 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.239.32.170 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 220.130.45.134 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 222.96.154.133 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.73.102.250 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.52.240.60 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 128.134.225.139 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.157.121.37 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.233.38.80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.211.239.115 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.185.208.82 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.159.226 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.59.169.115 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.106.169.125 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.219.146.55 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.125.74.155 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 209.97.205.125 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.91.191.144 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.155.23.123 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 123.23.155.211 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 72.3.136.68 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.128.186.203 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 221.122.53.70 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.188.72 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 210.118.64.140 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.61.144.74 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.151.243.217 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.144.39 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.153.19.13 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 222.90.206.62 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.129.50.90 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.58.220.134 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 218.75.120.146 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.152.108.163 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 61.218.185.123 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.22.121.5 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1434 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4899 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4899 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1026 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1027 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1027 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1026 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1433 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 135 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -j LOG --log-prefix "'FW'" --log-level 0
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Aug  1 23:53:15 2005
[root@www root]#
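An added lint script, not part of the thread, run over an excerpt of the dump above (the per-host REJECT list is cut to four entries but keeps the line the dump lists twice). It surfaces the points a reviewer of this ruleset would raise: the 219.241.43.249 rule appears twice; every packet, established replies included, is compared against the whole per-host REJECT list before the RELATED,ESTABLISHED rule is reached; LOG at --log-level 0 is emerg, which traditional syslog configurations broadcast to every logged-in user; INPUT and FORWARD both jump to the same chain, so the --dport ACCEPTs would also apply to routed traffic if forwarding were ever enabled; and ports 22, 25 and 80 are open to 0.0.0.0/0. The parser understands only the match options this dump uses.

```python
"""Added example, not from the thread: a small lint for an iptables-save dump,
run here on an excerpt of the ruleset posted above (it understands only the
match options that dump uses)."""
import shlex
from collections import Counter

# Excerpt of the posted iptables-save output.  The -s blocklist is shortened
# to four entries, keeping the 219.241.43.249 line that the dump lists twice.
DUMP = """\
*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [181689]
:RH-Firewall-1-INPUT - [0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 61.84.87.244 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 219.241.43.249 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.22.121.5 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -j LOG --log-prefix "'FW'" --log-level 0
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rules(dump):
    """Return (chain, original line, options) per -A line.  Options map the
    flag to a list of its values ('-m' repeats), or [True] when it takes none."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        opts, i = {}, 2
        while i < len(tokens):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts.setdefault(tokens[i], []).append(tokens[i + 1] if has_value else True)
            i += 2 if has_value else 1
        rules.append((tokens[1], line, opts))
    return rules


def duplicate_rules(rules):
    """Identical -A lines: the second copy can never match and is pure noise."""
    return sorted(line for line, n in Counter(r[1] for r in rules).items() if n > 1)


def chain_callers(rules, chain):
    """Chains that jump into 'chain'; INPUT and FORWARD sharing one chain means
    the --dport ACCEPTs also apply to routed traffic once forwarding is enabled."""
    return sorted(c for c, _, o in rules if o.get("-j") == [chain])


def rules_before_stateful(rules, chain):
    """Number of per-source REJECT rules every packet, replies included, walks
    through before the RELATED,ESTABLISHED shortcut is reached."""
    in_chain = [r for r in rules if r[0] == chain]
    for idx, (_, _, o) in enumerate(in_chain):
        if "RELATED,ESTABLISHED" in o.get("--state", []):
            return sum(1 for _, _, p in in_chain[:idx]
                       if "-s" in p and p.get("-j") == ["REJECT"])
    return None


def emergency_log_rules(rules):
    """LOG rules at --log-level 0 (emerg): every hit is broadcast by syslog."""
    return [line for _, line, o in rules
            if o.get("-j") == ["LOG"] and o.get("--log-level") == ["0"]]


def world_open_tcp_ports(rules, chain):
    """TCP ports accepted for NEW connections with no -s or -i restriction."""
    return sorted(int(o["--dport"][0]) for c, _, o in rules
                  if c == chain and o.get("-j") == ["ACCEPT"] and "--dport" in o
                  and o.get("-p") == ["tcp"] and "-s" not in o and "-i" not in o)


if __name__ == "__main__":
    rules = parse_rules(DUMP)
    print("duplicates:", duplicate_rules(rules))
    print("callers of RH-Firewall-1-INPUT:", chain_callers(rules, "RH-Firewall-1-INPUT"))
    print("per-host REJECTs before stateful rule:", rules_before_stateful(rules, "RH-Firewall-1-INPUT"))
    print("emerg-level LOG rules:", emergency_log_rules(rules))
    print("TCP ports open to the world:", world_open_tcp_ports(rules, "RH-Firewall-1-INPUT"))
```

On the full dump the per-host count before the stateful rule is the whole 59-entry list rather than the 4 of the excerpt; moving the RELATED,ESTABLISHED rule up (or in front of the list, if the blocked hosts only need to be stopped from opening new connections) takes that walk off every reply packet.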

shehongv (reply #3, 2010-04-13)


QUOTE: -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT

What type is icmp-type 255? I can't find it anywhere; could someone explain?

Reply #4 (2010-04-13)


QUOTE: originally posted by "bingosek":

What type is icmp-type 255? I can't find it anywhere; could someone explain?

It is equivalent to all ICMP types.

ppcynt (reply #5, 2010-04-13)
Looking at your script, I don't see a problem; port 80 is allowed.
