iptables -L output: looking for an expert explanation

Asked by pliut

While tinkering I ended up with this firewall at boot on Xubuntu 10.10, kernel 2.6.35.4:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- resolver1.opendns.com anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- resolver1.opendns.com anywhere
ACCEPT tcp -- resolver2.opendns.com anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- resolver2.opendns.com anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.1.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- laptop resolver1.opendns.com tcp dpt:domain
ACCEPT udp -- laptop resolver1.opendns.com udp dpt:domain
ACCEPT tcp -- laptop resolver2.opendns.com tcp dpt:domain
ACCEPT udp -- laptop resolver2.opendns.com udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere

Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
I don't even know myself what I'm blocking and what I'm not; I still get online, and all I need is to keep doing that safely while also leaving Transmission's port open for torrents.
Thanks
Paolo
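One thing the listing above cannot tell you: plain `iptables -L` hides the interface columns, so the bare `ACCEPT all -- anywhere anywhere` rule near the top of INPUT could be an accept-everything hole or, far more likely, the usual loopback rule; only `iptables -L -v -n` shows the `in`/`out` columns that settle it. The script below is an added example, not part of the original post and not Firestarter's own code. It parses a constructed `iptables -L -v -n` listing modelled on the Firestarter chains above (the `tcp dpt:51413` rule in INBOUND is hypothetical, standing in for the Transmission port the poster wants; 51413 is Transmission's default peer port), follows unconditional jumps into user-defined chains, and reports the verdict a brand-new packet on a given interface, protocol and port would get. Rules that name a specific address, and jumps that carry their own match conditions, are flagged rather than evaluated.

```shell
#!/bin/sh
# Added example (not from the post or Firestarter): walk an `iptables -L -v -n`
# listing and report what happens to a NEW inbound packet.  The listing below is
# CONSTRUCTED, modelled on the Firestarter chains in the post; the `tcp dpt:51413`
# rule in INBOUND is hypothetical (51413 is Transmission's default peer port).
LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
    0     0 INBOUND    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Unknown Input"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Unknown Forward"

Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
    0     0 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LSI (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

listing() { printf '%s\n' "$LISTING"; }

# Policy of a built-in chain; "-" for user-defined chains, which have none.
chain_policy() {
    listing | awk -v c="$1" '$1=="Chain" && $2==c { if ($3=="(policy") print $4; else print "-"; exit }'
}

# Rule lines of one chain, in evaluation order (header line skipped).
chain_rules() {
    listing | awk -v c="$1" '
        $1=="Chain" { in_chain = ($2==c); next }
        in_chain && $1!="pkts" && NF>0 { print }'
}

is_chain() { listing | grep -q "^Chain $1 "; }

# Print the rules a packet is really tested against: unconditional jumps into
# user chains are expanded in place; a jump that carries its own match (here the
# fragment-only, rate-limited jump to LSI) is flagged, not expanded.
flatten() {
    chain_rules "$1" | while IFS= read -r rule; do
        target=$(printf '%s\n' "$rule" | awk '{ print $3 }')
        plain=$(printf '%s\n' "$rule" | awk '
            NF==9 && $4=="all" && $5=="--" && $6=="*" && $7=="*" &&
            $8=="0.0.0.0/0" && $9=="0.0.0.0/0" { print "yes" }')
        if is_chain "$target" && [ "$plain" = yes ]; then
            flatten "$target"
        elif is_chain "$target"; then
            printf '%s: %s  [conditional jump to %s, not expanded]\n' "$1" "$rule" "$target"
        else
            printf '%s: %s\n' "$1" "$rule"
        fi
    done
}

# verdict CHAIN IFACE PROTO PORT: first terminating target (ACCEPT/DROP/REJECT)
# that applies to a NEW PROTO packet arriving on IFACE for destination PORT,
# falling back to the chain policy.  Address-specific rules are skipped (the
# walker does no address matching), as are rules a new packet cannot match.
verdict() {
    v=$(flatten "$1" | awk -v iface="$2" -v proto="$3" -v port="$4" '
        {
            target = $4; prot = $5; opt = $6; in_if = $7
            if (in_if != "*" && in_if != iface) next                 # other interface
            if (prot != "all" && prot != proto) next                 # other protocol
            if (opt == "-f") next                                    # fragments only
            if ($9 != "0.0.0.0/0" || $10 != "0.0.0.0/0") next        # address-specific, not modelled
            if ($0 ~ /state (RELATED,ESTABLISHED|INVALID)/) next     # a fresh packet is NEW
            if (match($0, /dpt:[0-9]+/) && substr($0, RSTART + 4, RLENGTH - 4) != port) next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") { print target; exit }
        }')
    [ -n "$v" ] && printf '%s\n' "$v" || chain_policy "$1"
}

# Stand-alone demo: the flattened INPUT chain and a few probes.
echo "== INPUT, flattened (policy $(chain_policy INPUT)) =="
flatten INPUT
for probe in "eth0 tcp 51413" "eth0 udp 51413" "eth0 tcp 22" "lo tcp 22"; do
    set -- $probe
    printf 'new %s packet on %s to port %s: %s\n' "$2" "$1" "$3" "$(verdict INPUT "$1" "$2" "$3")"
done
```

Run against the constructed listing, a TCP packet to 51413 on eth0 is accepted, a UDP packet to the same port is dropped by the DROP at the end of LSI (so a torrent client that also uses UDP would need a second rule), port 22 is dropped, and anything arriving on `lo` is accepted by the first rule regardless of port. To apply this to a live box, replace the constructed `LISTING` with the output of `iptables -L -v -n`, which is also the form to paste when asking others to read your rules.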

Question information
Language: Italian
Status: Solved
For: Ubuntu iptables
Assignee: No assignee
Solved by: pliut
marcobra (Marco Braida) (marcobra) said: #1

Paolo, I have a ready-made script for setting up iptables that works; are you interested in trying it...?

pliut (paolo-liut-deactivatedaccount) said: #2

My friend, you'd have to do a step-by-step configuration guide:
I had already tried using a pre-cooked one, but... the next time around it was already toast!
I had made a script executable and ready to run again at the next boot, but...
Besides, all I'd need is a desktop protection shield that lets me go online to browse and download files when necessary, with no remote connection services, servers or assorted protocols!
I'll follow your refined advice through to the end, and thank you for the attention you're giving me!
Paolo

marcobra (Marco Braida) (marcobra) said: #3

But did you solve it, since you marked the question as solved...?
I don't understand: do you need the script and any instructions? If so, contact me directly and privately by clicking on my username, because installing it is very simple, but I'd rather assist you, and that has to be done when you and I are both available for, say, half an hour without interruption; otherwise you risk no longer being able to browse at all, and that wouldn't be a good solution for you...

Bye

pliut (paolo-liut-deactivatedaccount) said: #4

I marked it solved because I wrote the first post only to discover just now that this is iptables as managed by Firestarter, which was evidently running in the background.