Hi,

While I'm at it, do you know why iptables blocks avahi broadcasts when multicast is explicitly allowed in the iptables rules? (-A INBOUND -m pkttype --pkt-type multicast -j ACCEPT)

> Jun 5 14:03:25 rousalka avahi-daemon[2357]: New relevant interface eth0.IPv4 for mDNS.
> Jun 5 14:03:25 rousalka avahi-daemon[2357]: Joining mDNS multicast group on interface eth0.IPv4 with address 81.64.156.253.
> Jun 5 14:03:26 rousalka avahi-daemon[2357]: Network interface enumeration completed.
> Jun 5 14:03:26 rousalka avahi-daemon[2357]: Registering new address record for 192.168.1.1 on eth1.
> Jun 5 14:03:26 rousalka avahi-daemon[2357]: Registering new address record for 81.64.156.253 on eth0.
> Jun 5 14:03:26 rousalka avahi-daemon[2357]: Registering HINFO record with values 'X86_64'/'LINUX'.
> Jun 5 14:03:26 rousalka kernel: Inbound IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.251 LEN=145 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=125
> Jun 5 14:03:26 rousalka kernel: Inbound IN=eth0 OUT= MAC= SRC=81.64.156.253 DST=224.0.0.251 LEN=147 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=127
> Jun 5 14:03:26 rousalka kernel: Inbound IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.251 LEN=145 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=125

(attaching full ruleset)

-- 
Nicolas Mailhot
# Custom iptables rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A PREROUTING -i eth1 -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:GENCHK - [0:0]
:ICMP - [0:0]
:SPOOF - [0:0]
:SYN-FLOOD - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:LS - [0:0]
:OUTBOUND - [0:0]
### Input
# loopback
-A INPUT -i lo -j ACCEPT
# Broadcast
-A INPUT -m pkttype --pkt-type broadcast -i eth0 -p udp -m multiport --ports bootps,bootpc -j INBOUND
-A INPUT -m pkttype --pkt-type broadcast -i eth0 -j LS
# Generic checks
-A INPUT -j ICMP
-A INPUT -j GENCHK
-A INPUT -j SPOOF
# Multicast
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -i eth0 -j INBOUND
-A INPUT -i eth1 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input " --log-level 6
### Forward
# Generic checks
-A FORWARD -j ICMP
-A FORWARD -j GENCHK
-A FORWARD -j SPOOF
# Do not forward any broadcast
-A FORWARD -m pkttype --pkt-type broadcast -j LS
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 192.168.1.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward " --log-level 6
### Output
# Loopback
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j GENCHK
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output " --log-level 6
### Inbound
-A INBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP
-A INBOUND -p udp -m multiport --ports bootps,bootpc -j ACCEPT
# Multicast
-A INBOUND -m pkttype --pkt-type multicast -j ACCEPT
# Syn-flood tcp protection
-A INBOUND -p tcp --syn -j SYN-FLOOD
-A INBOUND -p tcp -m multiport --dports ssh,submission,https,imaps -j ACCEPT
-A INBOUND -p tcp -d 192.168.1.1 -m multiport --dports smtp,domain,ntp,printer,tproxy -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.1 -m multiport --dports smtp,domain,ntp,printer -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.255 --sport ipp --dport ipp -i eth1 -j ACCEPT
-A INBOUND -p udp -d 192.168.1.1 --sport ipp --dport ipp -i eth1 -j ACCEPT
# This DNS server defers replies in UDP
-A INBOUND -p udp -s 202.89.131.4 --sport domain --dport domain -i eth0 -j ACCEPT
-A INBOUND -j LSI
### Generic checks
-A GENCHK -m state --state INVALID -j DROP
-A GENCHK -p tcp ! --syn -m state --state NEW -j LS
-A GENCHK -m state --state RELATED,ESTABLISHED -j RETURN
-A GENCHK -m state --state ! NEW -j LS
-A GENCHK -j RETURN
### ICMP check
-A ICMP -p icmp --fragment -j DROP
-A ICMP -p icmp --icmp-type echo-reply -m limit --limit 1/sec -j ACCEPT
-A ICMP -p udp --dport traceroute -j LS
-A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP -p icmp --icmp-type redirect -m limit --limit 2/sec -j ACCEPT
-A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP -p icmp -j LS
-A ICMP -j RETURN
### Spoof check (need to accept dhcp and lo before)
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
-A SPOOF -d 127.0.0.0/8 -j LS
# Accept LAN in
-A SPOOF -s 192.168.1.0/24 -i eth1 -j RETURN
# Nothing else from LAN
-A SPOOF -i eth1 -j LS
# Refuse packets claiming to be from a Class A private network.
-A SPOOF -s 10.0.0.0/8 -j LS
# Refuse packets claiming to be from a Class B private network.
-A SPOOF -s 172.16.0.0/12 -j LS
# Refuse packets claiming to be from a Class C private network.
-A SPOOF -s 192.168.0.0/16 -j LS
# Refuse Class D multicast addresses.
# Multicast is illegal as a source address
-A SPOOF -s 224.0.0.0/4 -j LS
# Refuse Class E reserved IP addresses.
-A SPOOF -s 240.0.0.0/5 -j LS
# Accept LAN out
-A SPOOF -d 192.168.1.0/24 -o eth1 -j RETURN
# Nothing else to LAN
-A SPOOF -o eth1 -j LS
# If we got this far filtering can continue
-A SPOOF -j RETURN
### syn-flood check
-A SYN-FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
-A SYN-FLOOD -j DROP
### Outbound
-A OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP
-A OUTBOUND -p udp --sport bootpc --dport bootps -o eth0 -j ACCEPT
-A OUTBOUND -p udp --sport bootps --dport bootpc -o eth1 -j ACCEPT
-A OUTBOUND -p udp --sport ipp --dport ipp -o eth0 -j DROP
-A OUTBOUND -j ACCEPT
### Generic logging filtering
-A LOG_FILTER -m multiport -p tcp --ports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,593,ms-sql-s,ms-sql-m -j DROP
-A LOG_FILTER -m multiport -p udp --ports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,593,ms-sql-s,ms-sql-m -j DROP
-A LOG_FILTER -p icmp --icmp-type echo-request -m limit --limit 1/sec -j RETURN
-A LOG_FILTER -p icmp --icmp-type echo-request -j DROP
-A LOG_FILTER -m limit --limit 5/sec -j RETURN
-A LOG_FILTER -j DROP
### Inbound log
-A LSI -j LOG_FILTER
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
### Outbound log
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j DROP
### Generic log
-A LS -j LOG_FILTER
-A LS -m limit --limit 5/sec -j LOG --log-prefix "Blocking " --log-level 6
-A LS -j DROP
COMMIT
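Editor's added example (not part of Nicolas's mail or his ruleset). The "Inbound " prefix in the logged lines comes from the LSI chain, so the datagrams fell past the `-m pkttype --pkt-type multicast -j ACCEPT` rule in INPUT. The pkttype match tests the link-layer packet type the kernel stamped on the buffer (skb->pkt_type), not the IP destination. All three logged packets are the host's own mDNS announcements (SRC is the address avahi had just registered on that interface) delivered back to local sockets, and that looped-back copy is typed PACKET_LOOPBACK rather than PACKET_MULTICAST, which the pkttype match of kernels of that era did not treat as multicast (later versions of the match classify a looped-back packet by its destination address). Matching on the destination, `-d 224.0.0.0/4` or the mDNS group itself, works in both cases. The script below sorts netfilter LOG lines into locally originated multicast, multicast received from the wire, and unicast, and prints the destination-based replacement rule. The sample log lines are the ones quoted in the mail, trimmed to the fields used, plus one constructed unicast line; the list of local addresses is taken from the avahi lines in the mail and is an assumption of the example.

```sh
#!/bin/sh
# Added example, not from the original mail. Classifies netfilter LOG lines by
# destination address and prints a multicast rule that does not rely on pkttype.

# Constructed sample: the three "Inbound" kernel lines quoted in the mail,
# trimmed to the fields used here, plus one made-up unicast SSH line.
SAMPLE_LOG='Inbound IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
Inbound IN=eth0 OUT= MAC= SRC=81.64.156.253 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
Inbound IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
Inbound IN=eth0 OUT= MAC= SRC=203.0.113.9 DST=81.64.156.253 PROTO=TCP SPT=40000 DPT=22'

# The host's own addresses, taken from the avahi lines in the mail
# (192.168.1.1 on eth1, 81.64.156.253 on eth0). Assumption: nothing else is local.
LOCAL_ADDRS='192.168.1.1 81.64.156.253'

# log_field LINE KEY: print the value of KEY=value in a netfilter LOG line
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# is_multicast ADDR: true if ADDR lies in 224.0.0.0/4 (first octet 224..239)
is_multicast() {
    first=${1%%.*}
    case "$first" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# is_local_addr ADDR: true if ADDR is one of this host's own addresses
is_local_addr() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# classify_line LINE: print one of
#   mcast-local   multicast destination, sent by this host and looped back to
#                 itself; that copy is typed PACKET_LOOPBACK, which an old
#                 "-m pkttype --pkt-type multicast" rule does not match
#   mcast-remote  multicast destination received from another host
#                 (typed PACKET_MULTICAST, the pkttype rule matches)
#   unicast       anything else
classify_line() {
    dst=$(log_field "$1" DST)
    src=$(log_field "$1" SRC)
    if is_multicast "$dst"; then
        if is_local_addr "$src"; then
            echo mcast-local
        else
            echo mcast-remote
        fi
    else
        echo unicast
    fi
}

# count_class CLASS: number of SAMPLE_LOG lines that classify as CLASS
count_class() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_line "$line")" = "$1" ] && n=$((n + 1))
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

# mcast_rule: replacement for the pkttype rule, to sit in INPUT where that rule
# is now (before the "-i eth0 -j INBOUND" dispatch). It matches the mDNS group
# and port directly; "-d 224.0.0.0/4" would accept all multicast, which is what
# the original pkttype rule intended.
mcast_rule() {
    echo '-A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT'
}

# Demonstration: classify the sample lines and print the replacement rule.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-13s %s\n' "$(classify_line "$line")" "$line"
done
echo "multicast originated by this host: $(count_class mcast-local)"
echo "suggested rule: $(mcast_rule)"
```

Run it with `sh`; the three quoted lines come out as mcast-local, which is the case the pkttype rule missed. The SPOOF chain is unaffected by the change, since it only rejects multicast as a source address.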