Thanks guys. Alright. You are correct. I am new to Linux. I have been blind for a long time and am learning exponentially. Thanks for your help. I was able to get the applications working this weekend. (so proud, yeah!) However, I got my A$$ handed to me this morning with massive input errors from the LAN side. I am doing the following; can you provide me any assistance?

eth2=WAN
eth1=LAN

/etc/ufw/before.rules

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from the LAN (172.20.0.0/16) as it leaves via eth2 (WAN).
-A POSTROUTING -s 172.20.0.0/16 -o eth2 -j MASQUERADE
# Transparently redirect LAN web traffic arriving on eth1 to the local proxy on port 8080.
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

UFW logging: Below is the copy of BLOCKed content, from this morning's headache. XXX.XXX.XXX.XXX = eth2, public IP address. I replaced it to protect the innocent.

sudo vi UFWMay3BLOCK.log

May 3 09:16:36 squidGuard kernel: [64639.938264] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83 DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39420 PROTO=TCP SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May 3 09:16:45 squidGuard kernel: [64649.105950] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63006 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.107154] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63007 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.108390] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63008 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.109614] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63009 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.110842] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63010 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.112078] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63011 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.113306] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63012 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.114539] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63013 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.115768] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63014 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.118231] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63015 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.119464] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63016 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.121923] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63017 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:16:45 squidGuard kernel: [64649.125610] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63018 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK PSH FIN URGP=0
May 3 09:16:46 squidGuard kernel: [64649.221610] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97 DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10841 PROTO=TCP SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May 3 09:16:46 squidGuard kernel: [64649.929228] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83 DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39421 PROTO=TCP SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May 3 09:16:55 squidGuard kernel: [64659.201813] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97 DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10842 PROTO=TCP SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May 3 09:16:56 squidGuard kernel: [64659.934100] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83 DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39422 PROTO=TCP SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May 3 09:16:58 squidGuard kernel: [64661.599044] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63019 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May 3 09:17:05 squidGuard kernel: [64669.158398] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97 DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10843 PROTO=TCP SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May 3 09:17:06 squidGuard kernel: [64669.978711] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83 DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39423 PROTO=TCP SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May 3 09:17:07 squidGuard kernel: [64671.174946] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=65.54.95.93 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=15075 DF PROTO=TCP SPT=80 DPT=52652 WINDOW=6335 RES=0x00 ACK URGP=0

Thanks for your input.

On Sat, Apr 30, 2011 at 2:24 PM, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Sat, Apr 30, 2011 at 08:08:55PM +0100, Andrew Beverley wrote:
>> On Sat, 2011-04-30 at 13:23 -0500, Mike Hendrie wrote:
>> > Now to lock it down? I should just create rules to block ports?
>>
>> Well it depends how paranoid you are. You might just want to block
>> new incoming connections to the local network:
>>
>> iptables -P FORWARD DROP
>> iptables -A FORWARD -i $ext_IF -o $int_IF \
>>     -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -i $int_IF -o $ext_IF -j ACCEPT
>>
>> You'd probably also want to drop all incoming connections to the
>> server apart from your web server:
>>
>> iptables -A INPUT -p tcp --dport 80 -i $ext_IF -j ACCEPT
>> iptables -A INPUT -i $ext_IF -j DROP
>>
>> As Rob says though, you're probably best going through a few basic
>> tutorials first - you'll be up to speed in no time. Also check out
>> iptables-save and iptables-restore.
>>
>> Let's hope I haven't made any more mistakes that Rob is going to
>> spot :)
>
> Hehe ... well ... I would suggest that you look at the enhanced
> feature set of -m conntrack --ctstate vs. -m state --state. That's
> not a mistake, though; that is preference.
> :)
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
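A small triage script for the [UFW BLOCK] log format posted above, added here as an example; it is not code from the thread or from ufw. It assumes eth2 is the WAN interface as in the post; the first three sample lines are copied from the posted log and the fourth is constructed with a documentation-range address to show an unsolicited SYN beside the late ACK/FIN packets the poster saw.

```python
import re
from collections import Counter

# Added example: parse '[UFW BLOCK]' kernel log lines and triage each drop.
FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE pairs; OUT= may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "PSH", "RST", "URG"}  # bare tokens after RES=

def parse_ufw_line(line: str) -> dict:
    """Return the KEY=VALUE fields of one UFW BLOCK line plus a FLAGS set."""
    if "[UFW BLOCK]" not in line:
        raise ValueError("not a UFW BLOCK line")
    payload = line.split("[UFW BLOCK]", 1)[1]
    rec = dict(FIELD_RE.findall(payload))
    rec["FLAGS"] = set(payload.split()) & TCP_FLAGS
    return rec

def classify(rec: dict, wan_if: str) -> str:
    """Triage a TCP drop that arrived on the WAN for the box itself (OUT empty).
    new-connection: SYN without ACK, an unsolicited attempt to open a connection.
    stale-return:   ACK/FIN/PSH without SYN from a well-known source port, i.e. late
                    packets of a session conntrack no longer tracks (harmless noise).
    other:          FORWARD-chain drops, non-TCP, anything else.
    """
    if rec.get("IN") != wan_if or rec.get("OUT", "") != "" or rec.get("PROTO") != "TCP":
        return "other"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if "SYN" not in flags and int(rec.get("SPT", "65535")) < 1024:
        return "stale-return"
    return "other"

def summarize(lines, wan_if="eth2") -> dict:
    """Count drops per class, skipping lines that are not UFW BLOCK entries."""
    return dict(Counter(classify(parse_ufw_line(l), wan_if)
                        for l in lines if "[UFW BLOCK]" in l))

MAC = "MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00"
SAMPLE = [  # first three copied from the posted log; the last is constructed (SYN to port 22)
    f"May 3 09:16:36 squidGuard kernel: [64639.938264] [UFW BLOCK] IN=eth2 OUT= {MAC} SRC=209.85.225.83 DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39420 PROTO=TCP SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0",
    f"May 3 09:16:45 squidGuard kernel: [64649.105950] [UFW BLOCK] IN=eth2 OUT= {MAC} SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63006 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0",
    f"May 3 09:16:46 squidGuard kernel: [64649.221610] [UFW BLOCK] IN=eth2 OUT= {MAC} SRC=74.125.95.97 DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10841 PROTO=TCP SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0",
    f"May 3 09:20:00 squidGuard kernel: [64850.000000] [UFW BLOCK] IN=eth2 OUT= {MAC} SRC=198.51.100.7 DST=xxx.xxx.xxxx LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for r in map(parse_ufw_line, SAMPLE):
        print(r["SRC"], r["SPT"], "->", r["DPT"], sorted(r["FLAGS"]), classify(r, "eth2"))
    print(summarize(SAMPLE))  # {'stale-return': 3, 'new-connection': 1}
```

Only the new-connection bucket deserves attention; the stale-return bucket is what the posted log consists of, and it shrinks once the FORWARD and INPUT chains accept ESTABLISHED,RELATED traffic as the quoted reply suggests.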