To: gentoo-user@lists.gentoo.org
From: James
Subject: [gentoo-user] Re: OT: iptables mac filtering
Date: Fri, 11 Aug 2006 21:39:25 +0000 (UTC)
References: <20060809214353.5787529e.hilse@web.de> <7573e9640608110024gf773d0dxa8ef9f1da0a9f73f@mail.gmail.com>
List-Id: Gentoo Linux mail
Richard Fish asmallpond.org> writes:

> > I need a rule on the 3 (nic) interface firewall so that only
> > ssh from the LAN is allowed to the firewall or systems (web
> > server, mail dns) in the DMZ. Only one static ip is routable
> > to this site. SSH from the outside should be completely blocked.
>
> # allow ssh connections from LAN to us
> iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
> # allow routing of ssh connections from LAN to DMZ hosts
> iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
> # deny all other ssh connections
> iptables -A INPUT -p tcp --dport 22 -j DROP
> iptables -A FORWARD -p tcp --dport 22 -j DROP

Richard,

These rules worked like a charm. I had something similar, but had the syntax messed up. thx.

Now I have ONE big problem. Spammers. (I think).
Running a sniffer between my firewall and the cable box's ethernet (single static IP), I see:

hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0

Last night I saw this for a while and then a storm of smtp traffic. This site does not even run a mail server and all systems were shut down except for the firewall and the sniffer. This explains why this site is listed as a spammer site... Somebody has been reflecting email off of this site for some time, I suspect.

Got any idea for an (iptables) syntax to stop this? Do I need to reinstall the system (gentoo-hardened firewall)???????

Thoughts and ideas are welcome.

--
gentoo-user@gentoo.org mailing list
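The following is an added example, not code from this thread or from Richard or James. It restates the SSH rules quoted above and extends them to the outbound SMTP question: in the capture, myIP is the side sending SYNs to port 25, so the defensive step is to let only a designated mail host (if there is one) open port-25 connections through the firewall, and to log and drop every other attempt, including ones the firewall itself originates, so the kernel log names the internal source. Interface names, the `MAIL_HOST` variable, the log prefixes and the dry-run `IPT` mechanism are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to "echo iptables" so the
# generated rules can be reviewed as a dry run; run with IPT=iptables as root
# to apply them. Interface names below are assumptions for a 3-NIC firewall.
IPT="${IPT:-echo iptables}"
IF_WAN="${IF_WAN:-eth0}"    # cable box side, single static IP
IF_LAN="${IF_LAN:-eth1}"
IF_DMZ="${IF_DMZ:-eth2}"
# DMZ host allowed to send mail out; empty means nobody may open outbound SMTP
MAIL_HOST="${MAIL_HOST:-}"

# Same intent as the rules quoted in the thread: ssh only from the LAN,
# to the firewall itself or forwarded into the DMZ; everything else dropped.
ssh_rules() {
    $IPT -A INPUT -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -i "$IF_LAN" -o "$IF_DMZ" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j DROP
    $IPT -A FORWARD -p tcp --dport 22 -j DROP
}

# Outbound SMTP: permit the designated mail host only, log (rate limited, one
# line per new connection attempt thanks to --syn) and drop the rest. The LOG
# target records SRC= in the kernel log, which identifies the machine behind
# the firewall that is originating the port-25 connections.
smtp_rules() {
    if [ -n "$MAIL_HOST" ]; then
        $IPT -A FORWARD -s "$MAIL_HOST" -o "$IF_WAN" -p tcp --dport 25 -j ACCEPT
    fi
    $IPT -A FORWARD -o "$IF_WAN" -p tcp --dport 25 --syn \
        -m limit --limit 5/min -j LOG --log-prefix "SMTP-OUT-BLOCKED: "
    $IPT -A FORWARD -o "$IF_WAN" -p tcp --dport 25 -j DROP
    # The firewall itself should never originate SMTP either; if these rules
    # fire, the firewall box is the host to investigate.
    $IPT -A OUTPUT -o "$IF_WAN" -p tcp --dport 25 --syn \
        -m limit --limit 5/min -j LOG --log-prefix "SMTP-OUT-FW: "
    $IPT -A OUTPUT -o "$IF_WAN" -p tcp --dport 25 -j DROP
}

apply_all() {
    ssh_rules
    smtp_rules
}

apply_all
```

Run it once as a dry run to read the rules it would add, then watch the kernel log (`dmesg` or the syslog file) for the `SMTP-OUT-BLOCKED:` and `SMTP-OUT-FW:` prefixes: the `SRC=` field in those lines tells you which machine is generating the traffic seen by the sniffer. Note that these rules append to existing chains, so they belong after any `-m state --state ESTABLISHED,RELATED` accept rule already in the script, and a default policy of DROP on FORWARD is still the safer baseline.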