Output drop

Dalibor Kouřil dalibork at sorbi.cz
Wednesday August 16 08:26:16 CEST 2006


Hello,
I have a problem on a router. Out of nowhere, messages like these started
appearing in the router's log:

Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=68.190.161.65 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=44191 DPT=2037 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=82.157.169.154 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=27331 DPT=2038 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=68.115.48.116 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=16103 DPT=2039 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=24.110.103.57 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=50852 DPT=2040 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 13 11:44:23 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=81.99.191.248 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=50573 DPT=2042 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 13 11:44:23 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=67.173.185.225 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=10247 DPT=2043 WINDOW=0 RES=0x00 ACK RST URGP=0 


eth1 is the internal subnet, from which external internet traffic cannot
originate...


The firewall rules I have for output are these:

$IPTABLES -t mangle -A OUTPUT -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport ssh -j TOS --set-tos Minimize-Delay

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IPMASQ -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.2.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.3.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.4.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.5.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.6.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.88.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.99.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.100.1 -j ACCEPT

$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "


I'm out of ideas. If anyone has any thoughts, please write.

Thanks, Dalibor Kouril
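A way to triage log lines of this kind, added here as an example that is not part of the original post: the script parses the netfilter LOG format quoted above (the six lines are embedded as constructed sample input), records for each packet the properties a defender checks first (empty IN= means the packet was generated locally rather than received, a public source address toward a private destination, ACK+RST flags), summarises what one internal host is receiving, and tests whether any of the posted "-s ... -j ACCEPT" rules would have matched. The list of router addresses is taken from the posted rules; the value used for $LO_IP is an assumption and $INET_IPMASQ is not known from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the six "OUTPUT drop" lines quoted in the message,
# embedded so the script runs offline.
SAMPLE_LOG = """\
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=68.190.161.65 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=44191 DPT=2037 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=82.157.169.154 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=27331 DPT=2038 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=68.115.48.116 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=16103 DPT=2039 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 13 11:44:21 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=24.110.103.57 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=50852 DPT=2040 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 13 11:44:23 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=81.99.191.248 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=50573 DPT=2042 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 13 11:44:23 server kernel: OUTPUT drop: IN= OUT=eth1 SRC=67.173.185.225 DST=192.168.1.81 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=10247 DPT=2043 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Source addresses accepted by the posted "-s ... -j ACCEPT" rules. 127.0.0.1 is an
# assumed value for $LO_IP; the value of $INET_IPMASQ is not known from the post.
ROUTER_SOURCES = {
    "127.0.0.1", "192.168.0.1", "192.168.1.1", "192.168.2.1", "192.168.3.1",
    "192.168.4.1", "192.168.5.1", "192.168.6.1", "192.168.88.1", "192.168.99.1",
    "192.168.100.1",
}

# syslog timestamp, host, "kernel: ", optional --log-prefix, then the IN=... fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one netfilter LOG line into a dict; bare tokens (DF, ACK, RST...) go to 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # "IN=" yields an empty string, which is meaningful
        else:
            rec["flags"].add(tok)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Observations about one logged packet that narrow down where it came from."""
    notes = []
    if rec.get("IN", "") == "":
        notes.append("locally generated (empty IN=, seen in OUTPUT)")
    src, dst = ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
    if not src.is_private and dst.is_private:
        notes.append("public source address toward a private destination on %s" % rec.get("OUT"))
    if rec.get("PROTO") == "TCP" and {"ACK", "RST"} <= rec["flags"]:
        notes.append("TCP reset (ACK+RST), %s byte header-only packet" % rec.get("LEN"))
    return notes


def matched_by_source_accept(rec):
    """True if one of the posted '-s <router address> -j ACCEPT' rules would match."""
    return rec["SRC"] in ROUTER_SOURCES


def summarize(records):
    """Per destination host: packet count, distinct sources, destination ports hit."""
    by_dst = defaultdict(lambda: {"packets": 0, "sources": set(), "dports": set()})
    for r in records:
        entry = by_dst[r["DST"]]
        entry["packets"] += 1
        entry["sources"].add(r["SRC"])
        entry["dports"].add(int(r["DPT"]))
    return {dst: {"packets": e["packets"], "distinct_sources": len(e["sources"]),
                  "dports": sorted(e["dports"])} for dst, e in by_dst.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["SRC"], "->", r["DST"], "dport", r["DPT"], "|", "; ".join(classify(r)),
              "| source-ACCEPT match:", matched_by_source_accept(r))
    print(summarize(recs))
```

Reading the result against the posted chain: every logged packet has an empty IN=, so the router itself built it, and none carries one of the router's own addresses as source, so the "-s" ACCEPT rules can never match it; the only earlier rule that could accept it is the ESTABLISHED,RELATED one. The summary shows a single internal host receiving resets from six distinct public sources on consecutive destination ports within two seconds. One caveat for anyone reusing the chain as posted: the LOG target does not terminate the chain, and no DROP follows it, so whether a logged packet is actually discarded depends on the OUTPUT chain policy, which the message does not show.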


