sm0ker
03.09.05, 15:27
guten tag.
ich habe folgendes problem.hab mir nen router gebastelt mit nem linux from scratch drauf. er routet alles wunderbar und damit gibts keine probleme! auf dem router narc als paket-filter installiert. mein lan besteht aus 2 clients und dem router ( hero ). nun das eigentliche problem:
--( root@hero )-( 13/pts )-( 16:16/03-Sep-05 )--
--( $:~ )-- ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 53:77:c9:62:ad:e0:98:ed:7e:35:9e:20:df:1e:68:e5.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
--( root@hero )-( 14/pts )-( 16:16/03-Sep-05 )--
--( $:~ )-- ssh hero
ssh: connect to host hero port 22: Connection timed out
--( root@hero )-( 15/pts )-( 16:20/03-Sep-05 )--
das gleiche passiert wenn ich ftp nutzen will. wenn ich auf localhost connecte geht es wunderbar nur wenn ich den router mit hero (hostname) anspreche passiert eben nix. die clients aus dem lan koennen ohne probleme connecten. hab auch schon herausgefunden, dass iptables irgendiwe dran schuld ist, da ich aber narc benutze und mich mit iptables nicht wirklich auskenne hoffe ich jemand hier kann mir irgendwie helfen!
iptables rules:
Chain CUST_LOG (22 references)
target prot opt source destination
LOG all -- 127.0.0.0/8 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 127.0.0.0/8 anywhere
LOG all -- 240.0.0.0/5 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 240.0.0.0/5 anywhere
LOG all -- 248.0.0.0/5 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 248.0.0.0/5 anywhere
LOG all -- 172.16.0.0/12 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 172.16.0.0/12 anywhere
LOG all -- 192.168.0.0/16 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 192.168.0.0/16 anywhere
LOG all -- 10.25.215.194 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 10.25.215.194 anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere state NEW tcp flags:FIN,SYN,RST,PSH,ACK,URG/ACK LOG level debug tcp-options ip-options prefix `ACKSCAN '
DROP tcp -- anywhere anywhere state NEW tcp flags:FIN,SYN,RST,PSH,ACK,URG/ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN LOG level debug tcp-options ip-options prefix `FINSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level debug tcp-options ip-options prefix `XMASSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level debug tcp-options ip-options prefix `NULLSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere multiport dports telnet,hosts2-ns,sunrpc,ntp,snmp,printer,dsf,search-agent,nessus,serialgateway,ms-sql-s,ica,shilp,mysql,ndl-aas LOG level debug tcp-options ip-options prefix `PROBE '
DROP tcp -- anywhere anywhere multiport dports telnet,hosts2-ns,sunrpc,ntp,snmp,printer,dsf,search-agent,nessus,serialgateway,ms-sql-s,ica,shilp,mysql,ndl-aas
LOG tcp -- anywhere anywhere multiport dports ms-wbt-server,pcanywheredata,pcanywherestat,6635,http-alt,9055,italk,24452,27374,27573,31337,42484 LOG level debug tcp-options ip-options prefix `PROBE '
DROP tcp -- anywhere anywhere multiport dports ms-wbt-server,pcanywheredata,pcanywherestat,6635,http-alt,9055,italk,24452,27374,27573,31337,42484
LOG udp -- anywhere anywhere multiport dports ssh,snmp,blackjack,net-assistant,5634,5882,28431,31337,31789 LOG level debug ip-options prefix `PROBE '
DROP udp -- anywhere anywhere multiport dports ssh,snmp,blackjack,net-assistant,5634,5882,28431,31337,31789
LOG all -- anywhere anywhere state INVALID LOG level debug tcp-options ip-options prefix `INVALID '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN LOG level debug tcp-options ip-options prefix `INVALID '
DROP tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN
LOG icmp -- anywhere anywhere LOG level debug ip-options prefix `ICMP: '
DROP icmp -- anywhere anywhere
LOG tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds LOG level debug ip-options prefix `SMB: '
LOG udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm LOG level debug ip-options prefix `SMB: '
DROP tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm
LOG tcp -- anywhere anywhere length ! 40:68 LOG level debug tcp-options ip-options prefix `PACKET_LENGTH_BAD: '
DROP tcp -- anywhere anywhere length ! 40:68
LOG all -- anywhere anywhere LOG level debug tcp-options ip-options prefix `ALL_ELSE '
DROP all -- anywhere anywhere
Chain ICMP_CHK (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp network-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp host-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp port-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 1/sec burst 5
CUST_LOG all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
SPOOF_CHK all -- anywhere anywhere
SANITY_CHK tcp -- anywhere anywhere
STATE_CHK all -- anywhere anywhere
ACCEPT all -- 127.0.0.0/24 127.0.0.0/24 state NEW
TCP_CHK tcp -- anywhere anywhere
UDP_CHK udp -- anywhere anywhere
ICMP_CHK icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
SPOOF_CHK all -- anywhere anywhere
SANITY_CHK tcp -- anywhere anywhere
STATE_CHK all -- anywhere anywhere
ACCEPT tcp -- anywhere spacken.net state NEW tcp dpt:15551 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere spacken.net state NEW tcp dpt:15552 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere assassine.net state NEW tcp dpt:15553 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere assassine.net state NEW tcp dpt:15554 flags:FIN,SYN,RST,ACK/SYN
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain SANITY_CHK (2 references)
target prot opt source destination
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
Chain SPOOF_CHK (2 references)
target prot opt source destination
CUST_LOG all -- 127.0.0.0/8 anywhere
CUST_LOG all -- 240.0.0.0/5 anywhere
CUST_LOG all -- 248.0.0.0/5 anywhere
CUST_LOG all -- 172.16.0.0/12 anywhere
CUST_LOG all -- 192.168.0.0/16 anywhere
CUST_LOG all -- 10.25.215.194 anywhere
Chain STATE_CHK (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
CUST_LOG all -- anywhere anywhere state INVALID
CUST_LOG tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain TCP_CHK (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports ftp state NEW length 40:68 tcp flags:FIN,SYN,RST,ACK/SYN
CUST_LOG all -- anywhere anywhere
Chain UDP_CHK (1 references)
target prot opt source destination
CUST_LOG all -- anywhere anywhere
--( $:~ )-- ping hero
PING hero.net (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.414 ms
--- hero.net ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.414/0.414/0.414/0.000 ms
--( root@hero )-( 2/pts )-( 16:33/03-Sep-05 )--
--( $:~ )-- uname -a
Linux hero 2.6.11.12 #1 Thu Aug 25 16:59:32 CEST 2005 i686 pentium3 i386 GNU/Linux
danke
sm0ker
ich habe folgendes problem.hab mir nen router gebastelt mit nem linux from scratch drauf. er routet alles wunderbar und damit gibts keine probleme! auf dem router narc als paket-filter installiert. mein lan besteht aus 2 clients und dem router ( hero ). nun das eigentliche problem:
--( root@hero )-( 13/pts )-( 16:16/03-Sep-05 )--
--( $:~ )-- ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 53:77:c9:62:ad:e0:98:ed:7e:35:9e:20:df:1e:68:e5.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
--( root@hero )-( 14/pts )-( 16:16/03-Sep-05 )--
--( $:~ )-- ssh hero
ssh: connect to host hero port 22: Connection timed out
--( root@hero )-( 15/pts )-( 16:20/03-Sep-05 )--
das gleiche passiert wenn ich ftp nutzen will. wenn ich auf localhost connecte geht es wunderbar nur wenn ich den router mit hero (hostname) anspreche passiert eben nix. die clients aus dem lan koennen ohne probleme connecten. hab auch schon herausgefunden, dass iptables irgendiwe dran schuld ist, da ich aber narc benutze und mich mit iptables nicht wirklich auskenne hoffe ich jemand hier kann mir irgendwie helfen!
iptables rules:
Chain CUST_LOG (22 references)
target prot opt source destination
LOG all -- 127.0.0.0/8 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 127.0.0.0/8 anywhere
LOG all -- 240.0.0.0/5 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 240.0.0.0/5 anywhere
LOG all -- 248.0.0.0/5 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 248.0.0.0/5 anywhere
LOG all -- 172.16.0.0/12 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 172.16.0.0/12 anywhere
LOG all -- 192.168.0.0/16 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 192.168.0.0/16 anywhere
LOG all -- 10.25.215.194 anywhere LOG level debug tcp-options ip-options prefix `SPOOF '
DROP all -- 10.25.215.194 anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level debug tcp-options ip-options prefix `ILLEGAL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere state NEW tcp flags:FIN,SYN,RST,PSH,ACK,URG/ACK LOG level debug tcp-options ip-options prefix `ACKSCAN '
DROP tcp -- anywhere anywhere state NEW tcp flags:FIN,SYN,RST,PSH,ACK,URG/ACK
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN LOG level debug tcp-options ip-options prefix `FINSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level debug tcp-options ip-options prefix `XMASSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level debug tcp-options ip-options prefix `NULLSCAN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere multiport dports telnet,hosts2-ns,sunrpc,ntp,snmp,printer,dsf,search-agent,nessus,serialgateway,ms-sql-s,ica,shilp,mysql,ndl-aas LOG level debug tcp-options ip-options prefix `PROBE '
DROP tcp -- anywhere anywhere multiport dports telnet,hosts2-ns,sunrpc,ntp,snmp,printer,dsf,search-agent,nessus,serialgateway,ms-sql-s,ica,shilp,mysql,ndl-aas
LOG tcp -- anywhere anywhere multiport dports ms-wbt-server,pcanywheredata,pcanywherestat,6635,http-alt,9055,italk,24452,27374,27573,31337,42484 LOG level debug tcp-options ip-options prefix `PROBE '
DROP tcp -- anywhere anywhere multiport dports ms-wbt-server,pcanywheredata,pcanywherestat,6635,http-alt,9055,italk,24452,27374,27573,31337,42484
LOG udp -- anywhere anywhere multiport dports ssh,snmp,blackjack,net-assistant,5634,5882,28431,31337,31789 LOG level debug ip-options prefix `PROBE '
DROP udp -- anywhere anywhere multiport dports ssh,snmp,blackjack,net-assistant,5634,5882,28431,31337,31789
LOG all -- anywhere anywhere state INVALID LOG level debug tcp-options ip-options prefix `INVALID '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN LOG level debug tcp-options ip-options prefix `INVALID '
DROP tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN
LOG icmp -- anywhere anywhere LOG level debug ip-options prefix `ICMP: '
DROP icmp -- anywhere anywhere
LOG tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds LOG level debug ip-options prefix `SMB: '
LOG udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm LOG level debug ip-options prefix `SMB: '
DROP tcp -- anywhere anywhere multiport dports netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm
LOG tcp -- anywhere anywhere length ! 40:68 LOG level debug tcp-options ip-options prefix `PACKET_LENGTH_BAD: '
DROP tcp -- anywhere anywhere length ! 40:68
LOG all -- anywhere anywhere LOG level debug tcp-options ip-options prefix `ALL_ELSE '
DROP all -- anywhere anywhere
Chain ICMP_CHK (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp network-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp host-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp port-unreachable limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 1/sec burst 5
CUST_LOG all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
SPOOF_CHK all -- anywhere anywhere
SANITY_CHK tcp -- anywhere anywhere
STATE_CHK all -- anywhere anywhere
ACCEPT all -- 127.0.0.0/24 127.0.0.0/24 state NEW
TCP_CHK tcp -- anywhere anywhere
UDP_CHK udp -- anywhere anywhere
ICMP_CHK icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
SPOOF_CHK all -- anywhere anywhere
SANITY_CHK tcp -- anywhere anywhere
STATE_CHK all -- anywhere anywhere
ACCEPT tcp -- anywhere spacken.net state NEW tcp dpt:15551 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere spacken.net state NEW tcp dpt:15552 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere assassine.net state NEW tcp dpt:15553 flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere assassine.net state NEW tcp dpt:15554 flags:FIN,SYN,RST,ACK/SYN
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain SANITY_CHK (2 references)
target prot opt source destination
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
CUST_LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
Chain SPOOF_CHK (2 references)
target prot opt source destination
CUST_LOG all -- 127.0.0.0/8 anywhere
CUST_LOG all -- 240.0.0.0/5 anywhere
CUST_LOG all -- 248.0.0.0/5 anywhere
CUST_LOG all -- 172.16.0.0/12 anywhere
CUST_LOG all -- 192.168.0.0/16 anywhere
CUST_LOG all -- 10.25.215.194 anywhere
Chain STATE_CHK (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
CUST_LOG all -- anywhere anywhere state INVALID
CUST_LOG tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain TCP_CHK (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports ftp state NEW length 40:68 tcp flags:FIN,SYN,RST,ACK/SYN
CUST_LOG all -- anywhere anywhere
Chain UDP_CHK (1 references)
target prot opt source destination
CUST_LOG all -- anywhere anywhere
--( $:~ )-- ping hero
PING hero.net (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.414 ms
--- hero.net ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.414/0.414/0.414/0.000 ms
--( root@hero )-( 2/pts )-( 16:33/03-Sep-05 )--
--( $:~ )-- uname -a
Linux hero 2.6.11.12 #1 Thu Aug 25 16:59:32 CEST 2005 i686 pentium3 i386 GNU/Linux
danke
sm0ker