# [solved] iptables-1.4.3.2

## 9dra

I have a problem when I add this rule on iptables-1.4.3.2:

```
# iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
```

It shows these errors:

```
iptables v1.4.3.2:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
```

What rules can I add to iptables that have the same effect as the rule above?

Please help ...

Thanks

Last edited by 9dra on Wed Oct 07, 2009 8:06 am; edited 1 time in total

----------

## jomen

Don't do it in the "nat" table (leave out the "-t nat"), like the error message says.

Not really sure about the "same effect"...

----------

## Hu

What are you trying to deny?  Is the Squid on the firewall machine, or is it on an internal machine for which the firewall serves as a router?

----------

## 9dra

I have a router/server with chillispot on the same server as the proxy. When I use chillispot with the proxy, it skips the authentication when I configure Mozilla Firefox with `<ip proxy>:<proxy port>`. Then I read on the chillispot forum to configure it with "iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP". But now when I configure it with iptables-1.4.3.2 it shows that error. Because of that I am searching for rules that have the same effect as the rule above.

----------

## Hu

Use `iptables -A INPUT -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP`, since the proxy is on the machine operating the firewall.

----------

## 9dra

Ok, thanks. I will try it.

----------

## 9dra

It does not work because it blocks the proxy and the client cannot access it. If I use -t nat to drop, it only blocks the manual proxy and allows the transparent proxy. I got the information from here: http://www.chillispot.info/chilliforum/viewtopic.php?id=189.

"you can add this line to your Chillispot Iptables firewall

```
##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT
##Allow transparent proxy (wiboon 2/2)
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
```

3128 is your squid port"

----------

## Anarcho

Please try the FORWARD rule for this:

```
iptables -A FORWARD -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
```

----------

## ferreirafm

Hi there,

I am also having problems setting iptables rules. My current rules are as follows:

```
# Generated by iptables-save
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# permit people to ssh into this computer
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# permit ftp and web hosting services
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# permit windows file sharing
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# permit five ports for bittorrent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# reject all other packets coming into the computer, even from other
# computers in the local area network
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

which gives me:

```
externo log # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:137:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:426
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:6881:6886
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

However, my syslog file (/var/log/messages) still has thousands of logging attempts:

```
Oct  6 19:42:32 externo sshd[28035]: Failed keyboard-interactive/pam for root from 220.165.9.232 port 17503 ssh2
Oct  6 19:44:12 externo sshd[28041]: Connection from 213.215.191.170 port 53652
Oct  6 19:44:14 externo sshd[28041]: reverse mapping checking getaddrinfo for adsl-mi4-170.it.colt.net [213.215.191.170] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct  6 19:44:14 externo sshd[28044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.215.191.170  user=root
Oct  6 19:44:16 externo sshd[28041]: error: PAM: Authentication failure for root from 213.215.191.170
Oct  6 19:44:16 externo sshd[28041]: Failed keyboard-interactive/pam for root from 213.215.191.170 port 53652 ssh2
Oct  6 19:47:39 externo sshd[28054]: Connection from 200.51.40.154 port 58193
Oct  6 19:47:42 externo sshd[28054]: reverse mapping checking getaddrinfo for host154.advance.com.ar [200.51.40.154] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct  6 19:47:42 externo sshd[28057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.51.40.154  user=root
Oct  6 19:47:44 externo sshd[28054]: error: PAM: Authentication failure for root from 200.51.40.154
Oct  6 19:47:44 externo sshd[28054]: Failed keyboard-interactive/pam for root from 200.51.40.154 port 58193 ssh2
Oct  6 19:49:23 externo sshd[28061]: Connection from 61.158.154.11 port 5714
Oct  6 19:49:26 externo sshd[28061]: reverse mapping checking getaddrinfo for 11.154.158.61.ha.cnc [61.158.154.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct  6 19:49:26 externo sshd[28064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.158.154.11  user=root
Oct  6 19:49:29 externo sshd[28061]: error: PAM: Authentication failure for root from 61.158.154.11
Oct  6 19:49:29 externo sshd[28061]: Failed keyboard-interactive/pam for root from 61.158.154.11 port 5714 ssh2
Oct  6 19:50:01 externo cron[28067]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct  6 19:51:15 externo sshd[28078]: Connection from 222.128.48.222 port 39051
Oct  6 19:51:19 externo sshd[28081]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.128.48.222  user=root
Oct  6 19:51:21 externo sshd[28078]: error: PAM: Authentication failure for root from 222.128.48.222
Oct  6 19:51:21 externo sshd[28078]: Failed keyboard-interactive/pam for root from 222.128.48.222 port 39051 ssh2
Oct  6 19:52:44 externo sshd[28085]: Connection from 219.134.65.39 port 4074
Oct  6 19:52:47 externo sshd[28088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.134.65.39  user=root
Oct  6 19:52:49 externo sshd[28085]: error: PAM: Authentication failure for root from 219.134.65.39
Oct  6 19:52:49 externo sshd[28085]: Failed keyboard-interactive/pam for root from 219.134.65.39 port 4074 ssh2
```

Those rules seem not to be enough to prevent that flood of connections. Please, could someone help me get rid of such crappy attacks? Any tips are welcome.

----------
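The ruleset above accepts every new connection to port 22, so the firewall hands the brute-force attempts straight to sshd and the log is the only place they show up. The following is an added example, not code from the post or from any tool it mentions: it parses lines in the same format as the excerpt above, groups failed logins by source address and flags addresses that exceed a threshold inside a time window, which is the signal a fail2ban-style blocker turns into a temporary iptables rule. The sample lines are constructed; the addresses (documentation ranges) and PIDs are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the /var/log/messages excerpt above;
# addresses and PIDs are invented for this example.
SAMPLE_LOG = """\
Oct  6 19:44:16 externo sshd[28041]: error: PAM: Authentication failure for root from 203.0.113.5
Oct  6 19:44:16 externo sshd[28041]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 53652 ssh2
Oct  6 19:44:40 externo sshd[28045]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 53660 ssh2
Oct  6 19:45:02 externo sshd[28046]: Failed keyboard-interactive/pam for admin from 203.0.113.5 port 53671 ssh2
Oct  6 19:47:44 externo sshd[28054]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 58193 ssh2
Oct  6 19:50:01 externo cron[28067]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct  6 19:52:49 externo sshd[28085]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 4074 ssh2
"""

# One failed authentication, whatever the method (keyboard-interactive/pam,
# password, ...); an "invalid user" prefix is skipped so the name stays clean.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def failed_logins(log_text):
    """Group failed logins by source: {ip: [(datetime, user), ...]}.
    PAM, connection and cron lines are ignored; only the final 'Failed'
    line is counted, so each attempt is counted exactly once."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; deltas within a day still work
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            per_ip[m["ip"]].append((ts, m["user"]))
    return dict(per_ip)

def offenders(log_text, threshold=3, window_seconds=120):
    """Sorted addresses with at least `threshold` failures inside some
    `window_seconds` span (sliding window over the sorted timestamps)."""
    flagged = []
    for ip, events in failed_logins(log_text).items():
        times = sorted(t for t, _ in events)
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```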

## 9dra

*9dra wrote:*

> It does not work because it blocks the proxy and the client cannot access it. If I use -t nat to drop, it only blocks the manual proxy and allows the transparent proxy. I got the information from here: http://www.chillispot.info/chilliforum/viewtopic.php?id=189.
>
> "you can add this line to your Chillispot Iptables firewall
>
> ##Allow transparent proxy (wiboon 1/2)
> ...

I found the solution:

```
# iptables -t mangle -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
```

It works like in the NAT table :Very Happy:

----------
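Why the INPUT rule blocked every client while the nat and mangle placements only blocked manual-proxy clients comes down to hook order. The following is an added model, not code from the thread or from iptables: it walks a SYN through mangle PREROUTING, nat PREROUTING (where the chillispot snippet's REDIRECT rewrites dport 80 to 3128) and filter INPUT, with the thread's DROP rule placed in one table at a time. FORWARD is left out because packets delivered to the local proxy never traverse it; the nat case shows what an iptables build that still allowed DROP there would do.

```python
from dataclasses import dataclass

PROXY_PORT = 3128                         # squid port from the thread
HOOK_ORDER = ("mangle", "nat", "filter")  # mangle PREROUTING, nat PREROUTING,
                                          # then filter INPUT for a local packet

@dataclass
class Packet:
    iface: str
    dport: int
    syn: bool = True  # the thread's --syn rules only match the first packet

def drop_proxy_syn(pkt):
    """The thread's rule: -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP."""
    return pkt.iface == "tun0" and pkt.dport == PROXY_PORT and pkt.syn

def redirect_http(pkt):
    """nat PREROUTING rule from the chillispot snippet:
    -i tun0 -p tcp --dport 80 -j REDIRECT --to-ports 3128.
    Returns the destination port the packet carries after this hook."""
    if pkt.iface == "tun0" and pkt.dport == 80:
        return PROXY_PORT
    return pkt.dport

def verdict(pkt, drop_table):
    """Run pkt through the hooks with the DROP rule placed in drop_table
    ('mangle', 'nat' or 'filter').  In the nat case the DROP rule sits
    before the REDIRECT, as in the snippet.  Returns 'DROP' or 'ACCEPT'."""
    dport = pkt.dport
    for table in HOOK_ORDER:
        current = Packet(pkt.iface, dport, pkt.syn)
        if table == drop_table and drop_proxy_syn(current):
            return "DROP"
        if table == "nat":
            dport = redirect_http(current)  # the port rewrite happens here
    return "ACCEPT"

def compare_tables():
    """Verdict per placement for the two client types in the thread: a
    manual proxy user connects to 3128 directly, a transparent-proxy user
    connects to 80 and is redirected.  Returns {table: (manual, transparent)}."""
    manual = Packet("tun0", PROXY_PORT)
    transparent = Packet("tun0", 80)
    return {t: (verdict(manual, t), verdict(transparent, t))
            for t in HOOK_ORDER}
```

The filter placement drops both clients because INPUT sees the redirected packet after its port has already become 3128, which is exactly what 9dra observed; mangle PREROUTING runs before the rewrite and so distinguishes the two.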

## 9dra

*Anarcho wrote:*

> Please try the FORWARD rule for this:
>
> iptables -A FORWARD -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP

I will try this too ...

----------

