On 12/30/2012 10:21 PM, Walter Dnes wrote:

> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [0:0] -A FECESBOOK -j DROP
> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED

In fact, since you're blocking all outgoing packets to facebook, the
only state that a packet from facebook can have here is INVALID or NEW.
So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.

> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK

...making these pointless =)

> [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
> [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG

I believe the same applies here, since you already accepted your
legitimate LAN traffic above. For this to catch anything, you'd first
have to send a packet to one of those subnets and something would have
to respond to it.

> [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

So it makes even more sense to move this above the rest. If you still
want to log facebook and other private traffic, the INVALID,NEW rule
should come after those, otherwise the facebook/private stuff will just
be dropped as UNSOLICITED.
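The ordering point above can be checked without touching a live firewall. The script below is an added example written for this page, not code from the thread: it is a minimal first-match simulation of INPUT chain traversal that understands only the matches the quoted ruleset uses (-s, -i, -m conntrack --ctstate) and the targets ACCEPT, DROP, LOG and jumps into user chains. The quoted FECESBOOK chain is reproduced as given; the contents of UNSOLICITED (plain DROP), PRIVATE_LOG (LOG with prefix "PRIVATE:" then DROP) and the INPUT policy (DROP) are assumptions, since the thread does not show them. The duplicate 69.63.176.0/20 line is listed once.

```python
"""First-match simulation of the quoted iptables INPUT ruleset.

Constructed example: models -s, -i, --ctstate and the targets ACCEPT, DROP,
LOG and user-chain jumps. ASSUMED (not shown in the thread): UNSOLICITED only
DROPs, PRIVATE_LOG logs with prefix "PRIVATE:" then DROPs, INPUT policy DROP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP"}


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    src: Optional[str] = None            # -s CIDR
    iface: Optional[str] = None          # -i IFACE
    ctstate: frozenset = frozenset()     # -m conntrack --ctstate A,B
    log_prefix: str = ""                 # --log-prefix (LOG target only)


@dataclass(frozen=True)
class Packet:
    src: str
    iface: str
    ctstate: str   # conntrack state the kernel would assign: NEW, ESTABLISHED, ...


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.ctstate and pkt.ctstate not in rule.ctstate:
        return False
    return True


def walk(rules: List[Rule], chain: str, pkt: Packet, logs: List[str]) -> Optional[str]:
    """Traverse one chain top to bottom; None means fall-through (implicit RETURN)."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt):
            continue
        if rule.target == "LOG":          # non-terminating: record and keep going
            logs.append(rule.log_prefix)
        elif rule.target in TERMINATING:
            return rule.target
        else:                             # jump into a user chain
            verdict = walk(rules, rule.target, pkt, logs)
            if verdict is not None:
                return verdict
    return None


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Return (final verdict, list of LOG prefixes emitted) for one packet."""
    logs: List[str] = []
    verdict = walk(rules, "INPUT", pkt, logs)
    return (verdict or policy, logs)


# User chains: FECESBOOK as quoted; UNSOLICITED and PRIVATE_LOG are assumed.
USER_CHAINS = [
    Rule("FECESBOOK", "LOG", log_prefix="FECESBOOK:"),
    Rule("FECESBOOK", "DROP"),
    Rule("UNSOLICITED", "DROP"),                         # assumed
    Rule("PRIVATE_LOG", "LOG", log_prefix="PRIVATE:"),   # assumed
    Rule("PRIVATE_LOG", "DROP"),                         # assumed
]
LAN_ACCEPT = [
    Rule("INPUT", "ACCEPT", src="192.168.123.248/29", iface="eth0"),
    Rule("INPUT", "ACCEPT", src="169.254.0.0/16", iface="eth0"),
    Rule("INPUT", "ACCEPT", iface="lo"),
]
UNSOLICITED_RULE = [Rule("INPUT", "UNSOLICITED", ctstate=frozenset({"INVALID", "NEW"}))]
FB_RULES = [Rule("INPUT", "FECESBOOK", src=n) for n in
            ["69.63.176.0/20", "69.220.144.0/20", "69.171.224.0/19",
             "200.58.112.0/20", "213.155.64.0/19"]]
PRIVATE_RULES = [Rule("INPUT", "PRIVATE_LOG", src=n) for n in
                 ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]]
ESTABLISHED = [Rule("INPUT", "ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"}))]

# Order exactly as quoted: INVALID,NEW jump comes before the logging rules.
ORIGINAL = LAN_ACCEPT + UNSOLICITED_RULE + FB_RULES + PRIVATE_RULES + ESTABLISHED + USER_CHAINS
# Order suggested in the reply: ESTABLISHED,RELATED first, logging next, INVALID,NEW last.
REORDERED = LAN_ACCEPT + ESTABLISHED + FB_RULES + PRIVATE_RULES + UNSOLICITED_RULE + USER_CHAINS


def compare(pkt: Packet) -> dict:
    return {"original": evaluate(ORIGINAL, pkt), "reordered": evaluate(REORDERED, pkt)}


if __name__ == "__main__":
    # Constructed sample packets: a facebook-range source, an RFC1918 source, a LAN host.
    for pkt in [Packet("69.63.180.1", "eth0", "NEW"),
                Packet("10.1.2.3", "eth0", "NEW"),
                Packet("192.168.123.250", "eth0", "NEW")]:
        print(pkt, compare(pkt))
```

With the quoted order, a NEW packet from 69.63.180.1 is dropped silently by UNSOLICITED and the FECESBOOK rules never see it; with the reordered set the same packet produces a "FECESBOOK:" log entry before being dropped, and ESTABLISHED traffic is accepted by the first conntrack rule it meets instead of walking every address-range rule first.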