| 1 |
On 12/30/2012 10:21 PM, Walter Dnes wrote: |
| 2 |
> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 |
| 3 |
> [0:0] -A FECESBOOK -j DROP |
| 4 |
> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT |
| 5 |
> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT |
| 6 |
> [0:0] -A INPUT -i lo -j ACCEPT |
| 7 |
> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED |
| 8 |
|
| 9 |
In fact, since you're blocking all outgoing packets to facebook, the |
| 10 |
only state that a packet from facebook can have here is INVALID or NEW. |
| 11 |
So traffic from facebook will be sent to the UNSOLICITED chain and DROPped. |
| 12 |
|
| 13 |
|
| 14 |
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK |
| 15 |
> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK |
| 16 |
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK |
| 17 |
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK |
| 18 |
> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK |
| 19 |
> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK |
| 20 |
|
| 21 |
...making these pointless =) |
| 22 |
|
| 23 |
|
| 24 |
> [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG |
| 25 |
> [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG |
| 26 |
> [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG |
| 27 |
> [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG |
| 28 |
|
| 29 |
I believe the same applies here, since you already accepted your |
| 30 |
legitimate LAN traffic above. For this to catch anything, you'd first |
| 31 |
have to send a packet to one of those subnets and something would have |
| 32 |
to respond to it. |
| 33 |
|
| 34 |
|
| 35 |
> [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
| 36 |
|
| 37 |
So it makes even more sense to move this above the rest. If you still |
| 38 |
want to log facebook and other private traffic, the INVALID,NEW rule |
| 39 |
should come after those, otherwise the facebook/private stuff will just |
| 40 |
be dropped as UNSOLICITED. |
Archives