
RE: iptables



Thanks for the suggestion, David.

I'll give it a shot.  I tend to forget the old maxim KISS!  You are
certainly right, I overcomplicated this.

-----Original Message-----
From: taroon-list-bounces redhat com
[mailto:taroon-list-bounces redhat com] On Behalf Of Williams, David A.
- DAWilliams
Sent: Friday, August 05, 2005 3:00 PM
To: taroon-list redhat com
Subject: RE: iptables

I'm sure you will get better answers than this, but my two cents...
Try a simpler set of rules to block those four random addresses:

#block anything sourced from aaa.aaa.aaa.aaa:
-A INPUT -s aaa.aaa.aaa.aaa -j DROP 
#block anything going to aaa.aaa.aaa.aaa:
-A OUTPUT -d aaa.aaa.aaa.aaa -j DROP 
#try the same for forwarded traffic
-A FORWARD -s aaa.aaa.aaa.aaa -j DROP 
-A FORWARD -d aaa.aaa.aaa.aaa -j DROP 

I suspect the extra -m tcp and the FORWARD rules with both source and
destination being the bad addresses.  Also if you want to stop all the
traffic, I wouldn't worry about protocol or ports, just block the IPs.

Of course finding out what's running that shouldn't would also be good.

-David

-----Original Message-----
Message: 1
Date: Fri, 5 Aug 2005 15:31:19 -0500
From: "Magee, Fred (MRC)" <fred magee atk com>
Subject: iptables
To: <taroon-list redhat com>
Message-ID:
	<3535C9C4B7DBD34298DBF40A540C2254018C9924 mn01se03 atk com>
Content-Type: text/plain; charset="us-ascii"

Good afternoon.
 
I have a mystery process running on my vmware client system under WinXP
Professional that is streaming data to one of four random ip addresses.
I've modified /etc/sysconfig/iptables as follows in an attempt to block
this access:
 
# Generated by iptables-save v1.2.8 on Fri Aug  5 12:48:07 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 63.236.48.222 -p tcp -m tcp -j DROP 
-A INPUT -s 63.236.48.222 -p udp -m udp -j DROP 
-A INPUT -s 4.79.72.30 -p udp -m udp -j DROP 
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP 
-A INPUT -s 67.72.120.61 -p tcp -m tcp -j DROP 
-A INPUT -s 67.72.120.61 -p udp -m udp -j DROP 
-A INPUT -s 208.172.13.253 -p tcp -m tcp -j DROP 
-A INPUT -s 208.172.13.253 -p udp -m udp -j DROP 
-A INPUT -s 209.3.40.190 -p tcp -m tcp -j DROP 
-A INPUT -s 209.3.40.190 -p udp -m udp -j DROP 
-A INPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP 
-A INPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP 
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p tcp -m tcp -j DROP 
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p udp -m udp -j DROP 
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p udp -m udp -j DROP 
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP 
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p udp -m udp -j DROP 
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p tcp -m tcp -j DROP 
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p tcp -m tcp -j DROP 
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p udp -m udp -j DROP 
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p tcp -m tcp -j DROP 
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p udp -m udp -j DROP 
-A FORWARD -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -s 192.168.1.67 -p udp -m udp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT 
-A OUTPUT -d 63.236.48.222 -p tcp -m tcp -j DROP 
-A OUTPUT -d 63.236.48.222 -p udp -m udp -j DROP 
-A OUTPUT -d 4.79.72.30 -p udp -m udp -j DROP 
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP 
-A OUTPUT -d 67.72.120.61 -p tcp -m tcp -j DROP 
-A OUTPUT -d 67.72.120.61 -p udp -m udp -j DROP 
-A OUTPUT -d 208.172.13.253 -p tcp -m tcp -j DROP 
-A OUTPUT -d 208.172.13.253 -p udp -m udp -j DROP 
-A OUTPUT -d 209.3.40.190 -p tcp -m tcp -j DROP 
-A OUTPUT -d 209.3.40.190 -p udp -m udp -j DROP 
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP 
-A OUTPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP 
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --dport 222 -j DROP 
-A OUTPUT -s 192.168.1.67 -p udp -m udp --dport 222 -j DROP 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Fri Aug  5 12:48:07 2005
 
 
I'm not sure if traffic from my guest machine is considered input/output
or forward so I hedged my bets and placed rules in all three chains.  I
restarted iptables after these modifications and iptables -L shows the
rules in effect.  I'm still getting evidence of continued traffic as can
be seen from the following snippet from tcpdump:
 
14:16:01.696211 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696218 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696829 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.696837 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.783858 4.79.72.30.http > 192.168.1.67.1056: . ack 285 win 6432
14:16:01.804597 4.79.72.30.http > 192.168.1.67.1056: P 1:472(471) ack 285 win 6432
14:16:01.811094 4.79.72.30.http > 192.168.1.67.1056: . 472:1852(1380) ack 285 win 6432
14:16:01.811575 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.811581 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.910538 4.79.72.30.http > 192.168.1.67.1056: P 1852:2677(825) ack 285 win 6432
14:16:02.057130 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)
14:16:02.057141 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)
 
 
Port 222 was one of the ports used but I have not seen traffic to it
since implementing the rules set above.  The outgoing traffic has been
on various ports between 1040 and 1222 so I decided to block the whole
range from 1040-1250.
 
What am I missing here?  This is RedHat EL3.0 WS U5 but I continue to
see this traffic whenever I start the client Windows box.  This traffic
starts within a few seconds after the login screen appears even if I
don't log in.
 
Any tips as to how I can block all this extraneous traffic will be most
gratefully appreciated.
 
Thanks and have a great weekend.
 
 
 
------------------------------

--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list

End of Taroon-list Digest, Vol 18, Issue 9
******************************************


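An added example, not code from the thread, from iptables or from Red Hat, that makes the two posters' point checkable: it parses rules in iptables-save syntax, parses the tcpdump lines quoted above, and reports which rule (if any) each built-in chain would fire on for each packet. It models only the matches the thread uses (-s, -d, -p, -i, --sport, --dport, -j); any other match such as -m state or --icmp-type is treated as a wildcard, the capture interface is assumed to be eth0 and the captured packets are assumed to be TCP, all of which are simplifying assumptions. The ruleset excerpt is reduced to the 4.79.72.30 flow from the quoted file.

```python
"""Subset emulation of iptables rule matching, added for this thread (not code
from the thread or from iptables).  Handles -s, -d, -p, -i, --sport, --dport, -j;
any other match (-m state, --icmp-type, ...) is a wildcard here (an assumption)."""
import ipaddress
import re

SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}
TCPDUMP_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")

def _port_range(spec):          # '1040:1250' -> (1040, 1250); '222' -> (222, 222)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_ruleset(text):
    """iptables-save text -> (policy per chain, rules in file order)."""
    policies, rules = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(":"):                    # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy                # '-' marks a user-defined chain
        elif line.startswith("-A "):
            toks = line.split()
            rule = dict.fromkeys(("src", "dst", "proto", "iface", "sport", "dport", "target"))
            rule.update(chain=toks[1], raw=line)
            for opt, arg in zip(toks[2::2], toks[3::2]):   # every option used here takes one argument
                if opt in ("-s", "-d"):
                    rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False)
                elif opt in ("-p", "-i", "-j"):
                    rule[{"-p": "proto", "-i": "iface", "-j": "target"}[opt]] = arg
                elif opt in ("--sport", "--dport"):
                    rule[opt[2:]] = _port_range(arg)
                # anything else (-m tcp, --state NEW, --icmp-type 255) is a wildcard here
            rules.append(rule)
    return policies, rules

def rule_matches(rule, pkt):
    """True when every criterion the rule specifies fits the packet."""
    return (all(rule[k] is None or ipaddress.ip_address(pkt[k]) in rule[k] for k in ("src", "dst"))
            and all(rule[k] is None or rule[k] == pkt[k] for k in ("proto", "iface"))
            and all(rule[k] is None or rule[k][0] <= pkt[k] <= rule[k][1] for k in ("sport", "dport")))

def verdict(chain, pkt, policies, rules, _nested=False):
    """Walk a chain in order, following jumps into user chains -> (target, deciding rule)."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if policies.get(rule["target"]) == "-":          # jump into a user-defined chain
            sub = verdict(rule["target"], pkt, policies, rules, _nested=True)
            if sub[0] is not None:
                return sub
            continue                                     # that chain fell through; resume here
        return rule["target"], rule["raw"]
    if _nested:
        return None, None                                # end of user chain: back to the caller
    return policies.get(chain, "ACCEPT"), None           # built-in chain: default policy applies

def parse_tcpdump(line, iface="eth0"):
    """One line of the thread's tcpdump format -> packet dict.  The lines carry TCP
    flag/ack fields, so proto is tcp unless 'udp' appears; interface assumed eth0."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    port = lambda p: SERVICE_PORTS.get(p) or int(p)
    return {"src": src, "dst": dst, "iface": iface, "sport": port(sport),
            "dport": port(dport), "proto": "udp" if " udp" in line.lower() else "tcp"}

def simple_ruleset(addresses):
    """David's scheme: drop everything to or from each address in all three chains."""
    lines = [":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for a in addresses:
        lines += [f"-A INPUT -s {a} -j DROP", f"-A OUTPUT -d {a} -j DROP",
                  f"-A FORWARD -s {a} -j DROP", f"-A FORWARD -d {a} -j DROP"]
    return "\n".join(lines) + "\n"

# Excerpt of the ruleset quoted in the thread, reduced to the 4.79.72.30 flow.
FRED_RULES = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP
-A INPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP
-A FORWARD -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
"""
# Two lines from the tcpdump snippet in the thread, one in each direction.
CAPTURE = ["14:16:01.696829 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)",
           "14:16:01.804597 4.79.72.30.http > 192.168.1.67.1056: P 1:472(471) ack 285 win 6432"]

if __name__ == "__main__":
    for label, text in (("thread ruleset", FRED_RULES), ("simplified", simple_ruleset(["4.79.72.30"]))):
        policies, rules = parse_ruleset(text)
        for pkt in map(parse_tcpdump, CAPTURE):
            for chain in ("INPUT", "FORWARD", "OUTPUT"):
                target, rule = verdict(chain, pkt, policies, rules)
                print(f"{label:15} {pkt['src']:>13} -> {pkt['dst']:<13} {chain:8} {target:7} {rule or '(policy)'}")
```

Run against the thread's own rules, the FORWARD chain never catches the captured flow: the `-s X -d X` rules need source and destination to be the same address, the 192.168.1.67 rule requires the destination port to fall in 1040:1250 while the flow goes to port 80, and the chain then jumps to RH-Firewall-1-INPUT, whose `-i eth0` rule accepts it. David's address-only rules drop the same packets in FORWARD in both directions. What the emulator cannot tell you is whether the guest's packets traverse the host's chains at all; that depends on how VMware attaches the virtual NIC (a bridged guest is switched onto the physical interface below netfilter, so none of the host's filter chains see its packets), so reading the per-rule packet counters with `iptables -L -v -n` while the traffic is flowing is the first check to make.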