iptables

2005-08-05       - By Magee, Fred (MRC)


Thanks for the suggestion, David.

I'll give it a shot.  I tend to forget the old maxim KISS!  You are
certainly right; I overcomplicated this.

-----Original Message-----
From: taroon-list-bounces@(protected)
[mailto:taroon-list-bounces@(protected)] On Behalf Of Williams, David A.
- DAWilliams
Sent: Friday, August 05, 2005 3:00 PM
To: taroon-list@(protected)
Subject: RE: iptables

I'm sure you will get better answers than this, but my two cents...
Try a simpler set of rules to block those four random addresses:

#block anything sourced from aaa.aaa.aaa.aaa:
-A INPUT -s aaa.aaa.aaa.aaa -j DROP
#block anything going to aaa.aaa.aaa.aaa:
-A OUTPUT -d aaa.aaa.aaa.aaa -j DROP
#try the same for forwarded traffic
-A FORWARD -s aaa.aaa.aaa.aaa -j DROP
-A FORWARD -d aaa.aaa.aaa.aaa -j DROP

I suspect the extra -m tcp and the FORWARD rules with both source and
destination being the bad addresses.  Also if you want to stop all the
traffic, I wouldn't worry about protocol or ports, just block the IPs.

Of course finding out what's running that shouldn't would also be good.

-David

-----Original Message-----
Message: 1
Date: Fri, 5 Aug 2005 15:31:19 -0500
From: "Magee, Fred \(MRC\)" <fred.magee@(protected)>
Subject: iptables
To: <taroon-list@(protected)>
Message-ID:
  <3535C9C4B7DBD34298DBF40A540C2254018C9924@(protected)>
Content-Type: text/plain; charset="us-ascii"

Good afternoon.

I have a mystery process running on my vmware client system under WinXP
Professional that is streaming data to one of four random IP addresses.
I've modified /etc/sysconfig/iptables as follows in an attempt to block
this access:

# Generated by iptables-save v1.2.8 on Fri Aug  5 12:48:07 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 63.236.48.222 -p tcp -m tcp -j DROP
-A INPUT -s 63.236.48.222 -p udp -m udp -j DROP
-A INPUT -s 4.79.72.30 -p udp -m udp -j DROP
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP
-A INPUT -s 67.72.120.61 -p tcp -m tcp -j DROP
-A INPUT -s 67.72.120.61 -p udp -m udp -j DROP
-A INPUT -s 208.172.13.253 -p tcp -m tcp -j DROP
-A INPUT -s 208.172.13.253 -p udp -m udp -j DROP
-A INPUT -s 209.3.40.190 -p tcp -m tcp -j DROP
-A INPUT -s 209.3.40.190 -p udp -m udp -j DROP
-A INPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A INPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p tcp -m tcp -j DROP
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p udp -m udp -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p udp -m udp -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p udp -m udp -j DROP
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p tcp -m tcp -j DROP
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p tcp -m tcp -j DROP
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p udp -m udp -j DROP
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p tcp -m tcp -j DROP
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p udp -m udp -j DROP
-A FORWARD -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -s 192.168.1.67 -p udp -m udp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -d 63.236.48.222 -p tcp -m tcp -j DROP
-A OUTPUT -d 63.236.48.222 -p udp -m udp -j DROP
-A OUTPUT -d 4.79.72.30 -p udp -m udp -j DROP
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP
-A OUTPUT -d 67.72.120.61 -p tcp -m tcp -j DROP
-A OUTPUT -d 67.72.120.61 -p udp -m udp -j DROP
-A OUTPUT -d 208.172.13.253 -p tcp -m tcp -j DROP
-A OUTPUT -d 208.172.13.253 -p udp -m udp -j DROP
-A OUTPUT -d 209.3.40.190 -p tcp -m tcp -j DROP
-A OUTPUT -d 209.3.40.190 -p udp -m udp -j DROP
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A OUTPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --dport 222 -j DROP
-A OUTPUT -s 192.168.1.67 -p udp -m udp --dport 222 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Fri Aug  5 12:48:07 2005


I'm not sure if traffic from my guest machine is considered input/output
or forward so I hedged my bets and placed rules in all three chains.  I
restarted iptables after these modifications and iptables -L shows the
rules in effect.  I'm still getting evidence of continued traffic as can
be seen from the following snippet from tcpdump:

14:16:01.696211 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696218 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696829 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.696837 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.783858 4.79.72.30.http > 192.168.1.67.1056: . ack 285 win 6432
14:16:01.804597 4.79.72.30.http > 192.168.1.67.1056: P 1:472(471) ack 285 win 6432
14:16:01.811094 4.79.72.30.http > 192.168.1.67.1056: . 472:1852(1380) ack 285 win 6432
14:16:01.811575 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.811581 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.910538 4.79.72.30.http > 192.168.1.67.1056: P 1852:2677(825) ack 285 win 6432
14:16:02.057130 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)
14:16:02.057141 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)


Port 222 was one of the ports used but I have not seen traffic to it
since implementing the rules set above.  The outgoing traffic has been
on various ports between 1040 and 1222 so I decided to block the whole
range from 1040-1250.

What am I missing here?  This is RedHat EL3.0 WS U5 but I continue to
see this traffic whenever I start the client Windows box.  This traffic
starts within a few seconds after the login screen appears even if I
don't log in.

Any tips as to how I can block all this extraneous traffic will be most
gratefully appreciated.

Thanks and have a great weekend.



-------------- next part --------------
An HTML attachment was scrubbed...
URL:
https://www.redhat.com/archives/taroon-list/attachments/20050805/6eff278c/attachment.htm

------------------------------

--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list

End of Taroon-list Digest, Vol 18, Issue 9
******************************************
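The simplification David suggests, as an added example that is not part of the thread: a small Python checker (my own, not a Red Hat or netfilter tool) that parses rules in iptables-save format, flags rules whose -s and -d are the same single host (a packet is never both from and to one address, so such a FORWARD rule can never match) and emits the plain by-address DROP rules for all three chains instead. The sample rule set is constructed for the example from addresses quoted in the thread.

```python
import re

# Constructed sample in iptables-save format, modelled on the posted rule set.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP
COMMIT
"""

# "-A <chain> [<match options>] -j <target>"; options are optional so a bare
# jump such as "-A INPUT -j RH-Firewall-1-INPUT" also parses.
RULE_RE = re.compile(r"^-A\s+(\S+)(?:\s+(.*?))?\s+-j\s+(\S+)\s*$")


def parse_rules(text):
    """Return one dict per -A line: chain, -s, -d, target and the raw line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # table headers, chain policies, COMMIT, comments
        chain, opts, target = m.group(1), m.group(2) or "", m.group(3)
        src = re.search(r"(?:^|\s)-s\s+(\S+)", opts)
        dst = re.search(r"(?:^|\s)-d\s+(\S+)", opts)
        rules.append({"chain": chain, "target": target, "line": line,
                      "src": src.group(1) if src else None,
                      "dst": dst.group(1) if dst else None})
    return rules


def find_unmatchable(rules):
    """Rules with identical single-host -s and -d: these never match."""
    return [r for r in rules if r["src"] and r["src"] == r["dst"]]


def simplified_block(addresses):
    """Drop by IP in INPUT, OUTPUT and FORWARD with no protocol or port
    qualifiers, so every protocol and port to or from the host is covered."""
    out = []
    for ip in addresses:
        out.append(f"-A INPUT -s {ip} -j DROP")
        out.append(f"-A OUTPUT -d {ip} -j DROP")
        out.append(f"-A FORWARD -s {ip} -j DROP")
        out.append(f"-A FORWARD -d {ip} -j DROP")
    return out
```

Run it over the output of iptables-save to list the rules that can never fire before trimming the rule set.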
