Taroon-list Digest, Vol 18, Issue 9

2005-08-05       - By snailcanfly


-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)]
On Behalf Of taroon-list-request@(protected)
Sent: 2005-08-06 4:32
To: taroon-list@(protected)
Subject: Taroon-list Digest, Vol 18, Issue 9

Send Taroon-list mailing list submissions to
  taroon-list@(protected)

To subscribe or unsubscribe via the World Wide Web, visit
  http://www.redhat.com/mailman/listinfo/taroon-list
or, via email, send a message with subject or body 'help' to
  taroon-list-request@(protected)

You can reach the person managing the list at
  taroon-list-owner@(protected)

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Taroon-list digest..."


Today's Topics:

  1. iptables (Magee, Fred (MRC))


----------------------------------------------------------------------

Message: 1
Date: Fri, 5 Aug 2005 15:31:19 -0500
From: "Magee, Fred \(MRC\)" <fred.magee@(protected)>
Subject: iptables
To: <taroon-list@(protected)>
Message-ID:
  <3535C9C4B7DBD34298DBF40A540C2254018C9924@(protected)>
Content-Type: text/plain; charset="us-ascii"

Good afternoon.

I have a mystery process running on my vmware client system under WinXP
Professional that is streaming data to one of four random ip addresses.
I've modified /etc/sysconfig/iptables as follows in an attempt to block
this access:

# Generated by iptables-save v1.2.8 on Fri Aug  5 12:48:07 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 63.236.48.222 -p tcp -m tcp -j DROP
-A INPUT -s 63.236.48.222 -p udp -m udp -j DROP
-A INPUT -s 4.79.72.30 -p udp -m udp -j DROP
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP
-A INPUT -s 67.72.120.61 -p tcp -m tcp -j DROP
-A INPUT -s 67.72.120.61 -p udp -m udp -j DROP
-A INPUT -s 208.172.13.253 -p tcp -m tcp -j DROP
-A INPUT -s 208.172.13.253 -p udp -m udp -j DROP
-A INPUT -s 209.3.40.190 -p tcp -m tcp -j DROP
-A INPUT -s 209.3.40.190 -p udp -m udp -j DROP
-A INPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A INPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p tcp -m tcp -j DROP
-A FORWARD -s 63.236.48.222 -d 63.236.48.222 -p udp -m udp -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p udp -m udp -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p udp -m udp -j DROP
-A FORWARD -s 67.72.120.61 -d 67.72.120.61 -p tcp -m tcp -j DROP
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p tcp -m tcp -j DROP
-A FORWARD -s 208.172.13.253 -d 208.172.13.253 -p udp -m udp -j DROP
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p tcp -m tcp -j DROP
-A FORWARD -s 209.3.40.190 -d 209.3.40.190 -p udp -m udp -j DROP
-A FORWARD -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -s 192.168.1.67 -p udp -m udp --sport 1040:1250 --dport 1040:1250 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -d 63.236.48.222 -p tcp -m tcp -j DROP
-A OUTPUT -d 63.236.48.222 -p udp -m udp -j DROP
-A OUTPUT -d 4.79.72.30 -p udp -m udp -j DROP
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP
-A OUTPUT -d 67.72.120.61 -p tcp -m tcp -j DROP
-A OUTPUT -d 67.72.120.61 -p udp -m udp -j DROP
-A OUTPUT -d 208.172.13.253 -p tcp -m tcp -j DROP
-A OUTPUT -d 208.172.13.253 -p udp -m udp -j DROP
-A OUTPUT -d 209.3.40.190 -p tcp -m tcp -j DROP
-A OUTPUT -d 209.3.40.190 -p udp -m udp -j DROP
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A OUTPUT -s 192.168.1.67 -p udp -m udp --sport 1040:1250 -j DROP
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --dport 222 -j DROP
-A OUTPUT -s 192.168.1.67 -p udp -m udp --dport 222 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Fri Aug  5 12:48:07 2005


I'm not sure if traffic from my guest machine is considered input/output
or forward so I hedged my bets and placed rules in all three chains.  I
restarted iptables after these modifications and iptables -L shows the
rules in effect.  I'm still getting evidence of continued traffic as can
be seen from the following snippet from tcpdump:

14:16:01.696211 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696218 192.168.1.67.1056 > 4.79.72.30.http: . ack 1 win 64240 (DF)
14:16:01.696829 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.696837 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.783858 4.79.72.30.http > 192.168.1.67.1056: . ack 285 win 6432
14:16:01.804597 4.79.72.30.http > 192.168.1.67.1056: P 1:472(471) ack 285 win 6432
14:16:01.811094 4.79.72.30.http > 192.168.1.67.1056: . 472:1852(1380) ack 285 win 6432
14:16:01.811575 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.811581 192.168.1.67.1056 > 4.79.72.30.http: . ack 1852 win 64240 (DF)
14:16:01.910538 4.79.72.30.http > 192.168.1.67.1056: P 1852:2677(825) ack 285 win 6432
14:16:02.057130 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)
14:16:02.057141 192.168.1.67.1056 > 4.79.72.30.http: . ack 2677 win 63415 (DF)


Port 222 was one of the ports used but I have not seen traffic to it
since implementing the rule set above.  The outgoing traffic has been
on various ports between 1040 and 1222 so I decided to block the whole
range from 1040-1250.

What am I missing here?  This is RedHat EL3.0 WS U5 but I continue to
see this traffic whenever I start the client Windows box.  This traffic
starts within a few seconds after the login screen appears even if I
don't log in.

Any tips as to how I can block all this extraneous traffic will be most
gratefully appreciated.

Thanks and have a great weekend.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://www.redhat.com/archives/taroon-list/attachments/20050805/6eff278c/attachment.htm

------------------------------

--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list

End of Taroon-list Digest, Vol 18, Issue 9
******************************************
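Added example, not part of the original post or of the Red Hat list: a small Python checker that parses an iptables-save dump and tcpdump lines in the format shown above, reports which filter chains would DROP each packet, and states which chain the host's own IP stack would actually run that packet through. The ruleset and trace are the post's own, trimmed to the lines concerning 4.79.72.30 and embedded as constructed data; the host address 192.168.1.10 is an assumption. Run on that data it shows that the guest's packet to 4.79.72.30 would be dropped in INPUT and OUTPUT, but those chains only carry traffic addressed to or sent by the host itself; with source 192.168.1.67 the packet could only reach FORWARD, and there none of the posted rules match it (the 4.79.72.30 FORWARD rule requires the same address as both source and destination, and the range rule additionally requires the destination port to lie in 1040:1250). tcpdump captures on the interface outside the netfilter hooks, so a packet appearing there says nothing about which chain, if any, it traversed in the host's stack.

```python
"""Which iptables rules would match the packets tcpdump showed?

Added example, not code from the original post. It implements only the
matches used in the post's ruleset (-s/-d, -p tcp/udp, --sport/--dport with
single ports or lo:hi ranges); -m state and -i/-o are parsed but not
evaluated, so such a rule is treated as matching on address/port alone.
"""
import ipaddress
import re

# Constructed: the post's ruleset trimmed to the lines relevant to 4.79.72.30.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63:4488]
-A INPUT -s 4.79.72.30 -p tcp -m tcp -j DROP
-A INPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
-A FORWARD -s 4.79.72.30 -d 4.79.72.30 -p tcp -m tcp -j DROP
-A FORWARD -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 --dport 1040:1250 -j DROP
-A OUTPUT -d 4.79.72.30 -p tcp -m tcp -j DROP
-A OUTPUT -s 192.168.1.67 -p tcp -m tcp --sport 1040:1250 -j DROP
COMMIT
"""

# Constructed: two lines in the tcpdump 3.x format shown in the post.
TRACE = """\
14:16:01.696829 192.168.1.67.1056 > 4.79.72.30.http: P 1:285(284) ack 1 win 64240 (DF)
14:16:01.804597 4.79.72.30.http > 192.168.1.67.1056: P 1:472(471) ack 285 win 6432
"""

HOST_IP = "192.168.1.10"   # assumed address of the RHEL host; the guest is 192.168.1.67

SERVICES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}
PKT_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+): (.*)$")
FLAGS_WITH_ARG = ("-s", "-d", "-p", "--sport", "--dport", "-j", "-i", "-o", "-m", "--state")


def parse_rules(text):
    """Return (chain, options, target) for each -A line of an iptables-save dump."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = line.split()
        opts, i = {}, 2
        while i < len(tok):
            if tok[i] in FLAGS_WITH_ARG:
                opts[tok[i]] = tok[i + 1]
                i += 2
            else:
                i += 1            # flag not modelled here; skip it
        target = opts.pop("-j", "")
        rules.append((tok[1], opts, target))
    return rules


def port(name):
    return int(name) if name.isdigit() else SERVICES[name]


def parse_trace(text):
    """Return packets as dicts from tcpdump lines of the form 'src.port > dst.port: ...'."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            src, sport, dst, dport, rest = m.groups()
            pkts.append({"src": src, "sport": port(sport), "dst": dst, "dport": port(dport),
                         "proto": "udp" if rest.startswith("udp") else "tcp"})
    return pkts


def in_range(spec, p):
    lo, _, hi = spec.partition(":")
    return int(lo) <= p <= int(hi or lo)


def in_net(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(opts, pkt):
    """Address, protocol and port matches only."""
    return ((not ("-s" in opts) or in_net(pkt["src"], opts["-s"]))
            and (not ("-d" in opts) or in_net(pkt["dst"], opts["-d"]))
            and (not ("-p" in opts) or opts["-p"] == pkt["proto"])
            and (not ("--sport" in opts) or in_range(opts["--sport"], pkt["sport"]))
            and (not ("--dport" in opts) or in_range(opts["--dport"], pkt["dport"])))


def verdict(rules, chain, pkt):
    """Target of the first matching rule in the chain, or 'policy' when none matches."""
    for c, opts, target in rules:
        if c == chain and rule_matches(opts, pkt):
            return target
    return "policy"


def traversed_chain(pkt, host_ip):
    """The one filter chain the host's IP stack would run this packet through: INPUT if
    addressed to the host, OUTPUT if sent by it, FORWARD only if the host routes it.
    A guest whose frames the hypervisor bridges at layer 2 takes none of these paths."""
    if pkt["dst"] == host_ip:
        return "INPUT"
    if pkt["src"] == host_ip:
        return "OUTPUT"
    return "FORWARD (only if routed by the host)"


def analyse(ruleset, trace, host_ip):
    rules = parse_rules(ruleset)
    return [{"packet": f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]}/{p["proto"]}',
             "would_drop_in": [c for c in ("INPUT", "FORWARD", "OUTPUT") if verdict(rules, c, p) == "DROP"],
             "host_chain": traversed_chain(p, host_ip)}
            for p in parse_trace(trace)]


if __name__ == "__main__":
    for row in analyse(RULESET, TRACE, HOST_IP):
        print(row)
```

The check is deliberately conservative: it ignores `-m state`, so it can only over-report matches, never miss one; a chain it reports as "policy" really has no address/port rule covering that packet.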
