LinuxQuestions.org
Old 04-04-2011, 07:55 AM   #1
Prosaca
Completely blocking ports with IPTables?


Hello. I'm new to this forum, but it has helped me a lot in the Linux world.

I have a root server, where I installed Squid Proxy Server weeks ago. Actually, the company where we host it has complained that "we sent spam" and pasted us an email log showing that we sent emails to two IPs on port 25.

Actually, I've changed the root password and activated a firewall that lets me ONLY access it via SSH, authenticating me by dyndns.

Another problem is, like I said, that I installed Squid and left it public; now people were using it without my permission, so I decided to uninstall it.

When I'm doing tcpdump, it shows people trying to reach it.

Quote:
[root@host ~]# tcpdump -n -i eth0 -s 0 src or dst port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:52:36.937269 IP 61.123.23.221.gtrack-ne > //hidenhost//.squid: S 999771478:999771478(0) win 65535 <mss 1414,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
14:52:36.975359 IP 190.167.53.255.51522 > //hidenhost//5.squid: S 2620618050:2620618050(0) win 8192 <mss 1400,nop,wscale 2,nop,nop,sackOK>
I have blocked port 3128 with this:
iptables -A INPUT -p udp --dport 3128 -j REJECT
iptables -A INPUT -p tcp --dport 3128 -j REJECT

Also, I tried DROP instead of REJECT, and it's still the same: when I do tcpdump it keeps showing IPs.

Now, my question is: is there any way of really blocking that port so my server doesn't have to handle those useless requests? I've also tried to block those IPs, and they keep showing!

I need help with this, as I am not an expert in Linux networking.

Many thanks.

Regards,
Ivan.
 
Old 04-04-2011, 08:52 AM   #2
acid_kewpie
Moderator
It is blocked. You don't need to block udp though; an http proxy is ONLY tcp. You're seeing those because the connections will still always hit the box no matter what iptables does; indeed, how can iptables block anything if it doesn't see the traffic?? The only way you're going to totally stop it is to put a firewall or something in front of the box (and btw, why is this not already happening?? You're exposing the server *directly* on the net?? WTF??)

Put simply, it's fine, and I'd suggest you read up about iptables to understand WHY it's fine IF you are interested. Otherwise, move on. I would suggest dropping (i.e. do it silently to ignore the client, rather than telling them explicitly to go away).
 
Old 04-04-2011, 10:30 PM   #3
stickman
Senior Member
You could take a different approach by setting the default action for the INPUT and FORWARD chains to DROP and then explicitly allowing only the connections that you want. This is a bit more pragmatic, since typically the list of inbound ports that you want to allow is much shorter than the list of those you want to block. Get your rule set together and make sure that you've got console access, just in case, when you swap the rule sets.
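One way to build what stickman describes (default DROP on INPUT and FORWARD, explicit allows only) while leaving port 3128 to the silent DROP that acid_kewpie recommends, as an added example that is not from the thread: a small POSIX shell generator for an iptables-restore ruleset. The admin address 203.0.113.10 is a constructed placeholder for the OP's dyndns host, and the gen_ruleset/count_port_rules names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny ruleset in
# iptables-restore format instead of appending per-port REJECT rules.
# 203.0.113.10 is a constructed placeholder for the OP's dyndns address.
# Port 3128 is deliberately not listed, so Squid traffic falls through
# to the INPUT policy and is dropped silently.
# Usage: gen_ruleset <ssh_source_cidr> [tcp ports to allow...]
gen_ruleset() {
    ssh_src=$1; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows that are already established
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management: SSH only from the admin's address (keep console access too)
-A INPUT -p tcp --dport 22 -s $ssh_src -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Number of rules that mention a given port; 0 for 3128 means the port is
# handled by the default policy alone, which is the intent here.
count_port_rules() {
    printf '%s\n' "$1" | grep -c -- "--dport $2" || true
}

# Example: SSH from the placeholder admin host, plus public HTTPS.
RULES=$(gen_ruleset 203.0.113.10/32 443)
printf '%s\n' "$RULES"
```

Apply it from a console session with `gen_ruleset 203.0.113.10/32 443 | iptables-restore`; tcpdump will still show the SYNs to 3128 because it taps the interface before netfilter, so confirm the block from the packet counters in `iptables -vnL INPUT` instead.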
 
Old 04-06-2011, 10:10 AM   #4
Prosaca
Aha, thanks for the info.

IPs are also blocked, same as ports.

Still, those IPs are hitting my box. Any way of totally blocking them?


Thanks.
 
Old 04-06-2011, 11:03 AM   #5
acid_kewpie
Moderator
You don't seem to have read our replies. Please read them again.
 
  

