Old 10-26-2003, 01:39 AM   #1
chrisknight
Member
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139
iptables rc.firewall file

I've been getting hammered by an MS-SQL Worm propagation attempt, UDP port 1434.

I'm trying to block it like this:
/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -s 0/0 -j DROP

My question is, do I need the source (-s 0/0) or could I just leave it out and append the INPUT argument like this:

/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -j DROP

Last edited by chrisknight; 10-26-2003 at 01:41 AM.
Old 10-26-2003, 06:58 AM   #2
david_ross
Moderator
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047
You shouldn't need the source - by default it will block everything (are you sure it runs over udp though?).
Old 10-26-2003, 07:16 AM   #3
chrisknight
Member
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
My IDS gives me a port # and possible cause. It does not give me a protocol. I looked up (google) "port 1434".
My IDS says, "MS-SQL Worm propagation attempt"... So does google but I got conflicting stories. So I blocked 1434 TCP & UDP.

I tried this today and cleared my logs (still awaiting the outcome):

# block MS-SQL Worm propagation attempt
/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 1434 -s 0/0 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1434 -s 0/0 -j DROP

# Logging TCP ports 1024 - 65535, except 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j LOG
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j LOG

# STEALTHING (dropping) TCP ports 1024 - 65535, except 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j DROP

I'm also trying to stealth TCP 1024 - 65535.
I read that I couldn't have 2 rules addressing the same port, so I excluded it from my log and drop/stealth rules between 1024 - 65535.

I hope that works...
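The ruleset the poster is building, written out as an added example that is not part of the thread. Two points from the discussion drive its shape: a rule with no -s already matches every source address, so -s 0/0 adds nothing; and LOG is a non-terminating target, so a LOG rule followed by a DROP rule on the same port range works as expected (the packet is logged, then the next rule drops it), which removes the need to carve 1434 out of the 1024:65535 range. The script wraps every iptables call so the rules can be previewed without root. RED_DEV defaulting to eth1, the script's preview/apply arguments, and the rate-limit values on the LOG rule are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the INPUT rules as one
# ordered list; run with "preview" to print them, "apply" to install them.
RED_DEV="${RED_DEV:-eth1}"          # external interface (SmoothWall-style name, assumed)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run: execute the rule, or print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# ruleset: the rules in the order the kernel evaluates them.
ruleset() {
    # Block the worm probe on both transports first. No -s is given: a rule
    # without a source match already applies to every source address.
    run -A INPUT -i "$RED_DEV" -p udp --dport 1434 -j DROP
    run -A INPUT -i "$RED_DEV" -p tcp --dport 1434 -j DROP

    # Log new connection attempts to high TCP ports. LOG does not stop
    # rule traversal, so the DROP below still sees the same packet.
    # The limit values are an assumption; they keep a probe flood from
    # filling the log.
    run -A INPUT -i "$RED_DEV" -p tcp --dport 1024:65535 --syn \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "HIGH-PORT-SYN: "

    # Now drop them; same port range as the LOG rule, no exclusion needed.
    run -A INPUT -i "$RED_DEV" -p tcp --dport 1024:65535 --syn -j DROP
}

# preview: print the rules that would be installed, without touching the kernel.
preview() {
    ( DRY_RUN=1; ruleset )
}

# rule_count: how many rules the script installs (handy sanity check).
rule_count() {
    preview | wc -l | tr -d ' '
}

case "${1:-}" in
    preview) preview ;;
    apply)   ruleset ;;
esac
```

Run it as `sh rules.sh preview` to see the four commands in evaluation order, then `sh rules.sh apply` as root; `iptables -L INPUT -n -v --line-numbers` afterwards shows the per-rule packet counters, which is the quickest way to confirm the 1434 rules are the ones absorbing the probes.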