Old 10-26-2003, 02:39 AM   #1
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Rep: Reputation: 15
iptables rc.firewall file

I've been getting hammered by an MS-SQL Worm propagation attempt, UDP port 1434.

I'm trying to block it like this:
/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -s 0/0 -j DROP

My question is, do I need the source (-s 0/0) or could I just leave it out and append the INPUT argument like this:

/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -j DROP

Last edited by chrisknight; 10-26-2003 at 02:41 AM.
Old 10-26-2003, 07:58 AM   #2
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 65
You shouldn't need the source - by default it will block everything (are you sure it runs over UDP though?).
Old 10-26-2003, 08:16 AM   #3
Registered: Jan 2003
Location: ohio
Distribution: CentOS5.5, SmoothWall 3.0
Posts: 139

Original Poster
Rep: Reputation: 15
My IDS gives me a port # and possible cause. It does not give me a protocol. I looked up (google) "port 1434".
My IDS says, "MS-SQL Worm propagation attempt"... So does google but I got conflicting stories. So I blocked 1434 TCP & UDP.

I tried this today & cleared my logs (still awaiting the outcome):

# block MS-SQL Worm propagation attempt
/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 1434 -s 0/0 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1434 -s 0/0 -j DROP

# Logging TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j LOG
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j LOG

# STEALTHING TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j DROP

I'm also trying to stealth TCP 1024 - 65535.
I read that I couldn't have 2 rules addressing the same port, so I excluded it from my Log & drop/stealth between 1024 - 65535.

I hope that works...
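An added example, not the poster's rc.firewall: iptables walks a chain top to bottom and stops at the first terminating target (DROP, ACCEPT, REJECT), so placing the 1434 DROP rules first lets a single LOG and a single DROP rule cover the whole 1024:65535 range, and the -s 0/0 match is omitted because it matches every source anyway. RED_DEV, the IPT path and the DRY_RUN echo wrapper are assumptions made so the fragment can be previewed without root.

```shell
#!/bin/sh
# Added example fragment for an rc.firewall, not the original poster's file.
# RED_DEV, IPT and DRY_RUN are assumed variables; DRY_RUN=1 only prints rules.
RED_DEV="${RED_DEV:-eth1}"
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Drop the worm probes first. Because the chain stops at the first
    # DROP, later range rules never see port 1434 and need no exclusion.
    # -s 0/0 is left out: a rule with no -s already matches any source.
    ipt -A INPUT -i "$RED_DEV" -p udp --dport 1434 -j DROP
    ipt -A INPUT -i "$RED_DEV" -p tcp --dport 1434 -j DROP

    # One rule each for logging and dropping new connections to the
    # whole high-port range; the limit match keeps a flood from filling
    # the log. LOG is non-terminating, so the DROP below still applies.
    ipt -A INPUT -i "$RED_DEV" -p tcp --dport 1024:65535 --syn \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "HIGHPORT-SYN: "
    ipt -A INPUT -i "$RED_DEV" -p tcp --dport 1024:65535 --syn -j DROP
}

# Preview the rules; set DRY_RUN=0 to actually install them (needs root).
firewall_rules
```

Run with DRY_RUN=0 only after checking the printed rules; `iptables -L INPUT -n -v --line-numbers` then shows the resulting order and per-rule packet counters.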

