LinuxQuestions.org


cnmoore 10-09-2012 01:43 PM

iptables - what are the 11.11.11.11 lines?
 
The iptables on my dedicated server has a lot of lines with 11.11.11.11 that were not put in by me. Such as
Code:

-A INPUT -d 11.11.11.11 -p udp -m udp --dport 21 -j DROP
-A INPUT -d 11.11.11.11 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -d 11.11.11.11 -p udp -m udp --dport 22 -j DROP
-A INPUT -d 11.11.11.11 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -d 11.11.11.11 -p udp -m udp --dport 53 -j DROP
-A INPUT -d 11.11.11.11 -p tcp -m tcp --dport 53 -j DROP

from the saved iptables.

I asked our host what they were and there was a vague reference to 'placeholder'. But as far as I can see the 11.11.11.11 is never defined in any way. Am I right in thinking that those lines aren't doing anything and I can delete them?

Or do they have a meaning?

salasi 10-09-2012 03:56 PM

Well, that's odd. Specifically, what's odd is that your host seems to be (more or less) admitting to having put them there, but isn't really telling you what they were put there for. As a placeholder, you'd have to think that they mean that they might run, e.g., sed, and replace that 11.11.11.11 with something actually needed (presumably, what you mean by meaningful).

Incidentally, the range 11.0.0.0 - 11.255.255.255 is allocated to the DoD Network Information Center. So if you never have any access to them, they won't do any actual harm (and it's only three ports, and probably not three ports that you'll ever want access to the DoD for), but I'd agree that you don't want 'random' parts of the net being meaninglessly blocked off, as you'll have a problem with it at some later time when you've forgotten all about this.

cnmoore 10-09-2012 04:31 PM

Thanks
 
Appreciate your reply, thanks.

A little context here: I first noticed these a few years ago and asked the host (they had changed my iptables). I don't think the support person actually knew why he had been told to do it - he said "for added security". Anyway, it didn't seem to do any harm, so I have faithfully copied them every time I updated iptables.

But I went on a housecleaning kick yesterday. We had blocked IPs in .htaccess as well as in iptables, and there was also a Ban Filter in the forum. I decided to consolidate all the bans in one place, in iptables, to make search easier if a block turned out to be a mistake. Then I thought why have this stuff I don't understand in iptables - so now I have taken all the 11.11.11.11 lines out.

May I ask you about something else?
I don't really understand the OUTPUT section. There is a pretty large one. It starts with some reasonable-looking stuff:
Code:

-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner mail -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable

But after that are a great many DROP lines - a few of them:
Code:

-A OUTPUT -s 173.201.253.108 -j DROP
-A OUTPUT -s 95.132.0.0/255.252.0.0 -j DROP
-A OUTPUT -s 212.156.0.0/255.255.240.0 -j DROP
-A OUTPUT -s 94.100.16.0/255.255.240.0 -j DROP
-A OUTPUT -s 94.100.31.74 -j DROP
-A OUTPUT -s 109.169.56.111 -j DROP
-A OUTPUT -s 218.108.247.134 -j DROP
-A OUTPUT -s 203.129.203.3 -j DROP

What are these actually doing? I'm guessing that if something on the server tries to send to 173.201.253.108, it will not succeed. (Protection against malware sending home?) Would you agree that I could just delete those hundred or so lines?

unSpawn 10-09-2012 05:44 PM

Quote:

Originally Posted by cnmoore (Post 4801605)
I decided to consolidate all the bans in one place, in iptables, to make search easier if a block turned out to be a mistake.

Management-wise, and because iptables will block a connection at the lowest level, that's an excellent move.


Quote:

Originally Posted by cnmoore (Post 4801605)
What are these actually doing? Would you agree that I could just delete those hundred or so lines?

They're doing nothing. In the filter table, OUTPUT chain rules usually have "-d" for prohibiting sending any traffic to a specific destination, not "-s".
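
An added example (not code from this thread or from any poster) that audits an iptables-save dump for the two dead-rule patterns discussed above: OUTPUT rules matching on a non-local "-s" (the OUTPUT chain only sees locally generated packets, so those never match) and rules still carrying the 11.11.11.11 placeholder. The sample rules and the server address 203.0.113.10 are constructed for the example.

```python
"""Flag iptables rules that can never match, based on an iptables-save dump."""
import re
import ipaddress

# Constructed sample in iptables-save format, modelled on the rules in the thread.
SAMPLE_RULES = """\
-A INPUT -d 11.11.11.11 -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -s 173.201.253.108 -j DROP
-A OUTPUT -s 95.132.0.0/255.252.0.0 -j DROP
-A OUTPUT -d 203.129.203.3 -j DROP
"""

# Placeholder addresses the host never substituted (assumption: only 11.11.11.11).
PLACEHOLDERS = {ipaddress.ip_network("11.11.11.11")}
ADDR_RE = re.compile(r"\s(-s|-d)\s+(\S+)")


def parse_rule(line):
    """Return (chain, {'-s'/'-d': network}, target) for an '-A' rule, else None."""
    m = re.match(r"-A\s+(\S+)\s+(.*)\s-j\s+(\S+)", line.strip())
    if not m:
        return None
    chain, body, target = m.groups()
    matches = {}
    for flag, value in ADDR_RE.findall(" " + body + " "):
        try:
            # strict=False accepts both CIDR and dotted-netmask forms.
            matches[flag] = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue  # hostnames or other non-address values are skipped
    return chain, matches, target


def audit_rules(text, local_addrs):
    """Return a list of (rule line, reason) for rules that cannot do anything."""
    local = [ipaddress.ip_address(a) for a in local_addrs]
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, _ = parsed
        for flag, net in matches.items():
            if net in PLACEHOLDERS:
                findings.append((line, f"{flag} uses placeholder {net}"))
        src = matches.get("-s")
        if chain == "OUTPUT" and src is not None and not any(a in src for a in local):
            findings.append((line, "-s on OUTPUT never matches a non-local source; use -d"))
    return findings
```

Running `audit_rules(SAMPLE_RULES, ["203.0.113.10"])` reports the placeholder INPUT rule and the two "-s" OUTPUT rules, and leaves the owner-match and "-d" rules alone.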

cnmoore 10-09-2012 06:14 PM

Thanks again!
