Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-13-2004, 10:01 AM   #1
kc8tbe
forwarded traffic is caught by input chain


Traffic from other machines destined for other machines seems to be caught by my input chain instead of my forward chain. I'm assuming this is a problem.

Code:
bash-2.05b# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ULOG       all  --  anywhere             anywhere            limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `[INPUT]' queue_threshold 1
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
ULOG       all  --  anywhere             anywhere            limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `[INPUT-DROP]' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ULOG       all  --  anywhere             anywhere            limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `[FORWARD]' queue_threshold 1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
bash-2.05b# grep -r 'FORWARD' /var/log/ulogd.syslogemu.iptables
As you can see, although all packets that enter the forward chain should appear in the log file with the prefix "[FORWARD]", this never occurs as indicated by the lack of output from the above grep command.

Code:
Apr 11 18:46:14 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:75:1c:df:08:00  SRC=10.3.5.70 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=54643 CE PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 11 18:46:14 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:75:1c:df:08:00  SRC=10.3.5.70 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=54643 CE PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 11 18:46:15 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3551 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:15 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3551 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:15 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3746 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:15 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3746 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:18 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3747 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:18 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3747 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:26 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3748 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:26 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:0e:df:e3:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3748 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:31 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3552 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:31 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3552 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:36 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:4f:59:02:fb:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=24561 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:36 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:4f:59:02:fb:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=24561 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:38 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:7a:79:e6:08:00  SRC=10.3.2.218 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=11272 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 11 18:46:38 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:7a:79:e6:08:00  SRC=10.3.2.218 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=11272 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 11 18:46:39 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:4f:59:02:fb:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=24562 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:39 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:4f:59:02:fb:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=24562 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 11 18:46:42 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:25:38:70:08:00  SRC=10.3.11.219 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=12568 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 11 18:46:42 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:25:38:70:08:00  SRC=10.3.11.219 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=12568 PROTO=UDP SPT=138 DPT=138 LEN=209
Furthermore, the above excerpt from the log shows that the firewall is seeing packets from other machines destined for other machines on the input chain. So, why do these packets appear in the input chain instead of the forward chain?

*Note that dropped packets appear in the log twice; once with the prefix [INPUT] and once with the prefix [INPUT-DROP]. I'd like them to show up only once - under [INPUT-DROP] - but all things considered, I could care less.
 
Old 04-13-2004, 11:03 AM   #2
hazza
The packets that you have listed as being logged are all broadcast packets. As you have seen, broadcast packets are not forwarded and hence don't reach the forward chain.
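Added example, not from the thread: it parses ULOG lines in the shape of the ones posted above, classifies each destination as limited broadcast, directed broadcast or unicast, and pairs the [INPUT]/[INPUT-DROP] duplicates by (SRC, ID), which shows that every logged packet is a broadcast and so never enters FORWARD. The 10.3.0.0/19 LAN prefix is an assumption inferred from the posted addresses, and the final unicast line (with the placeholder firewall address 10.3.0.1) is constructed.

```python
import ipaddress
from collections import Counter

# Assumed site prefix: the thread's hosts 10.3.5.70 and 10.3.2.218 both send to
# 10.3.31.255, which is the directed broadcast address of 10.3.0.0/19.
LAN = ipaddress.ip_network("10.3.0.0/19")

# Constructed sample: two [INPUT]/[INPUT-DROP] pairs in the shape of the thread's
# ULOG lines, plus one constructed unicast line (DST=10.3.0.1 is a placeholder).
SAMPLE_LOG = """\
Apr 11 18:46:14 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:75:1c:df:08:00  SRC=10.3.5.70 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=54643 CE PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 11 18:46:14 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:75:1c:df:08:00  SRC=10.3.5.70 DST=10.3.31.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=54643 CE PROTO=UDP SPT=138 DPT=138 LEN=209
Apr 11 18:46:15 heuristic [INPUT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3551 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 11 18:46:15 heuristic [INPUT-DROP] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0b:db:76:02:a1:08:00  SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=3551 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 11 18:46:40 heuristic [INPUT] IN=eth0 OUT= MAC=00:0b:db:75:1c:df:00:0b:db:7a:79:e6:08:00  SRC=10.3.2.218 DST=10.3.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=4321 DPT=22 LEN=40
"""

def parse_ulog(line):
    """Return the log prefix plus key=value fields; bare flags such as CE/DF are skipped."""
    fields = {}
    for tok in line.split():
        if tok.startswith("[") and tok.endswith("]") and "prefix" not in fields:
            fields["prefix"] = tok[1:-1]
        elif "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # first LEN is the IP length, the later one is L4
    return fields if "prefix" in fields else None

def classify_dst(dst, lan=LAN):
    """'limited-broadcast', 'directed-broadcast' (for lan) or 'unicast'."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr == lan.broadcast_address:
        return "directed-broadcast"
    return "unicast"

def summarize(log_text, lan=LAN):
    """Count entries per (prefix, class) and list (SRC, ID) pairs logged under two prefixes."""
    counts = Counter()
    prefixes = {}
    for line in log_text.splitlines():
        f = parse_ulog(line)
        if f is None:
            continue
        counts[(f["prefix"], classify_dst(f["DST"], lan))] += 1
        prefixes.setdefault((f["SRC"], f["ID"]), set()).add(f["prefix"])
    doubled = sorted(k for k, v in prefixes.items() if len(v) > 1)
    return counts, doubled
```

Running summarize(SAMPLE_LOG) on the thread's own lines classifies every entry as a broadcast, and the doubled list is the set of packets that hit both ULOG rules before the final DROP.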
 
Old 04-13-2004, 02:10 PM   #3
kc8tbe
Interesting that the network seems to accept two different broadcast addresses (e.g. 255.255.255.255 and 10.3.31.255). Anyway, I want to drop the packets and not see them in my log. I tried this:
# iptables -I INPUT -i ! lo -d ! my.ip.add.ress
However when I run:
# iptables -L
or:
# iptables -L INPUT
I get:
Chain INPUT (policy ACCEPT)
target prot opt source destination

And it hangs. Also, my internet connection ceases to function. iptables -L FORWARD (or any other chain) produces complete output.

So... what am I doing wrong?
 
Old 04-13-2004, 02:30 PM   #4
kc8tbe
And to (sort of) answer my own question, I needed to use:
# iptables -I INPUT -i ! lo -d ! my.ip.add.ress/0
Which produces:
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere !anywhere

etc., etc... only all those broadcast messages are still being logged. Help?
 
Old 04-13-2004, 11:01 PM   #5
hazza
You might want to consider that your INPUT chain may see traffic from more than one interface. So dropping all traffic except to one address might not be the best way to go. If you really don't want to see the broadcast packets in your logs then you can just silently drop them above the log rules. Try something like:

# iptables -I INPUT -j DROP -d 10.3.31.255
# iptables -I INPUT -j DROP -d 255.255.255.255

I've also noticed in your iptables listing that you don't seem to be accepting RELATED state traffic. That may cause problems with some icmp error packets being dropped which are usually marked as RELATED.

It turns out that there is a way to drop all broadcast packets with:

# iptables -I INPUT -j DROP -m pkttype --pkt-type broadcast

Last edited by hazza; 04-13-2004 at 11:20 PM.
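Added example, not from the thread: a small first-match model of the INPUT chain that treats ULOG as a non-terminating target, so it reproduces the double [INPUT]/[INPUT-DROP] logging the OP complained about, and then shows the effect of the two fixes above (a silent pkttype broadcast DROP inserted at position 1, and accepting RELATED alongside ESTABLISHED). Packet, any_pkt, established, broadcast and run_chain are names chosen here, not iptables APIs; the rules are simplified from the OP's listing (the ssh, icmp and limit matches are left out).

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str
    state: str = "NEW"          # conntrack state as "-m state" would see it
    pkttype: str = "unicast"    # what "-m pkttype --pkt-type" matches on

def any_pkt(p):
    return True

def established(p):
    return p.state == "ESTABLISHED"

def broadcast(p):
    return p.pkttype == "broadcast"

# A chain is an ordered list of (match, target). ULOG is non-terminating: the
# packet is logged and keeps walking the chain, which is why every dropped packet
# appears once under [INPUT] and again under [INPUT-DROP] in the OP's log.
OP_INPUT = [
    (any_pkt, "ULOG:[INPUT]"),
    (established, "ACCEPT"),
    (any_pkt, "ULOG:[INPUT-DROP]"),
    (any_pkt, "DROP"),
]

# Same chain after "iptables -I INPUT -j DROP -m pkttype --pkt-type broadcast"
# (-I puts it first, above both ULOG rules) and accepting RELATED as well.
FIXED_INPUT = [
    (broadcast, "DROP"),
    (any_pkt, "ULOG:[INPUT]"),
    (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (any_pkt, "ULOG:[INPUT-DROP]"),
    (any_pkt, "DROP"),
]

def run_chain(chain, pkt, policy="ACCEPT"):
    """Return (verdict, list of log prefixes) for one packet; first terminating match wins."""
    logged = []
    for match, target in chain:
        if not match(pkt):
            continue
        if target.startswith("ULOG:"):
            logged.append(target[len("ULOG:"):])
            continue
        return target, logged
    return policy, logged
```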
 
Old 04-14-2004, 03:14 PM   #6
alveric
Accepting RELATED packets is also needed by FTP (there is a difference between active and passive FTP, but I can never tell which is which).

Man, how much log do you have with this? Even with a 3/sec limit, you can end up with lots of garbage in your /var/log/... What I do log is all dropped packets (but ports 4462 and stuff like that, which are *very* active among my ISP network), and only the packets which initiate an accepted traffic (i.e. I LOG acceptable "NEW" packets before ACCEPTing them, and I just ACCEPT packets marked as "RELATED, ESTABLISHED").

Quote:
Interesting that the network seems to accept two different broadcast addresses (e.g. 255.255.255.255 and 10.3.31.255).
10.3.31.255 is the broadcast address of the class C network 10.3.31.*; 255.255.255.255 is the IP address of a "general" broadcast message, destined to any machine on the network, whatever their IP addresses are (useful when a machine doesn't yet have its own IP address, during a DHCP communication for example).