Iptables/Guarddog - how to block specific outgoing packets
 

Hi all,

I have a problem that I'm just about at wits end trying to solve:

Each time I go on the net to browse or to check on my email (I use my ISP's web mail services) - I find that my email list includes mainly MANY (up to 150 - 180 in a few instances) of 'undeliverable' or 'returned' messages - this is becoming a right PITA in having to delete these from my email inbox each time.

NOTE: I don't use any pop3 links as I only download wanted emails via my web browser (Opera 8.5).

I have gone over my iptables/guarddog firewall rules several times to try and eliminate this problem but don't seem to have any success - I have set up the firewall for policy DROP on INPUT,OUTPUT, & FORWARD chains then have selectively opened those ports that I really need to allow connection to the web through my 56K dialup modem.

Hers a copy of my iptables - sorry if it is a bit on the long side but this is what Guarddog has done:

------------------------------------------------------------------------------------
#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=1
# LOGDROP=1
# LOGABORTEDTCP=1
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=5
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [UserDefinedProtocol]
# ID=1
# NAME=http-88
# TYPE=TCP
# PORT=88:88
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=3
# NAME=loc
# TYPE=TCP
# PORT=8765:8765
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=4
# NAME=3030
# TYPE=TCP
# PORT=3030:3030
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=8
# NAME=stun
# TYPE=UDP
# PORT=3478:3478
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=2
# NAME=sip
# TYPE=UDP
# PORT=5060:5060
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=5
# NAME=lisa
# TYPE=TCP
# PORT=7741:7741
# BIDIRECTIONAL=1
# [ServerZone] Internet
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=ftp
# PROTOCOL=domain
# PROTOCOL=https
# PROTOCOL=http
# [ServerZone] Local
# [ClientZone] Internet
# CONNECTED=1
# [End]

# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
################################################################################
###### ipchains ###############
###############################

<snipped for length purposes>

if [ $FILTERSYS -eq 2 ]; then
###############################################################################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X
iptables -Z

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."

# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 5/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 5/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
iptables -N logaborted2
iptables -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N logaborted
iptables -A logaborted -m limit --limit 5/second --limit-burst 10 -j logaborted2
iptables -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4

# Allow loopback traffic
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1> $interface
done
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -p tcp ! --syn -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Local'

# Rejected traffic from 'Internet' to 'Local'

# Traffic from 'Local' to 'Internet'
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Local' to 'Internet'

# Place DROP and log rules at the end of our filter chains
iptables -A f0to1 -p udp -s 0/0 --dport 137 -j logdrop
iptables -A f0to1 -p udp -s 0/0 --dport 138 -j logdrop
iptables -A f0to1 -p udp -s 0/0 --dport 139 -j logdrop

# Deny new tcp connections from remote hosts
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -p tcp -m state --state NEW -j logdrop
# Disable apache port on local host
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --dport 80 -j logdrop
#iptables -A OUTPUT -o ppp0 -p tcp -s 0/0 --dport 80 -j logdrop

# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop

# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0

if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1

iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt

# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
fi;
true
----------------------------------------------------------------------------------

What I'm after is if some kind sould could direct me as to what rule(s) may be concocted to use say my browser's PID or even my 'user' UID as a way of restricting "all" outgoing packets to only be mine and no other 'hidden' user.

I have run Chkrootkit and have Tripwire installed and use it many times but have not been able to find any virus or trojan or rootkit - BUT still feel that somehow my machine is being used as a relay for unwanted emails so would like to see if I can close this gate somehow via my firewall.

Any help would be much appreciated....

I'm not sure how these webmail services work, but I would think that it can't have anything to do with your firewall. My understanding of these systems is that you're using your http link to read, edit, compose, and send mail from a remote server. So as long as your port 80 (http) and/or 443 (https) is open, you should be able to send and recieve mail through the web interface. Of course, I could be wrong...

Are the messages spam related? Have you looked at the headers of one of the messages? It might just be a case of spoofing. There was a guy here at work who got his inbox filled with "undeliverable" spam mail. What happened was that someone on the internet put his address in the "reply-to" field. So when this spam bounced, it was returned to him instead of the original sender. I think he had to get the network admin involved to block these messages somehow. I would look at the headers and see where they originated. If it was your machine, then you have a problem. If not, then you probably need to get your ISP involved.

Hi pljvaldez,

Thanks for the reply.... Yes it is "undeliverable" spam emails!!!! And no I haven't looked at the headers of any and to be frank I really don't know how to do that - would appreciate any guidance as to how - am running Debian based MEPIS distro with kde etc... I hadn't thought it may be 'spoofed' emails so am in the dark as to what to look for. I'd like to make sure that the problem is not in my box first before I talk to my ISP provider. Found another 75 of these very annoying emails in my 'inbox' again today - would very much like to give them the big A.

Any assistance would be much appreciated.

You might call your ISP to see how to look at headers. I don't know how to do it in a webmail type application (or linux one for that matter since at work we're stuck with M$ Outlook). In the windows version of Thunderbird you open a message and then select view --> headers --> all.

The other way to check would be to unplug your machine from the network for a few days or use a Live CD for a few days instead of your hard disk install and then check your email and see if it persists. Since your actual hard disk install wouldn't be running, the only thing it could be was spoofed mail...

Hi pljvaldez,

Thanks for the pointers... Had not thought about using the distro's live CD (MEPIS has such) to check - the only problem is that I use Opera 8.5 as my web browser but it isn't included in the MEPIS install - will have to use the included Mozilla Firefox web browser instead - well one can't win them all ...watson!!!!

Hoping that I can solve this without having to call my ISP ..... please,please...PLEASE!!

TIA

BTW...
I am still interested in finding out how to block outgoing connections in iptables using either the UID or GID or both - if such methods are possible?

Any suggestions on iptables code that could achieve such would be appreciated....

TIA

The only way I'm aware of to block outgoing connections by user or group is by using a proxy. Not sure if there's an IPtables solution (and not in front of my Debian box to fiddle with fwbuilder)....

Hi pljvaldez,
Thanks for the reply... I think there is a module in iptables named 'ip_owner' (or ipt_owner) which could be used via PID or GID or UID to do this but I'm not sure how to write the iptables code to achieve my ultimate ends - just thought that maybe somebody out in Linux userland had maybe used this method in their iptables and could maybe give some pointers on how etc.

Thanks anyway.