Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have set up an iptables firewall at work that goes something like this:
Code:
#
# Rule 0(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 196.3.140.0/24 -j SNAT --to-source 1.2.3.4
#
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#
# Rule 0(lo)
#
# allow everything on loopback
#
$IPTABLES -N lo_In_RULE_0
$IPTABLES -A INPUT -i lo -j lo_In_RULE_0
$IPTABLES -A lo_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_In_RULE_0 -j ACCEPT
$IPTABLES -N lo_Out_RULE_0
$IPTABLES -A OUTPUT -o lo -j lo_Out_RULE_0
$IPTABLES -A lo_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_Out_RULE_0 -j ACCEPT
#
# Rule 0(global)
#
# ssh access to firewall
#
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -p tcp --source-port 20 -d 196.3.140.1 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p tcp --source-port 20 -d 1.2.3.4 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -N Cid4052CE4C.0
$IPTABLES -A OUTPUT -d 196.3.140.1 -m state --state NEW -j Cid4052CE4C.0
$IPTABLES -A OUTPUT -d 1.2.3.4 -m state --state NEW -j Cid4052CE4C.0
$IPTABLES -A Cid4052CE4C.0 -p tcp -m multiport --destination-ports 22,20,21,80,25,110 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p tcp --source-port 20 -d 196.3.140.1 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p tcp --source-port 20 -d 1.2.3.4 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -N Cid4052CE4C.1
$IPTABLES -A INPUT -d 196.3.140.1 -m state --state NEW -j Cid4052CE4C.1
$IPTABLES -A INPUT -d 1.2.3.4 -m state --state NEW -j Cid4052CE4C.1
$IPTABLES -A Cid4052CE4C.1 -p tcp -m multiport --destination-ports 22,20,21,80,25,110 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p tcp -s 196.3.140.1 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -s 1.2.3.4 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -s 196.3.140.1 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -s 1.2.3.4 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2(global)
#
# firewall serves as DNS server for LAN
#
$IPTABLES -N RULE_2
$IPTABLES -A INPUT -s 196.3.140.0/24 -d 196.3.140.1 -m state --state NEW -j RULE_2
$IPTABLES -A INPUT -s 196.3.140.0/24 -d 1.2.3.4 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT
#
# Rule 3(global)
#
#
#
$IPTABLES -N RULE_3
$IPTABLES -A INPUT -p tcp -s 1.2.3.4 --destination-port 10000 -m state --state NEW -j RULE_3
$IPTABLES -A INPUT -p tcp -s 196.3.140.194 --destination-port 1863 -m state --state NEW -j RULE_3
$IPTABLES -A FORWARD -p tcp -s 196.3.140.194 --destination-port 1863 -m state --state NEW -j RULE_3
$IPTABLES -A INPUT -p tcp -s 196.3.140.125 --destination-port 1863 -m state --state NEW -j RULE_3
$IPTABLES -A FORWARD -p tcp -s 196.3.140.125 --destination-port 1863 -m state --state NEW -j RULE_3
$IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A RULE_3 -j ACCEPT
#
# Rule 4(global)
#
#
#
$IPTABLES -N RULE_4
#$IPTABLES -A INPUT -p tcp -s 196.3.140.50 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.69 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.10 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.253 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.254 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.118 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p udp -s 196.3.140.118 -m state --state NEW -j RULE_4
#$IPTABLES -A INPUT -p tcp -s 196.3.140.204 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -p tcp -s 196.3.140.196 -m state --state NEW -j RULE_4
#$IPTABLES -A FORWARD -p tcp -s 196.3.140.50 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.69 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.10 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.253 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.254 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.118 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p udp -s 196.3.140.118 -m state --state NEW -j RULE_4
#$IPTABLES -A FORWARD -p tcp -s 196.3.140.204 -m state --state NEW -j RULE_4
$IPTABLES -A FORWARD -p tcp -s 196.3.140.196 -m state --state NEW -j RULE_4
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A RULE_4 -j ACCEPT
#
# Rule 5(global)
#
#
#
$IPTABLES -N RULE_5
$IPTABLES -A OUTPUT -s 196.3.140.0/24 -d 196.3.140.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A INPUT -s 196.3.140.0/24 -d 196.3.140.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A FORWARD -s 196.3.140.0/24 -d 196.3.140.0/24 -m state --state NEW -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A RULE_5 -j ACCEPT
#
# Rule 6(global)
#
#
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -s 196.3.140.1 -m state --state NEW -j RULE_6
$IPTABLES -A OUTPUT -s 196.3.140.2/31 -m state --state NEW -j RULE_6
$IPTABLES -A OUTPUT -s 196.3.140.4/31 -m state --state NEW -j RULE_6
$IPTABLES -A OUTPUT -s 196.3.140.6 -m state --state NEW -j RULE_6
$IPTABLES -A FORWARD -s 196.3.140.2/31 -m state --state NEW -j RULE_6
$IPTABLES -A FORWARD -s 196.3.140.4/31 -m state --state NEW -j RULE_6
$IPTABLES -A FORWARD -s 196.3.140.6 -m state --state NEW -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -A RULE_6 -j ACCEPT
#
# Rule 7(global)
#
# 'masquerading' rule
#
$IPTABLES -N RULE_7
$IPTABLES -A INPUT -p tcp -s 196.3.140.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_7
$IPTABLES -A INPUT -p tcp -m multiport -s 196.3.140.0/24 --destination-ports 21,20,110,143,22,443,8443 -m state --state NEW -j RULE_7
$IPTABLES -A OUTPUT -p tcp -s 196.3.140.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_7
$IPTABLES -A OUTPUT -p tcp -m multiport -s 196.3.140.0/24 --destination-ports 21,20,110,143,22,443,8443 -m state --state NEW -j RULE_7
$IPTABLES -A FORWARD -p tcp -s 196.3.140.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_7
$IPTABLES -A FORWARD -p tcp -m multiport -s 196.3.140.0/24 --destination-ports 21,20,110,143,22,443,8443 -m state --state NEW -j RULE_7
$IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
$IPTABLES -A RULE_7 -j ACCEPT
#
# Rule 8(global)
#
#
#
#$IPTABLES -N RULE_8
#$IPTABLES -A OUTPUT -d old.isp -m state --state NEW -j RULE_8
#$IPTABLES -A FORWARD -d old.isp -m state --state NEW -j RULE_8
#$IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- ACCEPT "
#$IPTABLES -A RULE_8 -j ACCEPT
#
# Rule 9(global)
#
# 'catch all' rule
#
$IPTABLES -N RULE_9
$IPTABLES -A OUTPUT -j RULE_9
$IPTABLES -A INPUT -j RULE_9
$IPTABLES -A FORWARD -j RULE_9
$IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY "
$IPTABLES -A RULE_9 -j DROP
#
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
echo 1 > /proc/sys/net/ipv4/ip_forward
Sorry for the long paste.
Here's my question:
I have a user on my network who I allow access to bittorrent at night; however, whenever I comment out his IP and restart the firewall during the day, his established packets are still allowed to pass through, therefore draining bandwidth. How do I get iptables to properly "cut off" all his connections? I do see new connections being blocked from his IP, but the established ones remain. Help!
P.S. 196.3.140.* is my internal network (don't ask) and I've replaced my net feed IP with 1.2.3.4.
Do you want to block that user all the time or at night only? I think the commented-out part is this:
Code:
...
#$IPTABLES -A INPUT -p tcp -s 196.3.140.204 -m state --state NEW -j RULE_4
...
#$IPTABLES -A FORWARD -p tcp -s 196.3.140.204 -m state --state NEW -j RULE_4
...
But notice! Your RULE_4's target is LOG and ACCEPT, and also your initial rules are allowing the ESTABLISHED, RELATED and NEW states:
Code:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
Also, what are your global policies? When you comment out that IP, if there isn't any other matching rule then the global policy will be applied. Check the points I mentioned above and your global policy.
Note: also, don't post your firewall configuration as is with the real IPs :-) Try to use trivial IPs.
Hi, thanks for replying!
Yep, I just want to block the guy at night, but the problem is that he leaves his machine running.
The catch-all rule is $IPTABLES -A RULE_9 -j DROP.
Those 196.3.140.* addresses aren't public, so I saw no harm in posting them.
I thought when I uncommented his IP that all his connections would revert to '$IPTABLES -A RULE_9 -j DROP', which is actually happening. My problem is that his already established connections aren't being 'dropped'. I even tried /etc/init.d/network restart and that didn't work.
Your further help will be greatly appreciated.
I didn't notice the 'catch all' rule, you're right. What about the rules on top that allow ESTABLISHED and RELATED packets? Also, you can use the time patch for blocking at night only:
Code:
iptables -A FORWARD --destination download_man -m time --timestart 18:00 --timestop 23:00 --days Mon,Tue,Wed,Thu,Fri -j DROP
Place a rule like this in the correct position in the chain. It should work.
The 3 rules above tell my firewall host to talk to everyone else. If I remove those, then all network access will be cut off.
I don't currently have libipt_time.so installed/compiled, so I'll have to look for that, but I think the root of the matter is that iptables is not dropping established connections. Judging from the rule you posted, it would attempt to do what I did manually, so the same thing would happen. This is really strange; although I can see how some people actually need this, unfortunately I don't.
Quote:
The 3 rules above tell my firewall host to talk to everyone else. If I remove those, then all network access will be cut off.
OK, I'm saying almost the same thing. If you haven't any other rule matching that man's IP, then its traffic will be allowed. Try to block his ESTABLISHED and RELATED traffic 'above' those rules.
Quote:
I don't currently have libipt_time.so installed/compiled so i'll have to look for that but i think the root of the matter is that iptables is not droping established connections.
But there is no rule to let it DROP them. Am I wrong?
Code:
iptables -I INPUT --destination download_man -m state --state ESTABLISHED,RELATED -j DROP
iptables -I FORWARD --destination download_man -m state --state ESTABLISHED,RELATED -j DROP
These should work. You're allowing all the ESTABLISHED and RELATED traffic, including that of the one you want to block. So you should catch and block that guy's traffic first, and then allow the remaining part.
Quote:
Judging from the rule you posted, it would attempt to do what I did manually, so the same thing would happen. This is really strange; although I can see how some people actually need this, unfortunately I don't.
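The following script is an added example; it is not from any post in this thread. It puts together the two points the replies make: the first reply's observation that the blanket "-m state --state ESTABLISHED,RELATED,NEW -j ACCEPT" rules sit at the top of INPUT/OUTPUT/FORWARD, and the second reply's advice to catch and drop the host's traffic before those rules. It also handles the part that a rule reload alone does not cover: the kernel's connection tracking table survives a firewall restart, so flows that were accepted while the host was allowed keep matching ESTABLISHED until their entries expire. Deleting those entries with the conntrack tool (from conntrack-tools, not mentioned in the thread) is what actually cuts the live transfers. Assumptions: iptables at /sbin/iptables, conntrack at /usr/sbin/conntrack (both overridable through the environment), and 196.3.140.204 as the host, taken from the commented-out RULE_4 lines. The two "iptables -S" listings at the bottom are constructed samples used by the ordering check, not output captured from the poster's firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed paths; override via environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CONNTRACK="${CONNTRACK:-/usr/sbin/conntrack}"

# Rule specs that drop a host's traffic regardless of connection state.
# "-I <chain> 1" inserts at the top, so these are evaluated before the
# blanket "-m state --state ESTABLISHED,RELATED,NEW -j ACCEPT" rules.
block_host_rules() {
    host="$1"
    printf '%s\n' \
        "-I INPUT 1 -s $host -j DROP" \
        "-I FORWARD 1 -s $host -j DROP" \
        "-I FORWARD 1 -d $host -j DROP"
}

# Insert the rules, then remove the host's flows from the connection tracking
# table. Reloading the rule set does not clear conntrack, so flows that were
# accepted earlier keep matching ESTABLISHED until their entries time out.
block_host() {
    host="$1"
    block_host_rules "$host" | while read -r spec; do
        # $spec is deliberately unquoted so it is split into arguments
        $IPTABLES $spec
    done
    $CONNTRACK -D -s "$host" >/dev/null 2>&1 || true
    $CONNTRACK -D -d "$host" >/dev/null 2>&1 || true
}

# Check: given the output of "iptables -S <chain>", succeed only if the host's
# DROP rule is listed before the first state-based ACCEPT rule. Matches both
# the legacy "-m state --state" and the newer "-m conntrack --ctstate" form.
drop_precedes_accept() {
    host="$1"
    listing="$2"
    drop_line=$(printf '%s\n' "$listing" | grep -n -- "-s $host/32 -j DROP" | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$listing" | grep -n -E -- '--(ctstate|state) ' | grep ACCEPT | head -n 1 | cut -d: -f1)
    if [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]; then
        return 0
    fi
    return 1
}

# Constructed sample listings in "iptables -S FORWARD" format (not captured
# from a real host): the first has the DROP in the right place, the second
# has it below the state ACCEPT, which is the situation described in the thread.
LISTING_OK='-P FORWARD ACCEPT
-A FORWARD -s 196.3.140.204/32 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT'
LISTING_BAD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A FORWARD -s 196.3.140.204/32 -j DROP'

# Usage (as root):  sh cutoff.sh --apply 196.3.140.204
#                   sh cutoff.sh --check 196.3.140.204   (inspects the live FORWARD chain)
case "${1:-}" in
    --apply) block_host "${2:?host}" ;;
    --check)
        if drop_precedes_accept "${2:?host}" "$($IPTABLES -S FORWARD)"; then
            echo "DROP precedes the state ACCEPT rule"
        else
            echo "DROP is missing or below the state ACCEPT rule: fix the rule order"
        fi ;;
esac
```

To make the block time-based as the second reply suggests, the same DROP rules can carry a time match; on current iptables the option is spelled "--weekdays" rather than the old patch's "--days". The rule order point is unchanged by that: the DROP still has to sit above the state ACCEPT, and the conntrack entries still have to be removed when the allowed window ends, otherwise transfers that started during the window continue to match ESTABLISHED.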