Hi,

I thought I had a properly written ruleset here but when I sniffed the traffic I still see snmp and and traffic from a blocked machine (.250).

This box has antivirus s/w listening on 9000 ports so it preroutes to it.

My guess the problem must be the first COMMIT which should be removed. But before doing so I would like to get a 2nd opinion on my rules.

#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 9110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 9025
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 9021
COMMIT

*filter
# Set inbound rules
-N FW-INBOUND
-A FW-INBOUND -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FW-INBOUND -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#TCP-Packets with one ore more bad flags
-N LBADFLAG
-A LBADFLAG -m limit --limit "2/s" --limit-burst "10" -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP
#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations
# (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
-N CHECKBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
# Dont allow any smb beyond this point
-N SMB
-A SMB -p tcp --dport 137 -j DROP
-A SMB -p tcp --dport 138 -j DROP
-A SMB -p tcp --dport 139 -j DROP
-A SMB -p tcp --dport 445 -j DROP
-A SMB -p udp --dport 137 -j DROP
-A SMB -p udp --dport 138 -j DROP
-A SMB -p udp --dport 139 -j DROP
-A SMB -p udp --dport 445 -j DROP
-A SMB -p tcp --sport 137 -j DROP
-A SMB -p tcp --sport 138 -j DROP
-A SMB -p tcp --sport 139 -j DROP
-A SMB -p tcp --sport 445 -j DROP
-A SMB -p udp --sport 137 -j DROP
-A SMB -p udp --sport 138 -j DROP
-A SMB -p udp --sport 139 -j DROP
-A SMB -p udp --sport 445 -j DROP
# Trap any SNMP traffic
-N SNMP
-A SNMP -p udp --dport 161 -j DROP
-A SNMP -p udp --dport 162 -j DROP
# Don't allow traffic from this PC to exit
-N HOST
-A HOST -p tcp -s 192.168.0.250 -j DROP
-A HOST -p udp -s 192.168.0.250 -j DROP
-A HOST -p icmp -s 192.168.0.250 -j DROP
COMMIT

I'm not an IPTables guru by any stretch of the imagination but I've looked through your script and I have a couple of comments.

1. New chains should be created first in your script before any other rules are written.
2. DROPs should be placed before ACCEPTs where possible.
3. Finally, down to what I think your problem is with the "HOST" chain. Your rules look fine for this chain but I don't see any of the above rules jump to this chain. If they don't jump to this chain then it will never get used and that is why you are still seeing traffic from .250. I would recommend placing that jump to "HOST" early in the script so the bad IPs are dropped early.

I hope this helps!

Thanks,

Centinul

Thanks for the tips!

I usually only use OpenBSD so I've never really grasped iptables, which is a lot harder to work with.

Anyway, it's pretty hard finding someone who has a clear understanding on how to make things work under iptables.

Hopefully there's someone here who knows it enough to help me stitch it together properly because I sure have a hell of a time getting the syntax right.