LinuxQuestions.org, Linux - Security forum
#1, 07-15-2006, 10:19 AM
Member, Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
Antispoof iptables codes !
Quote:
# ANTISPOOF
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do echo "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'"; done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do echo "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"; done
I'm using these 2 codes in my iptables to prevent spoofing, but when I launch
Code:
#iptables -L -n -t nat
I don't see
Code:
"\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"
getting executed. What's wrong with the above codes?
#2, 07-15-2006, 05:35 PM
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
get rid of the echoes if you want the commands to be executed...
Last edited by win32sux; 07-15-2006 at 06:07 PM.
#3, 07-16-2006, 09:57 AM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
So they look like this ....
Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'"; done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"; done
These codes don't work ... I also tried with only 'do' ....
Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'"; done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"; done
Last edited by gabsik; 07-16-2006 at 10:00 AM.
#4, 07-16-2006, 10:20 AM
Moderator, Registered: May 2001, Posts: 29,415
Try this.
Code:
# (stray space before ^190\. in the pattern removed, otherwise that alternative can never match)
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
done
Who on earth posted this crappy shellcode? ;-p
#5, 07-16-2006, 10:50 AM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
I'm using an iptables script starting #/bin/bash -x and that's the output:
As you see the iptables command doesn't get executed.
#6, 07-16-2006, 11:18 AM
Moderator, Registered: May 2001, Posts: 29,415
Not enough info.
#7, 07-16-2006, 01:24 PM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
An iptables -L -n -t nat doesn't show a
Code:
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
What other info do you need?
#8, 07-16-2006, 01:47 PM
Moderator, Registered: May 2001, Posts: 29,415
Control the script (the one marked "Try this.") for stuff like binary location and device names, then run from the command line, then check iptables -L -n -t nat?
#9, 07-16-2006, 06:37 PM
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
i tried the script as posted by unSpawn... the only difference is i changed the path to iptables (mine is at /usr/sbin/iptables) and the ULOG to a LOG cuz i don't use ULOG...
Code:
bash-3.00# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 224.0.0.0/3 0.0.0.0/0
LOG all -- 224.0.0.0/3 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 223.0.0.0/8 0.0.0.0/0
LOG all -- 223.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 198.18.0.0/15 0.0.0.0/0
LOG all -- 198.18.0.0/15 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 197.0.0.0/8 0.0.0.0/0
LOG all -- 197.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 192.0.2.0/24 0.0.0.0/0
LOG all -- 192.0.2.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 187.0.0.0/8 0.0.0.0/0
LOG all -- 187.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 186.0.0.0/8 0.0.0.0/0
LOG all -- 186.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 185.0.0.0/8 0.0.0.0/0
LOG all -- 185.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 184.0.0.0/8 0.0.0.0/0
LOG all -- 184.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 183.0.0.0/8 0.0.0.0/0
LOG all -- 183.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 182.0.0.0/8 0.0.0.0/0
LOG all -- 182.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 181.0.0.0/8 0.0.0.0/0
LOG all -- 181.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 180.0.0.0/8 0.0.0.0/0
LOG all -- 180.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 179.0.0.0/8 0.0.0.0/0
LOG all -- 179.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 178.0.0.0/8 0.0.0.0/0
LOG all -- 178.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 177.0.0.0/8 0.0.0.0/0
LOG all -- 177.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 176.0.0.0/8 0.0.0.0/0
LOG all -- 176.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 175.0.0.0/8 0.0.0.0/0
LOG all -- 175.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 174.0.0.0/8 0.0.0.0/0
LOG all -- 174.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 173.0.0.0/8 0.0.0.0/0
LOG all -- 173.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 172.16.0.0/12 0.0.0.0/0
LOG all -- 172.16.0.0/12 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 169.254.0.0/16 0.0.0.0/0
LOG all -- 169.254.0.0/16 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 120.0.0.0/8 0.0.0.0/0
LOG all -- 120.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 119.0.0.0/8 0.0.0.0/0
LOG all -- 119.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 118.0.0.0/8 0.0.0.0/0
LOG all -- 118.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 117.0.0.0/8 0.0.0.0/0
LOG all -- 117.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 116.0.0.0/8 0.0.0.0/0
LOG all -- 116.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 115.0.0.0/8 0.0.0.0/0
LOG all -- 115.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 114.0.0.0/8 0.0.0.0/0
LOG all -- 114.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 113.0.0.0/8 0.0.0.0/0
LOG all -- 113.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 112.0.0.0/8 0.0.0.0/0
LOG all -- 112.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 111.0.0.0/8 0.0.0.0/0
LOG all -- 111.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 110.0.0.0/8 0.0.0.0/0
LOG all -- 110.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 109.0.0.0/8 0.0.0.0/0
LOG all -- 109.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 108.0.0.0/8 0.0.0.0/0
LOG all -- 108.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 107.0.0.0/8 0.0.0.0/0
LOG all -- 107.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 106.0.0.0/8 0.0.0.0/0
LOG all -- 106.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 105.0.0.0/8 0.0.0.0/0
LOG all -- 105.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 104.0.0.0/8 0.0.0.0/0
LOG all -- 104.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 103.0.0.0/8 0.0.0.0/0
LOG all -- 103.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 102.0.0.0/8 0.0.0.0/0
LOG all -- 102.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 101.0.0.0/8 0.0.0.0/0
LOG all -- 101.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 100.0.0.0/8 0.0.0.0/0
LOG all -- 100.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 99.0.0.0/8 0.0.0.0/0
LOG all -- 99.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 98.0.0.0/8 0.0.0.0/0
LOG all -- 98.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 97.0.0.0/8 0.0.0.0/0
LOG all -- 97.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 96.0.0.0/8 0.0.0.0/0
LOG all -- 96.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 95.0.0.0/8 0.0.0.0/0
LOG all -- 95.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 94.0.0.0/8 0.0.0.0/0
LOG all -- 94.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 93.0.0.0/8 0.0.0.0/0
LOG all -- 93.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 92.0.0.0/8 0.0.0.0/0
LOG all -- 92.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 79.0.0.0/8 0.0.0.0/0
LOG all -- 79.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 78.0.0.0/8 0.0.0.0/0
LOG all -- 78.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 77.0.0.0/8 0.0.0.0/0
LOG all -- 77.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 50.0.0.0/8 0.0.0.0/0
LOG all -- 50.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 49.0.0.0/8 0.0.0.0/0
LOG all -- 49.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 42.0.0.0/8 0.0.0.0/0
LOG all -- 42.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 39.0.0.0/8 0.0.0.0/0
LOG all -- 39.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 37.0.0.0/8 0.0.0.0/0
LOG all -- 37.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 36.0.0.0/8 0.0.0.0/0
LOG all -- 36.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 31.0.0.0/8 0.0.0.0/0
LOG all -- 31.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 27.0.0.0/8 0.0.0.0/0
LOG all -- 27.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 23.0.0.0/8 0.0.0.0/0
LOG all -- 23.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 10.0.0.0/8 0.0.0.0/0
LOG all -- 10.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 7.0.0.0/8 0.0.0.0/0
LOG all -- 7.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 5.0.0.0/8 0.0.0.0/0
LOG all -- 5.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 2.0.0.0/8 0.0.0.0/0
LOG all -- 2.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 1.0.0.0/8 0.0.0.0/0
LOG all -- 1.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP all -- 0.0.0.0/8 0.0.0.0/0
LOG all -- 0.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4 prefix `BOGON_SPOOF:'
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
seems to work fine, so i'm not sure why it doesn't work for you...
BTW, i also agree that this is a pretty crappy script...
Last edited by win32sux; 07-16-2006 at 07:57 PM.
#10, 07-16-2006, 07:56 PM
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
BTW, the order of the rules in the script should be inverted... because as it is, the DROP rule would be inserted before the LOG rule, which makes the LOG rules completely useless... it should look like this instead:
Code:
# (stray space before ^190\. in the pattern removed, otherwise that alternative can never match)
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done
i would also make a couple recommendations:
1) use the FORWARD chain for this instead of PREROUTING...
2) get rid of the downloading part from the iptables script... just keep a copy of the file somewhere on the box, so you'd only need the script to grep it without downloading anything... even if you're obsessed with having the very latest version of the file, you'd be better-off with a cron job that downloads the file every so often and only replaces your current one if the MD5 is different...
Last edited by win32sux; 07-16-2006 at 08:19 PM.
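As an added example (not code from the thread) of the second recommendation above, a refresh step a cron job could call: it downloads to a temporary file and swaps it in only when the checksum differs from the local copy the firewall script greps. fetch_list and FAKE_REMOTE are stand-ins for the wget download so the example runs offline; the real job would fetch http://www.cymru.com/Documents/bogon-bn-nonagg.txt there.

```shell
#!/bin/sh
# fetch_list <dest>: hypothetical download step. The real cron job would run
#   wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O "$1"
# Here it writes constructed content from $FAKE_REMOTE so the example runs offline.
FAKE_REMOTE='10.0.0.0/8
192.0.2.0/24'
fetch_list() { printf '%s\n' "$FAKE_REMOTE" > "$1"; }

# Checksum of a file: md5sum as the thread suggests, cksum as a fallback.
sum_of() { { md5sum < "$1" 2>/dev/null || cksum < "$1"; } | cut -d' ' -f1; }

# refresh_bogons <local copy>
# Downloads to a temp file and replaces the local copy only when the checksum
# differs. Returns 0 when replaced, 1 when unchanged, 2 when the download failed,
# so a cron job can decide whether the firewall script needs to be re-run.
refresh_bogons() {
    local_copy=$1
    tmp=$(mktemp) || return 2
    if ! fetch_list "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    new_sum=$(sum_of "$tmp")
    old_sum=$( [ -f "$local_copy" ] && sum_of "$local_copy" )
    if [ "$new_sum" = "$old_sum" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$local_copy"
}
```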
#11, 07-16-2006, 10:09 PM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
If you use DROP before ULOG, packets will get dropped before any log can take place, so no logs. Forgive me, but that's the way it works for me.
This is the entire iptables -t nat -L -n
Code:
root@argo:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 192.168.0.2 udp dpt:995 to:192.168.1.6:995
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:995 to:192.168.1.6:995
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpts:60000:65534 to:192.168.1.6:60000-65534
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:21 to:192.168.1.6:21
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:20 to:192.168.1.6:20
DNAT udp -- 0.0.0.0/0 192.168.0.2 udp dpt:32768 to:192.168.1.6:32768
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpts:6664:6667 to:192.168.1.6:6664-6667
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:25 to:192.168.1.6:25
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:443 to:192.168.1.4:443
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:80 to:192.168.1.4:80
DROP tcp -- 140.247.0.0/16 192.168.1.0/24
DROP tcp -- 88.198.0.0/16 192.168.1.0/24
DROP tcp -- 66.70.0.0/16 192.168.1.0/24
DROP tcp -- 195.87.0.0/16 192.168.1.0/24
DROP tcp -- 69.147.0.0/16 192.168.1.0/24
DROP tcp -- 149.9.0.0/16 192.168.1.0/24
DROP tcp -- 141.149.0.0/16 192.168.1.0/24
DROP tcp -- 221.203.0.0/16 192.168.1.0/24
DROP tcp -- 80.131.0.0/16 192.168.1.0/24
DROP tcp -- 87.10.0.0/16 192.168.1.0/24
DROP tcp -- 151.0.0.0/8 192.168.1.0/24
DROP tcp -- 83.184.0.0/16 192.168.1.0/24
DROP tcp -- 62.0.0.0/8 192.168.1.0/24
DROP tcp -- 81.73.0.0/16 192.168.1.0/24
DROP tcp -- 212.0.0.0/8 192.168.1.0/24
DROP tcp -- 204.16.0.0/16 192.168.1.0/24
DROP tcp -- 86.216.0.0/16 192.168.1.0/24
DROP tcp -- 85.182.0.0/16 192.168.1.0/24
DROP tcp -- 83.0.0.0/8 192.168.1.0/24
DROP tcp -- 82.0.0.0/8 192.168.1.0/24
DROP tcp -- 87.0.0.0/8 192.168.1.0/24
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:1029
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,136,137,138,139,445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,136,137,138,139,445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 3/sec burst 5
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0
SNAT all -- 192.168.1.0/24 192.168.0.0/24 to:192.168.0.2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain CHECK_FLAGS (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.1.0/24 limit: avg 5/sec burst 5 tcp flags:0x3F/0x02
ACCEPT tcp -- 0.0.0.0/0 192.168.1.0/24 limit: avg 5/sec burst 5 tcp flags:0x3F/0x01
ACCEPT tcp -- 0.0.0.0/0 192.168.1.0/24 limit: avg 5/sec burst 5 tcp flags:0x3F/0x04
DROP tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x03/0x03
ULOG tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x03/0x03 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `SYN/FIN:' queue_threshold 1
DROP tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x06/0x06
ULOG tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x06/0x06 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `SYN/RST:' queue_threshold 1
DROP tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x3F/0x29
ULOG tcp -- 0.0.0.0/0 192.168.1.0/24 tcp flags:0x3F/0x29 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `NMAP-XMAS:' queue_threshold 1
And the antispoof did not happen!
Do you know a better way?
#12, 07-16-2006, 10:14 PM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
As far as I know the ULOG should come first and then DROP.
That's my iptables -t nat -L -n
Code:
root@argo:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 192.168.0.2 udp dpt:995 to:192.168.1.6:995
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:995 to:192.168.1.6:995
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpts:60000:65534 to:192.168.1.6:60000-65534
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:21 to:192.168.1.6:21
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:20 to:192.168.1.6:20
DNAT udp -- 0.0.0.0/0 192.168.0.2 udp dpt:32768 to:192.168.1.6:32768
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpts:6664:6667 to:192.168.1.6:6664-6667
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:25 to:192.168.1.6:25
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:443 to:192.168.1.4:443
DNAT tcp -- 0.0.0.0/0 192.168.0.2 tcp dpt:80 to:192.168.1.4:80
DROP tcp -- 140.247.0.0/16 192.168.1.0/24
DROP tcp -- 88.198.0.0/16 192.168.1.0/24
DROP tcp -- 66.70.0.0/16 192.168.1.0/24
DROP tcp -- 195.87.0.0/16 192.168.1.0/24
DROP tcp -- 69.147.0.0/16 192.168.1.0/24
DROP tcp -- 149.9.0.0/16 192.168.1.0/24
DROP tcp -- 141.149.0.0/16 192.168.1.0/24
DROP tcp -- 221.203.0.0/16 192.168.1.0/24
DROP tcp -- 80.131.0.0/16 192.168.1.0/24
DROP tcp -- 87.10.0.0/16 192.168.1.0/24
DROP tcp -- 151.0.0.0/8 192.168.1.0/24
DROP tcp -- 83.184.0.0/16 192.168.1.0/24
DROP tcp -- 62.0.0.0/8 192.168.1.0/24
DROP tcp -- 81.73.0.0/16 192.168.1.0/24
DROP tcp -- 212.0.0.0/8 192.168.1.0/24
DROP tcp -- 204.16.0.0/16 192.168.1.0/24
DROP tcp -- 86.216.0.0/16 192.168.1.0/24
DROP tcp -- 85.182.0.0/16 192.168.1.0/24
DROP tcp -- 83.0.0.0/8 192.168.1.0/24
DROP tcp -- 82.0.0.0/8 192.168.1.0/24
DROP tcp -- 87.0.0.0/8 192.168.1.0/24
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:1029
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,136,137,138,139,445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,136,137,138,139,445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 3/sec burst 5
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0
SNAT all -- 192.168.1.0/24 192.168.0.0/24 to:192.168.0.2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The iptables part of the script did not happen!
#13, 07-16-2006, 10:57 PM
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by gabsik
If you use DROP before ULOG, packets will get dropped before any log can take place, so no logs. Forgive me, but that's the way it works for me.
yes, that's precisely the point... but you're misunderstanding... when you use the -I the rules get INSERTED at the start of the chain, that's why you need to insert the DROP rule before you insert the LOG rule... this is how iptables works, you can't change that...
to summarize: if you want the LOG to go before the DROP, then you need to insert the DROP *first* and then the LOG...
i'm not sure why it isn't working for you, it works fine here... maybe post your entire script to see if something is happening somewhere which is creating the problem for you?? like i said, i'm not sure...
#14, 07-16-2006, 11:31 PM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
Pardon, you are right, I missed the -I ... it's not working anyway.
Do you know a script better than this one?
#15, 07-16-2006, 11:35 PM
Member (Original Poster), Registered: Dec 2005, Location: This planet, Distribution: Debian,Xubuntu, Posts: 567
Code:
# (stray space before ^190\. in the pattern removed, otherwise that alternative can never match)
cat /root/bogon-bn-nonagg.txt |\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
/sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done
I'm using this and it works, cheers!
Last edited by gabsik; 07-17-2006 at 12:22 AM.
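An added example, not code from the thread, that runs the same loop shape as the working script above against a hypothetical fake_iptables function (with a constructed sample list in place of the download), so the effect of -I on rule order explained in #13 can be checked without a live firewall: inserting DROP first and then LOG leaves LOG on top for every prefix, while inserting them the other way round does not.

```shell
#!/bin/sh
# Constructed stand-in for the downloaded bogon-bn-nonagg.txt (not the real
# list). 127., 190. and 192.168. are covered by the thread's exclusion regex.
BOGON_LIST='0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
190.0.0.0/8
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3'

# The thread's egrep -v pattern, without the stray space before ^190\. that
# turned that alternative into one which can never match.
EXCLUDE_RE='(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)'

filter_bogons() {
    printf '%s\n' "$BOGON_LIST" | grep -Ev "$EXCLUDE_RE"
}

# Hypothetical stand-in for /sbin/iptables. It only looks at -s and -j and
# models "-I <chain>" the way the real tool does: the new rule goes to the TOP
# of the chain. $CHAIN holds one "TARGET prefix" line per rule, top rule first.
CHAIN=''
fake_iptables() {
    src=''; target=''
    while [ $# -gt 0 ]; do
        case $1 in
            -s) src=$2; shift ;;
            -j) target=$2; shift ;;
        esac
        shift
    done
    if [ -z "$CHAIN" ]; then CHAIN="$target $src"; else CHAIN="$target $src
$CHAIN"; fi
}

# Same loop shape as the script in the thread. For every prefix $1 is inserted
# first and $2 second, so with -I the $2 rule ends up above the $1 rule.
build_chain() {
    CHAIN=''
    for s in $(filter_bogons); do
        fake_iptables -t nat -I PREROUTING -i eth0 -s "$s" -j "$1"
        fake_iptables -t nat -I PREROUTING -i eth0 -s "$s" -j "$2"
    done
}

# Returns 0 when the first rule for every prefix is the LOG rule (the packet is
# logged before it is dropped), 1 otherwise.
log_precedes_drop() {
    printf '%s\n' "$CHAIN" | awk '
        !($2 in seen) { seen[$2] = 1; if ($1 != "LOG") bad = 1 }
        END { exit bad + 0 }'
}

rule_count() { printf '%s\n' "$CHAIN" | grep -c .; }

# DROP inserted first, then LOG: the order win32sux recommends.
build_chain DROP LOG
printf 'PREROUTING after the corrected loop (top first):\n%s\n' "$CHAIN"
```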