Old 07-15-2006, 10:19 AM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Antispoof iptables codes!


Quote:
# ANTISPOOF
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.| ^190\.)"|\
while read s; do echo "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'"; done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.| ^190\.)"|\
while read s; do echo "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"; done
I'm using these 2 codes in my iptables to prevent spoofing, but when I launch
Code:
#iptables -L -n -t nat
I don't see
Code:
"\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP"
getting executed. What's wrong with the above codes?
 
Old 07-15-2006, 05:35 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

get rid of the echoes if you want the commands to be executed...

Last edited by win32sux; 07-15-2006 at 06:07 PM.
 
Old 07-16-2006, 09:57 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
So they look like this ....
Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'";  done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP";  done
These codes don't work ... I also tried with only 'do' ....

Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'";  done
#
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do "\ $ipt -t nat -I PREROUTING -i \$INT -s $s -j DROP";  done

Last edited by gabsik; 07-16-2006 at 10:00 AM.
 
Old 07-16-2006, 10:20 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Try this.
Code:
# no space before ^190\. in the pattern: with one, that prefix is never excluded
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j ULOG --ulog-prefix 'BOGON_SPOOF:'
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j DROP
done
Who on earth posted this crappy shellcode? ;-p
 
Old 07-16-2006, 10:50 AM   #5
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
I'm using an iptables script starting with #!/bin/bash -x and that's the output:
Code:
+ wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout
+ egrep -ve '(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.| ^190\.)'
+ read s
As you see the iptables command doesn't get executed.
 
Old 07-16-2006, 11:18 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Not enough info.
 
Old 07-16-2006, 01:24 PM   #7
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
An iptables -L -n -t nat doesn't show a
Code:
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j ULOG --ulog-prefix 'BOGON_SPOOF:'
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s $s -j DROP
What other info do you need?
 
Old 07-16-2006, 01:47 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Control the script (the one marked "Try this.") for stuff like binary location and device names, then run from the command line, then check iptables -L -n -t nat?
 
Old 07-16-2006, 06:37 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

i tried the script as posted by unSpawn... the only difference is i changed the path to iptables (mine is at /usr/sbin/iptables) and the ULOG to a LOG cuz i don't use ULOG...

Code:
bash-3.00# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  224.0.0.0/3          0.0.0.0/0           
LOG        all  --  224.0.0.0/3          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  223.0.0.0/8          0.0.0.0/0           
LOG        all  --  223.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  198.18.0.0/15        0.0.0.0/0           
LOG        all  --  198.18.0.0/15        0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  197.0.0.0/8          0.0.0.0/0           
LOG        all  --  197.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
LOG        all  --  192.0.2.0/24         0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  187.0.0.0/8          0.0.0.0/0           
LOG        all  --  187.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  186.0.0.0/8          0.0.0.0/0           
LOG        all  --  186.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  185.0.0.0/8          0.0.0.0/0           
LOG        all  --  185.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  184.0.0.0/8          0.0.0.0/0           
LOG        all  --  184.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  183.0.0.0/8          0.0.0.0/0           
LOG        all  --  183.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  182.0.0.0/8          0.0.0.0/0           
LOG        all  --  182.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  181.0.0.0/8          0.0.0.0/0           
LOG        all  --  181.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  180.0.0.0/8          0.0.0.0/0           
LOG        all  --  180.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  179.0.0.0/8          0.0.0.0/0           
LOG        all  --  179.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  178.0.0.0/8          0.0.0.0/0           
LOG        all  --  178.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  177.0.0.0/8          0.0.0.0/0           
LOG        all  --  177.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  176.0.0.0/8          0.0.0.0/0           
LOG        all  --  176.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  175.0.0.0/8          0.0.0.0/0           
LOG        all  --  175.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  174.0.0.0/8          0.0.0.0/0           
LOG        all  --  174.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  173.0.0.0/8          0.0.0.0/0           
LOG        all  --  173.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  172.16.0.0/12        0.0.0.0/0           
LOG        all  --  172.16.0.0/12        0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  169.254.0.0/16       0.0.0.0/0           
LOG        all  --  169.254.0.0/16       0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  120.0.0.0/8          0.0.0.0/0           
LOG        all  --  120.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP       all  --  119.0.0.0/8          0.0.0.0/0           
LOG        all  --  119.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  118.0.0.0/8          0.0.0.0/0           
LOG        all  --  118.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  117.0.0.0/8          0.0.0.0/0           
LOG        all  --  117.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  116.0.0.0/8          0.0.0.0/0           
LOG        all  --  116.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  115.0.0.0/8          0.0.0.0/0           
LOG        all  --  115.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  114.0.0.0/8          0.0.0.0/0           
LOG        all  --  114.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  113.0.0.0/8          0.0.0.0/0           
LOG        all  --  113.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  112.0.0.0/8          0.0.0.0/0           
LOG        all  --  112.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  111.0.0.0/8          0.0.0.0/0           
LOG        all  --  111.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  110.0.0.0/8          0.0.0.0/0           
LOG        all  --  110.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  109.0.0.0/8          0.0.0.0/0           
LOG        all  --  109.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  108.0.0.0/8          0.0.0.0/0           
LOG        all  --  108.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  107.0.0.0/8          0.0.0.0/0           
LOG        all  --  107.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  106.0.0.0/8          0.0.0.0/0           
LOG        all  --  106.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  105.0.0.0/8          0.0.0.0/0           
LOG        all  --  105.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  104.0.0.0/8          0.0.0.0/0           
LOG        all  --  104.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  103.0.0.0/8          0.0.0.0/0           
LOG        all  --  103.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  102.0.0.0/8          0.0.0.0/0           
LOG        all  --  102.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  101.0.0.0/8          0.0.0.0/0           
LOG        all  --  101.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  100.0.0.0/8          0.0.0.0/0           
LOG        all  --  100.0.0.0/8          0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  99.0.0.0/8           0.0.0.0/0           
LOG        all  --  99.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  98.0.0.0/8           0.0.0.0/0           
LOG        all  --  98.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  97.0.0.0/8           0.0.0.0/0           
LOG        all  --  97.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  96.0.0.0/8           0.0.0.0/0           
LOG        all  --  96.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:'
DROP       all  --  95.0.0.0/8           0.0.0.0/0           
LOG        all  --  95.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  94.0.0.0/8           0.0.0.0/0           
LOG        all  --  94.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  93.0.0.0/8           0.0.0.0/0           
LOG        all  --  93.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  92.0.0.0/8           0.0.0.0/0           
LOG        all  --  92.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  79.0.0.0/8           0.0.0.0/0           
LOG        all  --  79.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  78.0.0.0/8           0.0.0.0/0           
LOG        all  --  78.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  77.0.0.0/8           0.0.0.0/0           
LOG        all  --  77.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  50.0.0.0/8           0.0.0.0/0           
LOG        all  --  50.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  49.0.0.0/8           0.0.0.0/0           
LOG        all  --  49.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  42.0.0.0/8           0.0.0.0/0           
LOG        all  --  42.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  39.0.0.0/8           0.0.0.0/0           
LOG        all  --  39.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  37.0.0.0/8           0.0.0.0/0           
LOG        all  --  37.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  36.0.0.0/8           0.0.0.0/0           
LOG        all  --  36.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  31.0.0.0/8           0.0.0.0/0           
LOG        all  --  31.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  27.0.0.0/8           0.0.0.0/0           
LOG        all  --  27.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  23.0.0.0/8           0.0.0.0/0           
LOG        all  --  23.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  10.0.0.0/8           0.0.0.0/0           
LOG        all  --  10.0.0.0/8           0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  7.0.0.0/8            0.0.0.0/0           
LOG        all  --  7.0.0.0/8            0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  5.0.0.0/8            0.0.0.0/0           
LOG        all  --  5.0.0.0/8            0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  2.0.0.0/8            0.0.0.0/0           
LOG        all  --  2.0.0.0/8            0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  1.0.0.0/8            0.0.0.0/0           
LOG        all  --  1.0.0.0/8            0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:' 
DROP       all  --  0.0.0.0/8            0.0.0.0/0           
LOG        all  --  0.0.0.0/8            0.0.0.0/0           LOG flags 0 level 4 prefix `BOGON_SPOOF:'

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
seems to work fine, so i'm not sure why it doesn't work for you...

BTW, i also agree that this is a pretty crappy script...

Last edited by win32sux; 07-16-2006 at 07:57 PM.
 
Old 07-16-2006, 07:56 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

BTW, the order of the rules in the script should be inverted... because as it is, the DROP rule would be inserted before the LOG rule, which makes the LOG rules completely useless... it should look like this instead:
Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
 # -I puts each new rule at the head of the chain: insert DROP first so the
 # ULOG rule inserted after it ends up above it and packets are logged first
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j DROP
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done
i would also make a couple of recommendations:

1) use the FORWARD chain for this instead of PREROUTING...

2) get rid of the downloading part from the iptables script... just keep a copy of the file somewhere on the box, so you'd only need the script to grep it without downloading anything... even if you're obsessed with having the very latest version of the file, you'd be better-off with a cron job that downloads the file every so often and only replaces your current one if the MD5 is different...

Last edited by win32sux; 07-16-2006 at 08:19 PM.
 
Old 07-16-2006, 10:09 PM   #11
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
If you use DROP before ULOG, packets will get dropped before any log can take place, so no logs. Forgive me, but that's the way it works for me.
This is the entire iptables -t nat -L -n:
Code:
root@argo:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.0.2         udp dpt:995 to:192.168.1.6:995
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:995 to:192.168.1.6:995
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpts:60000:65534 to:192.168.1.6:60000-65534
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:21 to:192.168.1.6:21
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:20 to:192.168.1.6:20
DNAT       udp  --  0.0.0.0/0            192.168.0.2         udp dpt:32768 to:192.168.1.6:32768
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpts:6664:6667 to:192.168.1.6:6664-6667
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:25 to:192.168.1.6:25
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:443 to:192.168.1.4:443
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:80 to:192.168.1.4:80
DROP       tcp  --  140.247.0.0/16       192.168.1.0/24
DROP       tcp  --  88.198.0.0/16        192.168.1.0/24
DROP       tcp  --  66.70.0.0/16         192.168.1.0/24
DROP       tcp  --  195.87.0.0/16        192.168.1.0/24
DROP       tcp  --  69.147.0.0/16        192.168.1.0/24
DROP       tcp  --  149.9.0.0/16         192.168.1.0/24
DROP       tcp  --  141.149.0.0/16       192.168.1.0/24
DROP       tcp  --  221.203.0.0/16       192.168.1.0/24
DROP       tcp  --  80.131.0.0/16        192.168.1.0/24
DROP       tcp  --  87.10.0.0/16         192.168.1.0/24
DROP       tcp  --  151.0.0.0/8          192.168.1.0/24
DROP       tcp  --  83.184.0.0/16        192.168.1.0/24
DROP       tcp  --  62.0.0.0/8           192.168.1.0/24
DROP       tcp  --  81.73.0.0/16         192.168.1.0/24
DROP       tcp  --  212.0.0.0/8          192.168.1.0/24
DROP       tcp  --  204.16.0.0/16        192.168.1.0/24
DROP       tcp  --  86.216.0.0/16        192.168.1.0/24
DROP       tcp  --  85.182.0.0/16        192.168.1.0/24
DROP       tcp  --  83.0.0.0/8           192.168.1.0/24
DROP       tcp  --  82.0.0.0/8           192.168.1.0/24
DROP       tcp  --  87.0.0.0/8           192.168.1.0/24
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1024:1029
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 135,136,137,138,139,445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 135,136,137,138,139,445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 3/sec burst 5

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0
SNAT       all  --  192.168.1.0/24       192.168.0.0/24      to:192.168.0.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain CHECK_FLAGS (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.0/24      limit: avg 5/sec burst 5 tcp flags:0x3F/0x02
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.0/24      limit: avg 5/sec burst 5 tcp flags:0x3F/0x01
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.0/24      limit: avg 5/sec burst 5 tcp flags:0x3F/0x04
DROP       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x03/0x03
ULOG       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x03/0x03 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `SYN/FIN:' queue_threshold 1
DROP       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x06/0x06
ULOG       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x06/0x06 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `SYN/RST:' queue_threshold 1
DROP       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x3F/0x29
ULOG       tcp  --  0.0.0.0/0            192.168.1.0/24      tcp flags:0x3F/0x29 limit: avg 5/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `NMAP-XMAS:' queue_threshold 1
And the antispoof did not happen!
Do you know a better way?
 
Old 07-16-2006, 10:14 PM   #12
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
As far as I know the ULOG should come first and then DROP.
That's my iptables -t nat -L -n:
Code:
root@argo:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.0.2         udp dpt:995 to:192.168.1.6:995
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:995 to:192.168.1.6:995
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpts:60000:65534 to:192.168.1.6:60000-65534
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:21 to:192.168.1.6:21
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:20 to:192.168.1.6:20
DNAT       udp  --  0.0.0.0/0            192.168.0.2         udp dpt:32768 to:192.168.1.6:32768
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpts:6664:6667 to:192.168.1.6:6664-6667
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:25 to:192.168.1.6:25
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:443 to:192.168.1.4:443
DNAT       tcp  --  0.0.0.0/0            192.168.0.2         tcp dpt:80 to:192.168.1.4:80
DROP       tcp  --  140.247.0.0/16       192.168.1.0/24
DROP       tcp  --  88.198.0.0/16        192.168.1.0/24
DROP       tcp  --  66.70.0.0/16         192.168.1.0/24
DROP       tcp  --  195.87.0.0/16        192.168.1.0/24
DROP       tcp  --  69.147.0.0/16        192.168.1.0/24
DROP       tcp  --  149.9.0.0/16         192.168.1.0/24
DROP       tcp  --  141.149.0.0/16       192.168.1.0/24
DROP       tcp  --  221.203.0.0/16       192.168.1.0/24
DROP       tcp  --  80.131.0.0/16        192.168.1.0/24
DROP       tcp  --  87.10.0.0/16         192.168.1.0/24
DROP       tcp  --  151.0.0.0/8          192.168.1.0/24
DROP       tcp  --  83.184.0.0/16        192.168.1.0/24
DROP       tcp  --  62.0.0.0/8           192.168.1.0/24
DROP       tcp  --  81.73.0.0/16         192.168.1.0/24
DROP       tcp  --  212.0.0.0/8          192.168.1.0/24
DROP       tcp  --  204.16.0.0/16        192.168.1.0/24
DROP       tcp  --  86.216.0.0/16        192.168.1.0/24
DROP       tcp  --  85.182.0.0/16        192.168.1.0/24
DROP       tcp  --  83.0.0.0/8           192.168.1.0/24
DROP       tcp  --  82.0.0.0/8           192.168.1.0/24
DROP       tcp  --  87.0.0.0/8           192.168.1.0/24
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1024:1029
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 135,136,137,138,139,445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 135,136,137,138,139,445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 3/sec burst 5

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0
SNAT       all  --  192.168.1.0/24       192.168.0.0/24      to:192.168.0.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The iptables part of the script did not happen!
 
Old 07-16-2006, 10:57 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by gabsik
If you use DROP before ULOG, packets will get dropped before any log can take place, so no logs. Forgive me, but that's the way it works for me.
yes, that's precisely the point... but you're misunderstanding... when you use the -I the rules get INSERTED at the start of the chain, that's why you need to insert the DROP rule before you insert the LOG rule... this is how iptables works, you can't change that...

to summarize: if you want the LOG to go before the DROP, then you need to insert the DROP *first* and then the LOG...

i'm not sure why it isn't working for you, it works fine here... maybe post your entire script to see if something is happening somewhere which is creating the problem for you?? like i said, i'm not sure...
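The two points win32sux makes above (keep a local copy of the list instead of downloading it from the firewall script, and remember that -I inserts at the head of the chain) can be checked without touching a live firewall. The script below is an added example and not code from this thread: it filters a local copy of the list with the same exclusions, emits the rules with -A into a dedicated chain so the order you read is the order packets see, and models what -I does to rule order. It defaults to a dry run that only prints the iptables commands (the echo-versus-execute confusion of the first post is confined to one `run` helper), it refuses to continue on a missing or empty list, and it uses LOG rather than ULOG, as win32sux did. The chain name BOGON, the INPUT hook and the contents of the sample list are my assumptions, not anything from the thread; the file path is the one gabsik uses.

```shell
#!/bin/sh
# Added example, not code from this thread: build bogon-filter rules from a
# LOCAL copy of the Team Cymru list and model what "iptables -I" does to rule
# order. Defaults to a dry run (prints the commands); set DRY_RUN=0 to apply.

BOGON_FILE="${BOGON_FILE:-/root/bogon-bn-nonagg.txt}"  # path used in the thread
IFACE="${IFACE:-eth0}"
IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Same exclusions as the thread's egrep, written once and without the stray
# space the original had before ^190\. (which silently kept that prefix).
EXCLUDE='^(127|192\.168|41|73|76|89|90|121|122|123|124|125|126|189|190)\.'

# Either print a command or execute it: the echo-vs-run switch the first
# post tripped over, in one place.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# CIDRs from the list that survive the exclusion filter (comments/blanks skipped).
filter_bogons() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev "$EXCLUDE"
}

# Emit the rules with -A into a dedicated chain (BOGON is an assumed name), so
# the order you read is the order packets see: LOG, then DROP. Refuses to run
# on a missing or empty list, which would otherwise produce no rules at all.
gen_rules() {
    if [ ! -s "$1" ]; then
        echo "bogon list $1 is missing or empty" >&2
        return 1
    fi
    run "$IPT" -N BOGON
    filter_bogons "$1" | while read -r s; do
        run "$IPT" -A BOGON -s "$s" -j LOG --log-prefix 'BOGON_SPOOF:'
        run "$IPT" -A BOGON -s "$s" -j DROP
    done
    # Hook the chain on the external interface in the filter table: FORWARD as
    # win32sux recommends, plus INPUT (my addition) for traffic to the box itself.
    run "$IPT" -I INPUT -i "$IFACE" -j BOGON
    run "$IPT" -I FORWARD -i "$IFACE" -j BOGON
}

# Model iptables -I: every insert lands at the HEAD of the chain. Given targets
# in the order they were inserted, print the order the chain ends up in.
chain_after_inserts() {
    chain=""
    for t in "$@"; do
        chain="$t${chain:+ $chain}"
    done
    printf '%s\n' "$chain"
}

# Constructed sample list in the file's format, for an offline dry run.
sample_list() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not the real Team Cymru list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
190.0.0.0/8
224.0.0.0/3
EOF
    printf '%s\n' "$tmp"
}

main() {
    if [ -s "$BOGON_FILE" ]; then
        gen_rules "$BOGON_FILE"
    else
        tmp=$(sample_list); gen_rules "$tmp"; rm -f "$tmp"
    fi
    echo "# inserting DROP then LOG with -I yields: $(chain_after_inserts DROP LOG)"
}

case "${1:-}" in --demo) main ;; esac
```

Run it with `--demo` to see the dry-run commands (it falls back to the constructed sample when the local list is absent); with `DRY_RUN=0` and root the same functions apply the rules. One caveat I would add to the thread's approach: the nat table is only consulted for the first packet of a connection, so PREROUTING in nat is a poor place for a filtering rule, which is one more reason to follow win32sux's advice and put these in the filter table.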
 
Old 07-16-2006, 11:31 PM   #14
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Pardon, you are right, I missed the -I ... it's not working anyway.
Do you know a script better than this one?
 
Old 07-16-2006, 11:35 PM   #15
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Code:
# read the list from a local copy instead of downloading it on every run
cat /root/bogon-bn-nonagg.txt |\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\
|^124\.|^125\.|^126\.|^189\.|^190\.)"|while read s; do
 # -I inserts at the head of the chain, so DROP goes in first and the ULOG
 # rule inserted after it ends up above it: packets are logged, then dropped
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j DROP
 /sbin/iptables -t nat -I PREROUTING -i eth0 -s "$s" -j ULOG --ulog-prefix 'BOGON_SPOOF:'
done
I'm using this and it works, cheers!

Last edited by gabsik; 07-17-2006 at 12:22 AM.
 