LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-08-2007, 06:56 PM   #16
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15

Can it be something else? Now my log is filled with:
(MAC with zz = the hardware router that's connected to the WAN interface on the gentoobox)
The other MAC I have no clue I'm afraid. Checked all the MACs I could think of.
Code:
Nov  8 22:21:12 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=22439 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:12 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23183 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:13 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23896 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:16 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=26576 PROTO=UDP SPT=138 DPT=138 LEN=182
Nov  8 22:21:16 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=26577 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:17 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=27280 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:17 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=28049 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:18 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Nov  8 22:21:20 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=30893 PROTO=UDP SPT=138 DPT=138 LEN=182
Nov  8 22:21:20 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=30894 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:21 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=31679 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:22 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32459 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:24 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=192.168.0.2 DST=192.168.0.255 LEN=211 TOS=0x00 PREC=0x00 TTL=128 ID=35145 PROTO=UDP SPT=138 DPT=138 LEN=191
Nov  8 22:23:24 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Nov  8 22:25:31 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Nov  8 22:27:37 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Nov  8 22:28:07 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov  8 22:29:14 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov  8 22:29:44 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:zz:zz:zz:zz:zz:zz:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
That happened after I unplugged the cable to my workstation in eth0 on gentoobox.
These are the last entries of the log, however. So it stopped doing whatever it's doing, up to now (01.55 AM). How come? What packets are these?
At least it tries to connect on the right interface, but it still isn't working. Port 138 UDP is NetBIOS, but since I don't have a Samba server I can't see why it's trying to use the NetBIOS service.
I know it's getting boring, sorry for that.
Thanks for the help so far.
And thanks in advance for the (hopefully) incoming answers.

Last edited by GeneralDark; 11-08-2007 at 07:10 PM.
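The log lines in this post are netfilter LOG output, and the fields answer the "what packets are these?" question directly. A note on the MAC field: it is the raw 14-byte Ethernet header, so the first six octets are the destination MAC (ff:ff:ff:ff:ff:ff for broadcast, 01:00:5e:... for IP multicast), the next six are the sender's MAC, and the last two are the EtherType (08:00 = IPv4). The "yy" group in the post therefore contains the sending host's MAC plus the EtherType, not a 16-byte address. The following script is an added example, not code from the thread or from any project mentioned in it: it parses lines of this shape, splits the MAC field, classifies each dropped packet (IGMP query, NetBIOS name/datagram broadcast, DHCP server broadcast) and tallies them. The sample log lines inside it are constructed to match the post's log with placeholder MACs.

```python
"""Parse netfilter LOG lines and classify the dropped packets.

Added example (not from the thread). The SAMPLE_LOG lines are constructed
to look like the post's log; the MAC addresses in them are placeholders.
"""
import re
from collections import Counter
from typing import Dict

# Constructed sample lines shaped like the post's log (MACs are placeholders).
SAMPLE_LOG = """\
Nov  8 22:21:12 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=22439 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 22:21:16 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=26576 PROTO=UDP SPT=138 DPT=138 LEN=182
Nov  8 22:21:18 firewall INPUT DROP: IN=eth1 OUT= MAC=01:00:5e:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Nov  8 22:28:07 firewall INPUT DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
"""

# syslog timestamp, host, the iptables --log-prefix text, then KEY=VAL tokens
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>.*?): (?P<rest>.*)$"
)

# Short tag -> explanation of what that traffic is and whether it matters.
DESCRIPTIONS = {
    "igmp-query": "IGMP membership query to the all-hosts group 224.0.0.1 "
                  "(router or switch asking who wants multicast); harmless",
    "netbios-ns": "NetBIOS Name Service broadcast, UDP 137 (a Windows host "
                  "registering or looking up names); noise unless you run Samba",
    "netbios-dgm": "NetBIOS Datagram Service broadcast, UDP 138 (browser/host "
                   "announcements); noise unless you run Samba",
    "dhcp-server": "DHCP server-to-client broadcast, UDP 67 -> 68 (offer/ack from the router)",
    "other": "not one of the known broadcast chatter types; worth a closer look",
}


def parse_line(line: str) -> Dict[str, str]:
    """Turn one netfilter LOG line into a dict of its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    fields = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice: IP total length first, then the UDP length.
            if key in fields:
                key = "L4_" + key
            fields[key] = val
        else:
            fields[tok] = "1"  # bare flags such as DF (don't fragment)
    # MAC= is the raw link-layer header: dst(6) : src(6) : ethertype(2)
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["dst_mac"] = ":".join(octets[:6])
        fields["src_mac"] = ":".join(octets[6:12])
        fields["ethertype"] = "".join(octets[12:])
    return fields


def classify(f: Dict[str, str]) -> str:
    """Map a parsed line to one of the DESCRIPTIONS tags."""
    proto, dst = f.get("PROTO"), f.get("DST", "")
    ports = (f.get("SPT"), f.get("DPT"))
    if proto == "2" and dst == "224.0.0.1":
        return "igmp-query"
    if proto == "UDP":
        if ports == ("137", "137"):
            return "netbios-ns"
        if ports == ("138", "138"):
            return "netbios-dgm"
        if ports == ("67", "68"):
            return "dhcp-server"
    return "other"


def is_broadcast_or_multicast(f: Dict[str, str]) -> bool:
    """True if the frame was addressed to everyone on the link, not to the firewall itself."""
    dst_mac = f.get("dst_mac", "")
    return (dst_mac == "ff:ff:ff:ff:ff:ff"
            or dst_mac.startswith("01:00:5e:")      # IPv4 multicast MAC prefix
            or f.get("DST") == "255.255.255.255")


def summarize(log_text: str) -> Dict[str, int]:
    """Count dropped packets per tag; unicast hits get a 'unicast:' prefix so they stand out."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        tag = classify(f)
        if not is_broadcast_or_multicast(f):
            tag = "unicast:" + tag
        counts[tag] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        print(f"{f['ts']} {f['SRC']:>13} -> {f['DST']:<15} from {f['src_mac']}: "
              f"{DESCRIPTIONS[classify(f)]}")
    print(summarize(SAMPLE_LOG))
```

Everything in the sample is broadcast or multicast chatter that any LAN host sees, which is why it shows up the moment the interface is connected and stops when the cable is pulled. If the goal is a quiet log rather than a record of every broadcast, a common defensive arrangement is to drop link-local chatter silently before the LOG rule (for example `-m addrtype --dst-type BROADCAST -j DROP` and a matching rule for 224.0.0.0/4) and to rate-limit the LOG rule itself with `-m limit`, so that the entries that remain are the unicast ones worth reading.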
 
Old 12-01-2007, 01:54 PM   #17
nowshining
Member
 
Registered: Dec 2007
Distribution: Ibex
Posts: 93

Rep: Reputation: 15
Have you tried out arno-iptables-firewall? It blocks all inbound, and to configure it you use /etc/arno-iptables-firewall/firewall.conf

Easy to read and understand, and there is a place in there to block outbound ports if you can find it. You can insert your own firewall rules in custom-rules (same folder). To restart the firewall, open up a terminal and type

sudo /etc/init.d/arno-iptables-firewall restart



http://rocky.eld.leidenuniv.nl/

http://rocky.eld.leidenuniv.nl/iptables-firewall/

Last edited by nowshining; 12-01-2007 at 01:55 PM.
 
Old 12-03-2007, 03:17 PM   #18
GeneralDark
Member
 
Registered: Nov 2007
Location: Sweden
Distribution: Gentoo 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Thanks a lot
By skipping the "blocking almost all outgoing traffic" rules it was much easier
Thanks for the arno script! Working like a charm
 
Old 12-04-2007, 04:36 PM   #19
nowshining
Member
 
Registered: Dec 2007
Distribution: Ibex
Posts: 93

Rep: Reputation: 15
You're welcome
 