LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-02-2006, 05:45 PM   #1
ithawtewrong
Member
 
Registered: Jul 2004
Location: Mile High
Posts: 161

Rep: Reputation: 30
Firestarter - iptables and blocking ranges


I'm using Firestarter and made and Outbound rule to block a range of IP's that was listed on isc.sans.org as being notorious scripting bad guys. I tried to test it out just by pinging an address in that range. I got this in my log file and can't seem to decipher what happened. The message seems to have caught a different IP range coming in, but then it list my source in [] with the actual destination I pinged. The thing I found odd was that while the range is supposed to be blocked I got replies on the ping.

Edited:
Oct 31 19:33:28 localhost kernel: [ 6459.478636] Inbound IN=wlan0 OUT= MAC=MY:MA:CAD:RE:SS:OT:HE:RM:AC:ADR SRC=213.17.154.194 DST=192.168.15.2 LEN=56 TOS=0x00 PREC=0x20 TTL=47 ID=58444 DF PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.15.2 DST=85.255.1.1 LEN=84 TOS=0x18 PREC=0x20 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36134 SEQ=18 ]

I also don't understand, and can't find documentation on what LSO means in the OUTBOUND chain that is created by Firestarter and shows as output when I run iptables -L:

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSO all -- anywhere 85.255.0.0/16
ACCEPT all -- anywhere anywhere

The range I wanted to block is 85.255.112.0 - 85.255.127.0. I know the way I entered it encompasses a larger IP range, but my initial try was simply to see if the traffic would be blocked.

I'd also like to know if the revised chain below would block Incoming and Outgoing packets to the IP range specified above.

/sbin/iptables -A INPUT -p all -m iprange --src-range 85.255.112.0-85.255.127.0 -j DROP
/sbin/iptables -A OUTPUT -p all -m iprange --dst-range 85.255.112.0-85.255.127.0 -j DROP

So I guess to summarize I'm trying to decipher my log output, get an explanation on the LSO meaning to iptables, and if the new rule I have listed would work for what I want to do.

Thanks for your time.
 
Old 11-04-2006, 08:04 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
you'd have to post your iptables configuration for us to see what's really going on:
Code:
iptables -L -n -v
that said, if your iprange rules aren't working, i'd *suspect* it's cuz the packets are getting sent to ACCEPT by a rule above your iprange/DROP rules... if that's the case, the switching to a -I (insert) instead of a -A (append) would do the trick... but like i said, there no way to tell without actually seeing what your iptables configuration looks like...
 
Old 11-04-2006, 01:35 PM   #3
ithawtewrong
Member
 
Registered: Jul 2004
Location: Mile High
Posts: 161

Original Poster
Rep: Reputation: 30
Here's the output of iptables -L -n -v

Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
5228 7753K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 68.87.69.146 0.0.0.0/0 tcp flags:!0x17/0x02
9 1125 ACCEPT udp -- * * 68.87.69.146 0.0.0.0/0
0 0 ACCEPT tcp -- * * 68.87.85.98 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 ACCEPT udp -- * * 68.87.85.98 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
0 0 LSI udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
5 280 LSI icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- wlan0 * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.15.7
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
5228 7753K INBOUND all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
0 0 LSI udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
0 0 LSI icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'

Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination

Chain LSI (6 references)
pkts bytes target prot opt in out source destination
5 280 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
5 280 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
5 280 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LSO (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2835 126K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LSO all -- * * 0.0.0.0/0 85.255.0.0/16
13 572 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.15.2 68.87.69.146 tcp dpt:53
9 657 ACCEPT udp -- * * 192.168.15.2 68.87.69.146 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.15.2 68.87.85.98 tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.15.2 68.87.85.98 udp dpt:53
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2855 127K OUTBOUND all -- * wlan0 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'

This morning when I tried to ping the same address I got no reply, but I get the same entry in /var/log/messages that I posted above. It appears that the ping to 85.255.1.1 gets redirected to another IP (213.17.154.194) then tries to reply. Is that interpretation correct?
 
Old 11-04-2006, 02:08 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
i took a quick look and couldn't find anyting with the IPs you used in the iprange rules... are you sure you executed those commands?? in any case, these will filter any packets to/from those ranges, no matter what your config is like:
Code:
iptables -I INPUT -m iprange --src-range 85.255.112.0-85.255.127.0 -j DROP
iptables -I OUTPUT -m iprange --dst-range 85.255.112.0-85.255.127.0 -j DROP

Last edited by win32sux; 11-04-2006 at 02:10 PM.
 
Old 11-04-2006, 02:41 PM   #5
ithawtewrong
Member
 
Registered: Jul 2004
Location: Mile High
Posts: 161

Original Poster
Rep: Reputation: 30
Thanks for the follow up. I appreciate it. I'm not familiar with firewalls and it's one of those things that if they aren't setup right then what's the point?
I'll make the changes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Blocking IP ranges to the Internet caps_phisto Linux - Security 1 09-18-2006 11:19 AM
Firestarter Blocking Some Pings douceur Linux - Security 0 07-20-2005 10:41 AM
Forwarding port ranges using iptables --to ? ivj Linux - Networking 13 10-13-2004 04:05 AM
Blocking IP Address ranges in dhcpd.conf pmcdaid Linux - Networking 4 06-09-2004 10:18 AM
Blocking Iptables Ranges SuperSadSmile Linux - Security 6 02-09-2004 03:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration