Firestarter

ithawtewrong · 11-02-2006, 04:45 PM

I'm using Firestarter and made and Outbound rule to block a range of IP's that was listed on isc.sans.org as being notorious scripting bad guys. I tried to test it out just by pinging an address in that range. I got this in my log file and can't seem to decipher what happened. The message seems to have caught a different IP range coming in, but then it list my source in [] with the actual destination I pinged. The thing I found odd was that while the range is supposed to be blocked I got replies on the ping.

Edited:
Oct 31 19:33:28 localhost kernel: [ 6459.478636] Inbound IN=wlan0 OUT= MAC=MY:MA:CA

D:RE:SS:OT:HE:RM:AC:AD

R SRC=213.17.154.194 DST=192.168.15.2 LEN=56 TOS=0x00 PREC=0x20 TTL=47 ID=58444 DF PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.15.2 DST=85.255.1.1 LEN=84 TOS=0x18 PREC=0x20 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36134 SEQ=18 ]

I also don't understand, and can't find documentation on what LSO means in the OUTBOUND chain that is created by Firestarter and shows as output when I run iptables -L:

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSO all -- anywhere 85.255.0.0/16
ACCEPT all -- anywhere anywhere

The range I wanted to block is 85.255.112.0 - 85.255.127.0. I know the way I entered it encompasses a larger IP range, but my initial try was simply to see if the traffic would be blocked.

I'd also like to know if the revised chain below would block Incoming and Outgoing packets to the IP range specified above.

/sbin/iptables -A INPUT -p all -m iprange --src-range 85.255.112.0-85.255.127.0 -j DROP
/sbin/iptables -A OUTPUT -p all -m iprange --dst-range 85.255.112.0-85.255.127.0 -j DROP

So I guess to summarize I'm trying to decipher my log output, get an explanation on the LSO meaning to iptables, and if the new rule I have listed would work for what I want to do.

Thanks for your time.

win32sux · 11-04-2006, 07:04 AM

you'd have to post your iptables configuration for us to see what's really going on:

Code:

iptables -L -n -v

that said, if your iprange rules aren't working, i'd *suspect* it's cuz the packets are getting sent to ACCEPT by a rule above your iprange/DROP rules... if that's the case, the switching to a -I (insert) instead of a -A (append) would do the trick... but like i said, there no way to tell without actually seeing what your iptables configuration looks like...

ithawtewrong · 11-04-2006, 12:35 PM

Here's the output of iptables -L -n -v

Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
5228 7753K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 68.87.69.146 0.0.0.0/0 tcp flags:!0x17/0x02
9 1125 ACCEPT udp -- * * 68.87.69.146 0.0.0.0/0
0 0 ACCEPT tcp -- * * 68.87.85.98 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 ACCEPT udp -- * * 68.87.85.98 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
0 0 LSI udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
5 280 LSI icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- wlan0 * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.15.7
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
5228 7753K INBOUND all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
0 0 LSI udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
0 0 LSI icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'

Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination

Chain LSI (6 references)
pkts bytes target prot opt in out source destination
5 280 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
5 280 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
5 280 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LSO (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2835 126K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LSO all -- * * 0.0.0.0/0 85.255.0.0/16
13 572 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.15.2 68.87.69.146 tcp dpt:53
9 657 ACCEPT udp -- * * 192.168.15.2 68.87.69.146 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.15.2 68.87.85.98 tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.15.2 68.87.85.98 udp dpt:53
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2855 127K OUTBOUND all -- * wlan0 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'

This morning when I tried to ping the same address I got no reply, but I get the same entry in /var/log/messages that I posted above. It appears that the ping to 85.255.1.1 gets redirected to another IP (213.17.154.194) then tries to reply. Is that interpretation correct?

win32sux · 11-04-2006, 01:08 PM

i took a quick look and couldn't find anyting with the IPs you used in the iprange rules... are you sure you executed those commands?? in any case, these will filter any packets to/from those ranges, no matter what your config is like:

Code:

iptables -I INPUT -m iprange --src-range 85.255.112.0-85.255.127.0 -j DROP
iptables -I OUTPUT -m iprange --dst-range 85.255.112.0-85.255.127.0 -j DROP

ithawtewrong · 11-04-2006, 01:41 PM

Thanks for the follow up. I appreciate it. I'm not familiar with firewalls and it's one of those things that if they aren't setup right then what's the point?
I'll make the changes.