I'm using Firestarter and made an Outbound rule to block a range of IPs that was listed on isc.sans.org as notorious scripting bad guys. I tried to test it out just by pinging an address in that range. I got this in my log file and can't seem to decipher what happened. The message seems to have caught a different IP range coming in, but then it lists my source in [] with the actual destination I pinged. The thing I found odd was that while the range is supposed to be blocked, I got replies on the ping.
Edited:
Oct 31 19:33:28 localhost kernel: [ 6459.478636] Inbound IN=wlan0 OUT= MAC=MY:MA:CAD:RE:SS:OT:HE:RM:AC:ADR SRC=213.17.154.194 DST=192.168.15.2 LEN=56 TOS=0x00 PREC=0x20 TTL=47 ID=58444 DF PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.15.2 DST=85.255.1.1 LEN=84 TOS=0x18 PREC=0x20 TTL=43 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36134 SEQ=18 ]
I also don't understand, and can't find documentation on, what LSO means in the OUTBOUND chain that Firestarter creates, which shows up in the output when I run iptables -L:
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSO all -- anywhere 85.255.0.0/16
ACCEPT all -- anywhere anywhere
The range I wanted to block is 85.255.112.0 - 85.255.127.0. I know the way I entered it encompasses a larger IP range, but my initial try was simply to see if the traffic would be blocked.
I'd also like to know if the revised chain below would block Incoming and Outgoing packets to the IP range specified above.
/sbin/iptables -A INPUT -p all -m iprange --src-range 85.255.112.0-85.255.127.0 -j DROP
/sbin/iptables -A OUTPUT -p all -m iprange --dst-range 85.255.112.0-85.255.127.0 -j DROP
So, to summarize, I'm trying to decipher my log output, get an explanation of what LSO means in iptables, and find out whether the new rules I listed would do what I want.
Thanks for your time.
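The log line in the post is in the standard netfilter LOG format that the kernel writes (Firestarter only supplies the "Inbound"/"Outbound" prefix). For an ICMP error such as type 3 (destination unreachable), the kernel appends, in square brackets, the header of the original packet that the error quotes, which is why the poster's own source address and the pinged destination appear inside the []. The following parser, added here as an example and not code from the post or from Firestarter, decodes such a line into its outer and quoted inner headers, names the ICMP type/code pair, and includes an inclusive start-end address check with the semantics of iptables `-m iprange`. The sample line is the one from the post, with the MAC field kept redacted exactly as the poster wrote it; the ICMP name table covers only a few common type/code pairs.

```python
"""Decode a netfilter/iptables LOG line, including the quoted inner header that
ICMP error messages carry in [ ... ].  Added example, not part of the original
post or of Firestarter."""
import ipaddress
import re

# Constructed from the log line in the post (MAC field left redacted as posted).
SAMPLE_LINE = (
    "Oct 31 19:33:28 localhost kernel: [ 6459.478636] Inbound IN=wlan0 OUT= "
    "MAC=MY:MA:CAD:RE:SS:OT:HE:RM:AC:ADR SRC=213.17.154.194 DST=192.168.15.2 "
    "LEN=56 TOS=0x00 PREC=0x20 TTL=47 ID=58444 DF PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=192.168.15.2 DST=85.255.1.1 LEN=84 TOS=0x18 PREC=0x20 TTL=43 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=36134 SEQ=18 ]"
)

# A small subset of ICMP (type, code) pairs; extend as needed.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 13): "destination unreachable: communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

# syslog timestamp, host, "kernel: [ uptime]", optional log prefix, then KEY=value body.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"(?:(?P<prefix>[^=\s]+) )?(?P<body>.*)$"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_fields(text):
    """Turn 'KEY=value KEY=value DF' into a dict; bare flags like DF become True.
    For ICMP the kernel prints a second ID= (the echo identifier) after PROTO=;
    a repeated key is stored under an ICMP_ prefix so the IP ID is not lost."""
    fields = {}
    for token in text.split():
        m = FIELD_RE.fullmatch(token)
        if not m:
            fields[token] = True
            continue
        key, value = m.group(1), m.group(2)
        if key in fields:
            key = "ICMP_" + key
        fields[key] = value
    return fields


def parse_log_line(line):
    """Return timestamp, host, log prefix, outer header fields and, for ICMP
    errors, the quoted inner header (None when no [ ... ] section is present)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    body = m.group("body")
    inner = None
    if "[" in body:
        body, inner_text = body.split("[", 1)
        inner = parse_fields(inner_text.rstrip(" ]"))
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix"),
        "outer": parse_fields(body),
        "inner": inner,
    }


def icmp_name(fields):
    """Human-readable name for the TYPE/CODE pair of an ICMP header dict."""
    return ICMP_NAMES.get((int(fields["TYPE"]), int(fields["CODE"])), "unknown")


def explain(parsed):
    """One-paragraph reading of the parsed line, including the quoted packet."""
    o = parsed["outer"]
    text = (f"{parsed['prefix'] or 'packet'} on {o.get('IN') or o.get('OUT')}: "
            f"{o['PROTO']} {o['SRC']} -> {o['DST']}")
    if o.get("PROTO") == "ICMP":
        text += f" ({icmp_name(o)})"
    if parsed["inner"]:
        i = parsed["inner"]
        text += (f"; quoted original packet {i['SRC']} -> {i['DST']} "
                 f"{i['PROTO']} ({icmp_name(i)})")
    return text


def in_iprange(addr, start, end):
    """Inclusive start-end check, the semantics of iptables -m iprange."""
    a = int(ipaddress.IPv4Address(addr))
    return int(ipaddress.IPv4Address(start)) <= a <= int(ipaddress.IPv4Address(end))


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LINE)
    print(explain(parsed))
    for host in ("85.255.1.1", "85.255.120.9", "85.255.127.5"):
        print(host, in_iprange(host, "85.255.112.0", "85.255.127.0"))
```

Note that `in_iprange` treats the end address as inclusive, so a range written as 85.255.112.0-85.255.127.0 stops at 85.255.127.0 and does not cover 85.255.127.1 through 85.255.127.255; a range ending in 85.255.127.255 (or the CIDR 85.255.112.0/20) covers the whole /20.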