LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-23-2007, 04:29 PM   #1
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Rep: Reputation: 15
Firewall blocking


Hi,

I'm using firestarter to configure iptables and i'm getting messages similar to the following in my logs.

Feb 23 14:13:15 freevo kernel: Inbound IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325


I have my firewall set to let outbound traffic through by default and deny inbound traffic by default. This message should be outbound as my server ip is 192.168.0.50. What is causing this to be blocked and is there a way to let this through?

Thanks
 
Old 02-23-2007, 05:22 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
239.255.255.250 is a class D / multicast address.

Port 1900 appears to be Universal Plug N Play.

Is it possible firestarter is smart enough to block this type of udp traffic? We'll find it if you can post the results of:
Code:
# iptables -nvL
Please put it in code tags so that it's readable.
 
Old 02-23-2007, 05:35 PM   #3
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
Here is the information you requested.

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0           tcp flags:!0x17/0x02
 4679 1442K ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0
 2319 7620K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
 5252  549K INBOUND    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.50         192.168.0.1         tcp dpt:53
  229 13886 ACCEPT     udp  --  *      *       192.168.0.50         192.168.0.1         udp dpt:53
 2319 7620K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 6456 2734K OUTBOUND   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4622  471K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  455 34580 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       155.98.17.38         0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.17.38         0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.17.38         0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.17.38         0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpts:137:139
   23  4425 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:445
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:80
    5   220 ACCEPT     tcp  --  *      *       70.192.0.0/15        0.0.0.0/0           tcp dpt:9201
    0     0 ACCEPT     udp  --  *      *       70.192.0.0/15        0.0.0.0/0           udp dpt:9201
    0     0 ACCEPT     tcp  --  *      *       155.98.80.0/22       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.80.0/22       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.80.0/22       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.80.0/22       0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       155.98.17.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.17.0/24       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.17.0/24       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.17.0/24       0.0.0.0/0           udp dpt:80
   42  2016 ACCEPT     tcp  --  *      *       67.182.211.67        0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       67.182.211.67        0.0.0.0/0           udp dpt:80
    3   188 ACCEPT     tcp  --  *      *       67.182.211.67        0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       67.182.211.67        0.0.0.0/0           udp dpt:22
  102 35639 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LSI (2 references)
 pkts bytes target     prot opt in     out     source               destination
  102 35639 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
   64 20452 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
  102 35639 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LSO (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 5872 2663K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  213 16188 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  371 54163 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Last edited by Rekna; 02-24-2007 at 12:31 AM.
 
Old 02-24-2007, 12:08 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Code tags - not quote tags. Code tags make the columns line up nicely.

Anyway, the short answer is we can insert an iptables rule in the OUTPUT chain to explicitly allow outbound udp to that port. Is this what you want?

Another consideration is whether firestarter will clobber our new rule as soon as you restart it. I don't use/know firestarter - is there a facility to add your own rules with it?
 
Old 02-24-2007, 12:31 AM   #5
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
sorry I miss read what you said
 
Old 02-24-2007, 11:18 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I was hoping to get some more info from you (like answers to the two questions I asked).

For now let's say you want to allow that outbound traffic for that particular udp port. Here's a rather sloppy way to do that.
Code:
# iptables -I OUTPUT 3 -p udp -s 192.168.0.50 --dport 1900 -j ACCEPT
Note that I'm not advising that you do that. And I'll reiterate that firestarter will probably clobber the rule after you restart it. So if you want this to remain in place permanently, you'll have to find a way to add it through firestarter.
 
Old 02-27-2007, 07:03 PM   #7
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
Sorry about missing those questions.

I don't believe I can add lines directly into the firestarter configuration unfortunately. However after playing with the rules and watching the lines I found that if I added 192.168.0.50 to the inbound allow-from servers then this blocking no longer appears.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SUSE 10 firewall blocking johnhawk Linux - Security 1 07-18-2006 04:09 AM
firewall blocking internet k4zau Linux - Networking 1 09-24-2004 03:18 PM
firewall blocking teamspeak webmin??? GrumpyGnome Linux - Software 1 06-12-2004 08:18 PM
firewall traffic blocking help jaylee Linux - Security 8 06-30-2003 11:44 AM
Firewall not blocking ports... bfloeagle Linux - Security 9 05-20-2003 03:53 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration