LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-23-2007, 03:29 PM   #1
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Rep: Reputation: 15
Firewall blocking


Hi,

I'm using firestarter to configure iptables and I'm getting messages similar to the following in my logs.

Feb 23 14:13:15 freevo kernel: Inbound IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325


I have my firewall set to let outbound traffic through by default and deny inbound traffic by default. This message should be outbound as my server IP is 192.168.0.50. What is causing this to be blocked and is there a way to let this through?

Thanks
 
Old 02-23-2007, 04:22 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
239.255.255.250 is a class D / multicast address.

Port 1900 appears to be Universal Plug N Play.

Is it possible firestarter is smart enough to block this type of udp traffic? We'll find it if you can post the results of:
Code:
# iptables -nvL
Please put it in code tags so that it's readable.
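Added example, not code from the thread: a small Python parser for netfilter LOG lines of the kind posted above. It labels the looped-back SSDP multicast (the host's own datagram to 239.255.255.250:1900 re-entering the INPUT chain on eth0, which is why the "Inbound" prefix appears with the server's own source address) and emits an accept rule scoped to just that flow. The host address 192.168.0.50 comes from the thread; the second sample log line and the 203.0.113.9 address are constructed.

```python
import ipaddress
import re

# Constructed sample: the line from the original post, plus a contrasting line (203.0.113.9 is a documentation address)
SAMPLE_LOG = """\
Feb 23 14:13:15 freevo kernel: Inbound IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325
Feb 23 14:20:01 freevo kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.0.50 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
"""
LOCAL_ADDRS = {"192.168.0.50"}  # the server's own address, as stated in the thread
SSDP_PORT = "1900"              # UPnP/SSDP discovery port from the logged packet
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Split a netfilter LOG line into its prefix and KEY=VALUE fields (None if not one)."""
    m = re.search(r"kernel: (.*?)\s*IN=", line)
    if not m:
        return None
    rec = {"prefix": m.group(1).strip()}
    for key, val in FIELD_RE.findall(line[m.start(1):]):
        rec.setdefault(key, val)  # IP and UDP headers both emit LEN=; keep the first (IP length)
    return rec


def classify(rec, local_addrs=LOCAL_ADDRS):
    """Label a logged packet; the first case is firewall noise, not an intrusion attempt."""
    dst = ipaddress.ip_address(rec["DST"])
    if dst.is_multicast and rec["SRC"] in local_addrs:
        # Multicast the host itself sends is looped back on the same interface, so INPUT
        # sees IN=eth0 with the host's own SRC and the LSI chain logs it as 'Inbound'.
        what = "SSDP/UPnP discovery" if rec.get("DPT") == SSDP_PORT else "multicast"
        return "local-multicast-loopback", f"own {what} datagram re-entering INPUT"
    if dst.is_multicast:
        return "lan-multicast", f"multicast from {rec['SRC']} to group {rec['DST']}"
    return "unsolicited-inbound", f"{rec['PROTO']} from {rec['SRC']} to local port {rec.get('DPT')}"


def narrow_accept_rule(rec):
    """Accept exactly the logged flow, narrower than allowing everything from the host's own IP."""
    return (f"iptables -I INPUT -i {rec['IN']} -p {rec['PROTO'].lower()} -s {rec['SRC']} "
            f"-d {rec['DST']} --dport {rec['DPT']} -j ACCEPT")


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_netfilter_line(line)
        cat, why = classify(rec)
        print(f"{cat:24} {rec['SRC']} -> {rec['DST']}:{rec.get('DPT')}  {why}")
        if cat == "local-multicast-loopback":
            print("  narrow fix:", narrow_accept_rule(rec))  # Firestarter may overwrite it on restart
```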
 
Old 02-23-2007, 04:35 PM   #3
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
Here is the information you requested.

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0           tcp flags:!0x17/0x02
 4679 1442K ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0
 2319 7620K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
 5252  549K INBOUND    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.50         192.168.0.1         tcp dpt:53
  229 13886 ACCEPT     udp  --  *      *       192.168.0.50         192.168.0.1         udp dpt:53
 2319 7620K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 6456 2734K OUTBOUND   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4622  471K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  455 34580 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       155.98.17.38         0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.17.38         0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.17.38         0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.17.38         0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpts:137:139
   23  4425 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:445
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0           udp dpt:80
    5   220 ACCEPT     tcp  --  *      *       70.192.0.0/15        0.0.0.0/0           tcp dpt:9201
    0     0 ACCEPT     udp  --  *      *       70.192.0.0/15        0.0.0.0/0           udp dpt:9201
    0     0 ACCEPT     tcp  --  *      *       155.98.80.0/22       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.80.0/22       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.80.0/22       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.80.0/22       0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       155.98.17.0/24       0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       155.98.17.0/24       0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       155.98.17.0/24       0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       155.98.17.0/24       0.0.0.0/0           udp dpt:80
   42  2016 ACCEPT     tcp  --  *      *       67.182.211.67        0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       67.182.211.67        0.0.0.0/0           udp dpt:80
    3   188 ACCEPT     tcp  --  *      *       67.182.211.67        0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       67.182.211.67        0.0.0.0/0           udp dpt:22
  102 35639 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOG_FILTER (5 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LSI (2 references)
 pkts bytes target     prot opt in     out     source               destination
  102 35639 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
   64 20452 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
  102 35639 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LSO (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 5872 2663K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  213 16188 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  371 54163 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Last edited by Rekna; 02-23-2007 at 11:31 PM.
 
Old 02-23-2007, 11:08 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Code tags - not quote tags. Code tags make the columns line up nicely.

Anyway, the short answer is we can insert an iptables rule in the OUTPUT chain to explicitly allow outbound udp to that port. Is this what you want?

Another consideration is whether firestarter will clobber our new rule as soon as you restart it. I don't use/know firestarter - is there a facility to add your own rules with it?
 
Old 02-23-2007, 11:31 PM   #5
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
Sorry, I misread what you said.
 
Old 02-24-2007, 10:18 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I was hoping to get some more info from you (like answers to the two questions I asked).

For now let's say you want to allow that outbound traffic for that particular udp port. Here's a rather sloppy way to do that.
Code:
# iptables -I OUTPUT 3 -p udp -s 192.168.0.50 --dport 1900 -j ACCEPT
Note that I'm not advising that you do that. And I'll reiterate that firestarter will probably clobber the rule after you restart it. So if you want this to remain in place permanently, you'll have to find a way to add it through firestarter.
 
Old 02-27-2007, 06:03 PM   #7
Rekna
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
Sorry about missing those questions.

I don't believe I can add lines directly into the firestarter configuration, unfortunately. However, after playing with the rules and watching the lines, I found that if I added 192.168.0.50 to the inbound allow-from servers then this blocking no longer appears.
 