Linux - Security
Firewall blocking

#1 - 02-23-2007, 04:29 PM - Member (Registered: Mar 2004, Posts: 33)
Hi,
I'm using firestarter to configure iptables and I'm getting messages similar to the following in my logs.
Feb 23 14:13:15 freevo kernel: Inbound IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325
I have my firewall set to let outbound traffic through by default and deny inbound traffic by default. This message should be outbound, as my server IP is 192.168.0.50. What is causing this to be blocked, and is there a way to let this through?
Thanks
#2 - 02-23-2007, 05:22 PM - Senior Member (Registered: Nov 2004, Location: Texas, Distribution: RHEL, Scientific Linux, Debian, Fedora, Posts: 3,935)
239.255.255.250 is a class D / multicast address.
Port 1900 appears to be Universal Plug N Play.
Is it possible firestarter is smart enough to block this type of udp traffic? We'll find it if you can post the results of:
Please put it in code tags so that it's readable.
#3 - 02-23-2007, 05:35 PM - Original Poster
Here is the information you requested.
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
4679 1442K ACCEPT udp -- * * 192.168.0.1 0.0.0.0/0
2319 7620K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
5252 549K INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.50 192.168.0.1 tcp dpt:53
229 13886 ACCEPT udp -- * * 192.168.0.50 192.168.0.1 udp dpt:53
2319 7620K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
6456 2734K OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (1 references)
pkts bytes target prot opt in out source destination
4622 471K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
455 34580 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 155.98.17.38 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 155.98.17.38 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 155.98.17.38 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 155.98.17.38 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpts:137:139
23 4425 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:445
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:80
5 220 ACCEPT tcp -- * * 70.192.0.0/15 0.0.0.0/0 tcp dpt:9201
0 0 ACCEPT udp -- * * 70.192.0.0/15 0.0.0.0/0 udp dpt:9201
0 0 ACCEPT tcp -- * * 155.98.80.0/22 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 155.98.80.0/22 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 155.98.80.0/22 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 155.98.80.0/22 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 155.98.17.0/24 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 155.98.17.0/24 0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- * * 155.98.17.0/24 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 155.98.17.0/24 0.0.0.0/0 udp dpt:80
42 2016 ACCEPT tcp -- * * 67.182.211.67 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 67.182.211.67 0.0.0.0/0 udp dpt:80
3 188 ACCEPT tcp -- * * 67.182.211.67 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 67.182.211.67 0.0.0.0/0 udp dpt:22
102 35639 LSI all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination
Chain LSI (2 references)
pkts bytes target prot opt in out source destination
102 35639 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
64 20452 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
102 35639 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5872 2663K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
213 16188 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
371 54163 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Last edited by Rekna; 02-24-2007 at 12:31 AM.
#4 - 02-24-2007, 12:08 AM - Senior Member (Registered: Nov 2004, Location: Texas, Distribution: RHEL, Scientific Linux, Debian, Fedora, Posts: 3,935)
Code tags - not quote tags. Code tags make the columns line up nicely.
Anyway, the short answer is we can insert an iptables rule in the OUTPUT chain to explicitly allow outbound udp to that port. Is this what you want?
Another consideration is whether firestarter will clobber our new rule as soon as you restart it. I don't use/know firestarter - is there a facility to add your own rules with it?
#5 - 02-24-2007, 12:31 AM - Original Poster
Sorry, I misread what you said.
#6 - 02-24-2007, 11:18 PM - Senior Member (Registered: Nov 2004, Location: Texas, Distribution: RHEL, Scientific Linux, Debian, Fedora, Posts: 3,935)
I was hoping to get some more info from you (like answers to the two questions I asked).
For now let's say you want to allow that outbound traffic for that particular udp port. Here's a rather sloppy way to do that.
Code:
# iptables -I OUTPUT 3 -p udp -s 192.168.0.50 --dport 1900 -j ACCEPT
Note that I'm not advising that you do that. And I'll reiterate that firestarter will probably clobber the rule after you restart it. So if you want this to remain in place permanently, you'll have to find a way to add it through firestarter.
#7 - 02-27-2007, 07:03 PM - Original Poster
Sorry about missing those questions.
I don't believe I can add lines directly into the firestarter configuration, unfortunately. However, after playing with the rules and watching the lines, I found that if I added 192.168.0.50 to the inbound allow-from servers then this blocking no longer appears.
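An added example, not code from the thread, from Firestarter or from any poster: a small Python script that parses kernel iptables LOG lines like the one in post #1 and states why each packet was logged. It shows the mechanism behind the puzzle in posts #1 and #7: the kernel hands a copy of locally generated multicast back to local group members, and that copy re-enters on the egress interface without a link-layer header, so it traverses the INPUT chain with IN=eth0, SRC set to the host's own address and an empty MAC= field. The ruleset in post #3 confirms where it dies: the OUTPUT policy has dropped nothing, LSO has zero references and OUTBOUND ends in an ACCEPT-all rule, so the OUTPUT rule from post #6 would change nothing; the drop happens in INPUT -> INBOUND -> LSI. The local address set and interface name are taken from the thread as assumptions; the second and third sample log lines, and the helper names, are invented here for illustration.

```python
"""Classify kernel iptables LOG lines (Firestarter's "Inbound" prefix) and
propose a narrow allow rule for the one flow that actually matters.

Added example, not code from the thread or from Firestarter. The sample
log lines are constructed: the first is the line quoted in post #1, the
other two are invented here for contrast. The local address set and the
interface name are assumptions taken from the thread.
"""
import ipaddress

# Assumed from post #1: the server's own address(es).
LOCAL_ADDRS = {ipaddress.ip_address("192.168.0.50")}
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = "1900"

# Constructed sample log. Line 1 is the OP's line; lines 2 and 3 are made up:
# an SSDP announcement that really arrived from another LAN host (note the
# populated MAC= field) and an unsolicited SSH SYN from outside.
SAMPLE_LOG = """\
Feb 23 14:13:15 freevo kernel: Inbound IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325
Feb 23 14:13:20 freevo kernel: Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:11:22:33:44:55:08:00 SRC=192.168.0.7 DST=239.255.255.250 LEN=345 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=325
Feb 23 14:13:25 freevo kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=192.168.0.50 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Split one kernel LOG line into a dict.

    KEY=VALUE tokens become entries; bare flags (DF, SYN, ...) map to True.
    The LOG target prints LEN twice (IP total length, then UDP/TCP length),
    so the second one is stored as L4_LEN instead of overwriting the first.
    """
    body = line.split("kernel: ", 1)[1]
    prefix, _, rest = body.partition("IN=")
    fields = {"PREFIX": prefix.strip()}
    for tok in ("IN=" + rest).split():
        key, sep, value = tok.partition("=")
        if not sep:
            fields[key] = True          # bare flag such as DF or SYN
        elif key == "LEN" and "LEN" in fields:
            fields["L4_LEN"] = value    # second LEN= is the transport length
        else:
            fields[key] = value
    return fields


def classify(fields, local_addrs=LOCAL_ADDRS):
    """Explain why an INPUT-chain log line exists.

    A locally generated multicast datagram is looped back by the kernel to
    local group members; that copy re-enters on the egress interface with
    no link-layer header, so it shows SRC=<own address>, IN=<egress if> and
    an empty MAC=. Any other multicast was sent by another host.
    """
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if dst.is_multicast and src in local_addrs and fields.get("MAC") == "":
        return "looped-back local multicast"
    if dst.is_multicast:
        return "multicast from another host"
    if dst in local_addrs:
        return "unicast to this host"
    return "other"


def is_ssdp(fields):
    """True for UDP to the SSDP group 239.255.255.250 on port 1900."""
    return (fields.get("PROTO") == "UDP"
            and ipaddress.ip_address(fields["DST"]) == SSDP_GROUP
            and fields.get("DPT") == SSDP_PORT)


def narrow_rule(fields):
    """Least-privilege iptables rule admitting exactly this one flow.

    Contrast with the thread's final fix, which amounts to
    'iptables -I INPUT -s 192.168.0.50 -j ACCEPT' and admits every protocol
    and port from that source. Position 1 puts it ahead of Firestarter's
    INBOUND jump; Firestarter regenerates its chains on restart, so a
    hand-added rule does not persist (post #6).
    """
    return ("iptables -I INPUT 1 -i {IN} -p {proto} -d {DST} --dport {DPT} -j ACCEPT"
            .format(IN=fields["IN"], proto=fields["PROTO"].lower(),
                    DST=fields["DST"], DPT=fields["DPT"]))


def analyse(log_text, local_addrs=LOCAL_ADDRS):
    """Return [(verdict, suggested rule or None)] for each LOG line."""
    out = []
    for line in log_text.splitlines():
        if " kernel: " not in line or "IN=" not in line:
            continue                    # not an iptables LOG line
        f = parse_log_line(line)
        verdict = classify(f, local_addrs)
        rule = narrow_rule(f) if verdict == "looped-back local multicast" else None
        out.append((verdict, rule))
    return out


if __name__ == "__main__":
    for verdict, rule in analyse(SAMPLE_LOG):
        print(verdict, "->", rule or "leave dropped")
```

The script keys the verdict on the combination that only a looped-back copy produces (multicast destination, own source address, empty MAC= field); a genuine SSDP announcement from another LAN host carries a link-layer header and is classified separately. The suggested rule admits only UDP to 239.255.255.250 port 1900 on eth0, which is all the logged flow needs, whereas allowing everything from 192.168.0.50 inbound grants far more than that one flow. If no process on the host listens for its own SSDP announcements, the dropped copy costs nothing but log noise, and Firestarter's LSI chain already rate-limits that logging.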