LinuxQuestions.org > Linux - Security (this forum is for all security related questions: questions, tips, system compromises, firewalls, etc.)
#1 | 04-03-2007, 12:03 PM | LQ Newbie (Registered: Mar 2007, Posts: 2)
how to block port 135
Hi
My server (fedora 5) is receiving hundreds of scans on port 135 every day. It's normal, I know. That's why I'm trying to drop all packets to/from port 135 with iptables (version 1.3.5). But when I look at the network traffic with iptraf 3.0.0, it still shows packets arriving on port 135.
Can somebody take a look at my iptables config file? As you can see, I tried everything!
Is iptraf catching packets before iptables?
Code:
# Generated by iptables-save v1.3.5 on Fri Mar 30 17:49:54 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16303:6247268]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m multiport --dports 135 -j DROP
-A INPUT -p udp -m multiport --dports 135 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p udp -m udp --dport 135 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -p tcp -m multiport --sports 135 -j DROP
-A OUTPUT -p udp -m multiport --sports 135 -j DROP
-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 135 -j DROP
-A OUTPUT -p udp -m udp --sport 135 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 9081 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m iprange --src-range 444.444.444.444-555.555.555.555 -j ACCEPT
-A RH-Firewall-1-INPUT -s 333.333.333.333 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 30 17:49:54 2007
# OF COURSE THE IP ADDRESSES SHOWN ABOVE WERE CHANGED
Thank you
Marcos
#2 | 04-03-2007, 05:18 PM | Senior Member (Registered: Dec 2005, Location: Massachusetts, USA, Distribution: Ubuntu 10.04 and CentOS 5.5, Posts: 3,873)
These are the iptables rules that Shorewall made for me. This listing came from me entering iptables -L.
Code:
Chain DropSMB (1 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere            udp dpt:135
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere            tcp dpt:135
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
#3 | 04-03-2007, 06:27 PM | Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Your rules look like they should block those packets. I believe the reason you're still seeing them with IPtraf is because it uses raw sockets and looks at network traffic earlier in the network stack, before iptables handles the packets. So they're still getting dropped, you're just peeking at the traffic before it gets dropped. To be sure, do iptables -vnL. Look at the output showing your dport 135 rules and see if the packet and byte counters show anything being blocked. It will look something like this (packet and byte counters are the 1st and 2nd numbers):
Code:
12203 1550K DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
If those rules aren't working for some reason, then those numbers will be zero.
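The counter check suggested in reply #3, as an added worked example that is not part of the thread and not code from any poster: a POSIX shell function that reads `iptables -vnL` output and reports every DROP rule matching destination port 135 together with its packet count, so you can tell "rule exists but never matches" from "rule is dropping the scans". The sniffer question in the first post is answered the same way: iptraf reads from a packet socket, which is fed a copy of every frame at the link layer before the IP stack and netfilter's hooks run, so it will always show the scans; the per-rule counters are kept by netfilter itself and are the authoritative check. The sample listings below are constructed to mimic the layout of `iptables -vnL`, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that DROP rules for port 135
# are actually matching by reading the per-rule packet counters that
# `iptables -vnL` prints, instead of trusting what a sniffer shows.
#
# Live use (as root):   iptables -vnL  | check_port135_counters
# Exact counts:         iptables -vnxL | check_port135_counters
#
# Reads `iptables -vnL` output on stdin. Prints one line per DROP rule whose
# match is destination port 135, as "CHAIN PKTS PROTO MATCH...", and returns
# 0 if at least one of those rules has counted a packet, 1 otherwise.
check_port135_counters() {
    awk '
        /^Chain / { chain = $2; next }   # "Chain INPUT (policy ...)": remember the chain
        $1 == "pkts" { next }            # column header printed under every chain
        NF < 9 { next }                  # blank separator lines between chains
        $3 != "DROP" { next }            # only DROP targets; ACCEPT/REJECT/jumps ignored
        # -vnL prints the port match as "tcp dpt:135", "udp dpt:135" or
        # "multiport dports 135[,...]"; "spt:"/"sports" (source ports) do not count
        /dpt:135( |$)/ || /dports (.*,)?135(,| |$)/ {
            # without -x, -v abbreviates counters as 1550K / 12M / 3G (1000-based)
            n = $1; sub(/[KMG]$/, "", n); n = n + 0
            if ($1 ~ /K$/) n *= 1000
            else if ($1 ~ /M$/) n *= 1000000
            else if ($1 ~ /G$/) n *= 1000000000
            if (n > 0) hits++
            match_text = $10
            for (i = 11; i <= NF; i++) match_text = match_text " " $i
            printf "%s %d %s %s\n", chain, n, $4, match_text
        }
        END { if (hits > 0) exit 0; exit 1 }
    '
}

# Constructed sample (assumption: layout of iptables -vnL on a box with rules
# like the first post's). The two "multiport dports 135" rules sit above the
# two "--dport 135" rules, so the second pair never sees a packet.
SAMPLE_VNL='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12203 1550K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135
   37  2220 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
 9000  540K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16303 packets, 6247268 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:135
'

# Constructed sample of the same chain before any port-135 rule was loaded.
SAMPLE_NO_RULES='Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Demonstration: lists the four DROP rules (two with counts, two at zero) and exits 0
printf '%s\n' "$SAMPLE_VNL" | check_port135_counters
# With no matching DROP rule at all, the function prints nothing and exits 1
if ! printf '%s\n' "$SAMPLE_NO_RULES" | check_port135_counters; then
    echo "no DROP rule for port 135 has matched (or none is loaded)"
fi
```

Two things this makes visible that the listing alone does not. First, the duplicated rules in the first post (a `multiport --dports 135` rule and a plain `--dport 135` rule for each protocol, in both INPUT and OUTPUT) are harmless but only the first of each pair will ever count, so a zero on the second pair is expected, not a sign of failure. Second, the OUTPUT `--sport 135` rules will stay at zero on a host that has nothing listening on 135 and already drops the inbound SYN: there is no reply to block, and `-m state --state RELATED,ESTABLISHED` never admits one either.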
#4 | 04-04-2007, 10:41 AM | LQ Newbie, Original Poster (Registered: Mar 2007, Posts: 2)
Thank you
iptables is working!
iptraf catches packets before iptables.
Thank you.