LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-13-2003, 08:48 AM   #1
Klaus Pforte
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Rep: Reputation: 0
iptables: block ports and RELATED, ESTABLISHED


Hi,

I have iptables 1.2.5 and the following problem.

I want to block some special ports, but I want to allow most RELATED and ESTABLISHED traffic.

I did:

...
$IPTABLES -t filter -A INPUT -p tcp -m multiport --dport 161,162,7100,8080,3128,1080,2049,4045,31337 -j DROP
$IPTABLES -t filter -A INPUT -p udp -m multiport --dport 161,162,7100,8080,3128,1080,2049,4045,31337 -j DROP

$IPTABLES -t filter -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -t filter -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP
...

Everything works fine, but my Snort reports some traffic on port 1080 and 8080 and some others from the above.
Why they don't closed? I tried reverse:

$IPTABLES -t filter -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -t filter -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -m state --state INVALID -j DROP

$IPTABLES -t filter -A INPUT -p tcp -m multiport --dport 161,162,7100,8080,3128,1080,2049,4045,31337 -j DROP
$IPTABLES -t filter -A INPUT -p udp -m multiport --dport 161,162,7100,8080,3128,1080,2049,4045,31337 -j DROP


But no effect.
Maybe it's very easy to solve, I'm new with firewalling and iptables.

Thanks for help,
Greetings from Black Forrest, Germany,
Klaus
 
Old 07-14-2003, 06:15 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
IMO the best way to learn it yourself, after reading the iptables tutorial (see 1st sticky thread in this forum, post #2 or ffwd to http://iptables-tutorial.frozentux.n...-tutorial.html), would be to add LOG target rules just before the target decision, something like

for dport in 161 162 1080 2049 3128 4045 31337 7100 8080; do
$IPTABLES -A INPUT -p tcp --syn -m state --state NEW --dport $dport -j LOG --log-prefix "SYN on port $dport"; done

before

$IPTABLES -t filter -A INPUT -p tcp -m multiport --dport 161,162,7100,8080,3128,1080,2049,4045,31337 -j DROP

That way you can see what goes on.
This example would trigger attempts setting up a new connection (TCP SYN flag set) to those destination ports.
Btw, post some of those Snort alerts if you can.
 
Old 07-14-2003, 12:40 PM   #3
Klaus Pforte
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks a lot, unSpawn.

I will try the logging thing, good idea.
The tutorial (the best one I know) i read very carefully. But I found no solution for that.

The problem occurs mostly on the ports 1080 and 8080 and I don't know the state of these connections. With the logging I will find it.

Before this here are two of the snort-logs:

[**] [1:620:3] SCAN Proxy (8080) attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/14-03:21:56.130771 38.112.199.137:5625 -> 217.160.95.177:8080
TCP TTL:112 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x28376839 Ack: 0x0 Win: 0x4000 TcpLen: 20

[**] [1:615:4] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/14-00:35:46.052020 209.164.40.234:3652 -> 217.160.95.177:1080
TCP TTL:113 TOS:0x0 ID:58795 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7BFC0699 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]


I will post the results from the logging.

Greetings,
Klaus Pforte
 
Old 07-16-2003, 02:03 PM   #4
Klaus Pforte
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
O.K. My mistake.

I found that Snort is sitting IN FRONT of iptables.
So he/she logs all what could be dangerous, but unfiltered from iptables.

Then I wrote filter rules, tested them with iptables-logs and now I'm happy. Nothing comes through.

O.K. nearly nothing.
I work on it.

Greetings,
Klaus
 
Old 07-16-2003, 07:10 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
No, that ain't exactly true. In short Snort hooks in "below" the netfilter part, and so should always see each and every packet before it hits Netfilter. Leaves me kinda wondering what rules you wrote...
 
Old 07-17-2003, 12:01 AM   #6
Klaus Pforte
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by unSpawn
No, that ain't exactly true. In short Snort hooks in "below" the netfilter part, and so should always see each and every packet before it hits Netfilter. Leaves me kinda wondering what rules you wrote...
Why wondering?
Tell me, I want to learn and to know how to make them better.
I'm really new to iptables, read a really lot in the last weeks but my experiences are not so much.

Thanks again,
Klaus
 
Old 07-17-2003, 11:00 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Ah, well. I should have just asked you to post those Snort rules (if they are, if they're Iptables rules I've said nothing).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to use ESTABLISHED,RELATED best? Pastorino Linux - Security 2 08-30-2005 06:21 PM
IPTables and PPTPD :S (to block or not to block) thewonka Linux - Networking 0 03-24-2005 07:58 PM
block m$ related ports using iptables carboncopy Linux - Security 8 01-28-2005 01:30 PM
what is ESTABLISHED, RELATED or NEW gpagedar Linux - Networking 3 10-01-2003 01:29 AM
how to block ports furquan Linux - Security 9 02-21-2002 07:23 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration