Hi all,
I have a problem that I'm just about at wits end trying to solve:
Each time I go on the net to browse or to check on my email (I use my ISP's web mail services) - I find that my email list includes mainly MANY (up to 150 - 180 in a few instances) of 'undeliverable' or 'returned' messages - this is becoming a right PITA in having to delete these from my email inbox each time.
NOTE: I don't use any pop3 links as I only download wanted emails via my web browser (Opera 8.5).
I have gone over my iptables/guarddog firewall rules several times to try and eliminate this problem but don't seem to have any success - I have set up the firewall for policy DROP on INPUT,OUTPUT, & FORWARD chains then have selectively opened those ports that I really need to allow connection to the web through my 56K dialup modem.
Hers a copy of my iptables - sorry if it is a bit on the long side but this is what Guarddog has done:
------------------------------------------------------------------------------------
#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
#
http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=1
# LOGDROP=1
# LOGABORTEDTCP=1
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=5
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [UserDefinedProtocol]
# ID=1
# NAME=http-88
# TYPE=TCP
# PORT=88:88
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=3
# NAME=loc
# TYPE=TCP
# PORT=8765:8765
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=4
# NAME=3030
# TYPE=TCP
# PORT=3030:3030
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=8
# NAME=stun
# TYPE=UDP
# PORT=3478:3478
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=2
# NAME=sip
# TYPE=UDP
# PORT=5060:5060
# BIDIRECTIONAL=1
# [UserDefinedProtocol]
# ID=5
# NAME=lisa
# TYPE=TCP
# PORT=7741:7741
# BIDIRECTIONAL=1
# [ServerZone] Internet
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=ftp
# PROTOCOL=domain
# PROTOCOL=https
# PROTOCOL=http
# [ServerZone] Local
# [ClientZone] Internet
# CONNECTED=1
# [End]
# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
################################################################################
###### ipchains ###############
###############################
<snipped for length purposes>
if [ $FILTERSYS -eq 2 ]; then
###############################################################################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Delete any existing chains
iptables -F
iptables -X
iptables -Z
# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr

[[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 5/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 5/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
iptables -N logaborted2
iptables -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N logaborted
iptables -A logaborted -m limit --limit 5/second --limit-burst 10 -j logaborted2
iptables -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
# Allow loopback traffic
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1> $interface
done
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -p tcp ! --syn -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains
# Traffic from 'Internet' to 'Local'
# Rejected traffic from 'Internet' to 'Local'
# Traffic from 'Local' to 'Internet'
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
#iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Rejected traffic from 'Local' to 'Internet'
# Place DROP and log rules at the end of our filter chains
iptables -A f0to1 -p udp -s 0/0 --dport 137 -j logdrop
iptables -A f0to1 -p udp -s 0/0 --dport 138 -j logdrop
iptables -A f0to1 -p udp -s 0/0 --dport 139 -j logdrop
# Deny new tcp connections from remote hosts
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -p tcp -m state --state NEW -j logdrop
# Disable apache port on local host
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --dport 80 -j logdrop
#iptables -A OUTPUT -o ppp0 -p tcp -s 0/0 --dport 80 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop
# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0
if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null
logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
fi;
true
----------------------------------------------------------------------------------
What I'm after is if some kind sould could direct me as to what rule(s) may be concocted to use say my browser's PID or even my 'user' UID as a way of restricting "all" outgoing packets to only be mine and no other 'hidden' user.
I have run Chkrootkit and have Tripwire installed and use it many times but have not been able to find any virus or trojan or rootkit - BUT still feel that somehow my machine is being used as a relay for unwanted emails so would like to see if I can close this gate somehow via my firewall.
Any help would be much appreciated....