06-25-2007, 10:56 PM
#1
Member
Registered: Dec 2006
Posts: 606
Rep:
IpTables Help - Hacked by ISP
Hello all expert Linux administrators, I am truly a noob to Linux iptables.
I was hacked by my ISP, because I realized that my iptables rules have 2 additional rules which accept them.
I have suffered, been disappointed and stressed for a few weeks without Linux. I am afraid to connect to the internet.
My Iptables requirements:
1. Delete the unnecessary rules edited/added by my ISP.
2. Block my ISP's access to my network.
3. Block any incoming connection not requested by me.
4. Block ICMP and DOS.
Below is my latest iptables configuration file, which was edited by my ISP.
Quote:
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.1 0.0.0.0/0 tcp flags:!0x17/0x02
2 ACCEPT udp -- 192.168.1.1 0.0.0.0/0
3 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
5 DROP 0 -- 0.0.0.0/0 255.255.255.255
6 DROP 0 -- 0.0.0.0/0 192.168.1.255
7 DROP 0 -- 255.255.255.255 0.0.0.0/0
8 DROP 0 -- 0.0.0.0/0 0.0.0.0
9 DROP 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
10 LSI 0 -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
11 INBOUND 0 -- 0.0.0.0/0 0.0.0.0/0
12 LOG_FILTER 0 -- 0.0.0.0/0 0.0.0.0/0
13 LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
2 LOG_FILTER 0 -- 0.0.0.0/0 0.0.0.0/0
3 LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.1.2 192.168.1.1 tcp dpt:53
2 ACCEPT udp -- 192.168.1.2 192.168.1.1 udp dpt:53
3 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
4 DROP 0 -- 255.255.255.255 0.0.0.0/0
5 DROP 0 -- 0.0.0.0/0 0.0.0.0
6 DROP 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
7 OUTBOUND 0 -- 0.0.0.0/0 0.0.0.0/0
8 LOG_FILTER 0 -- 0.0.0.0/0 0.0.0.0/0
9 LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
Chain INBOUND (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 LSI 0 -- 0.0.0.0/0 0.0.0.0/0
Chain LOG_FILTER (5 references)
num target prot opt source destination
Chain LSI (2 references)
num target prot opt source destination
1 LOG_FILTER 0 -- 0.0.0.0/0 0.0.0.0/0
2 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
4 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
5 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
6 LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
7 DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
8 LOG 0 -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
9 DROP 0 -- 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
num target prot opt source destination
1 LOG_FILTER 0 -- 0.0.0.0/0 0.0.0.0/0
2 LOG 0 -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
3 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
I hope you all can help me out.
Thanks for your help.
Your help is greatly appreciated by me and others.
06-25-2007, 11:00 PM
#2
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
I realized that the INPUT and OUTPUT chains have had 2 rules added by my ISP, which are:
1 ACCEPT tcp -- 192.168.1.1 0.0.0.0/0 tcp flags:!0x17/0x02
2 ACCEPT udp -- 192.168.1.1 0.0.0.0/0
06-25-2007, 11:04 PM
#3
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
How did your ISP get access to your system in the first place?
Do you run any servers on your computer?
06-25-2007, 11:09 PM
#4
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
I do not have any server. I have no idea how they could access my network.
06-25-2007, 11:24 PM
#5
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
A step-by-step guide and some explanation of how to solve this is required because I am very stupid.
Thanks.
06-25-2007, 11:32 PM
#6
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
I also downloaded arno-iptables.
06-26-2007, 01:41 AM
#7
LQ Newbie
Registered: May 2007
Location: South Dakota
Distribution: Debian Etch (8), XP (1), FreeBSD (1), HP-UX (1)
Posts: 23
Rep:
Are there any other indications your system was compromised? Type last and see who has all logged in properly, and from where.
Those rules may have been added with an update to a basic firewall config with your distribution.
Are you running tripwire to find any filesystem changes? Usually, an extra port will be open that brings the hacker to a suid root shell (no login), or an extra binary in /cgi-bin if running a web server, so more attacks can be launched.
Are all log files intact? /var/log/syslog, /var/log/messages, etc. There should be files there; if not, your machine was probably compromised. Time consuming, but read them.
If you block packets to/from your ISP, it will keep you from connecting to the internet, since you would be blocking all inbound traffic from your ISP router.
What distribution of Linux are you using? Package names and detailed instructions can be given when the distro is known. (RedHat, Debian, etc)
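A baseline comparison for the rule drift this thread opens with (the two ACCEPT rules the original poster found), as an added example not written by any poster: it assumes a known-good dump was saved earlier with iptables-save, and the two dumps below are constructed to mirror the thread's situation.

```shell
#!/bin/sh
# Report iptables rules that differ from a saved baseline (added example, not from the thread).
set -eu

# Strip what changes between runs: "# Generated by"/"# Completed" lines and [packets:bytes] counters.
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/^\[[0-9]*:[0-9]*\] //' "$1" | sort
}

# Lines only in the current dump are printed with "+ ", lines only in the baseline with "- ".
rule_drift() {
    b=$(mktemp); c=$(mktemp)
    normalize "$1" > "$b"
    normalize "$2" > "$c"
    comm -13 "$b" "$c" | sed 's/^/+ /'
    comm -23 "$b" "$c" | sed 's/^/- /'
    rm -f "$b" "$c"
}

# Number of added ("+") or removed ("-") rules, for scripted alerting.
drift_count() {
    rule_drift "$2" "$3" | grep -c "^$1 " || true
}

# Constructed baseline: the ruleset as it looked when it was last reviewed.
BASELINE=$(mktemp); CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT
cat > "$BASELINE" <<'EOF'
# Generated by iptables-save on Mon Jun 25 22:00:00 2007
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
# Constructed current dump: two ACCEPT rules for 192.168.1.1 now precede the stateful rule.
cat > "$CURRENT" <<'EOF'
# Generated by iptables-save on Mon Jun 25 22:56:00 2007
*filter
:INPUT DROP [120:9000]
-A INPUT -s 192.168.1.1 -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.1.1 -p udp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

rule_drift "$BASELINE" "$CURRENT"
```

On a live host, replace the constructed files with the saved baseline and the output of `iptables-save`, and run the check from cron so an unexpected rule shows up the next morning rather than weeks later.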
06-26-2007, 06:46 AM
#8
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
How about a stateful firewall? I have read some articles saying it can block second connections to my network.
How do I install arno-iptables? A step-by-step guide may be required.
Thanks for your help.
Last edited by Peter_APIIT; 06-26-2007 at 06:47 AM .
06-26-2007, 08:07 AM
#9
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
These are my latest iptables rules.
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.1.1 anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP 0 -- anywhere 255.255.255.255
DROP 0 -- anywhere 192.168.1.255
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
INBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.2 192.168.1.1 tcp dpt:domain
ACCEPT udp -- 192.168.1.2 192.168.1.1 udp dpt:domain
ACCEPT 0 -- anywhere anywhere
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
OUTBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI 0 -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP 0 -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
eth0 Link encap:Ethernet HWaddr 00:18:F3:A3:22:BB
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::218:f3ff:fea3:22bb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23 errors:0 dropped:0 overruns:0 frame:0
TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2970 (2.9 KiB) TX bytes:4754 (4.6 KiB)
Interrupt:17 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2871 errors:0 dropped:0 overruns:0 frame:0
TX packets:2871 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18070048 (17.2 MiB) TX bytes:18070048 (17.2 MiB)
Any problem with my settings?
How do I connect my internet messenger? I cannot connect with Pidgin.
Thanks for your help.
Your help is greatly appreciated by me and others.
06-27-2007, 05:19 AM
#10
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
Please help me. Thanks.
06-27-2007, 10:01 AM
#11
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
I would use a more basic IPTables ruleset unless you intend to run servers. I would generally not limit any outbound connections. I would use state-based rules and open no ports. You'd only need to accept established and related inbound packets.
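The state-based ruleset described above, written out as an added example (not code from any poster): inbound traffic is accepted only on loopback or when conntrack classifies it as ESTABLISHED/RELATED, no ports are opened, and output is left unrestricted. Pings are not accepted, which matches the original poster's requirement 4; ICMP errors belonging to existing connections still pass as RELATED.

```shell
#!/bin/sh
# Minimal stateful ruleset for a workstation that runs no servers (added example, not
# from the thread): accept replies to connections this host opened, nothing else.
set -eu

# Emit the ruleset in iptables-restore format so it can be reviewed before loading.
stateful_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host and is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (bad flag combinations, stray ACKs) are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only inbound traffic a client needs: replies to connections it initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# No echo-request rule: pings hit the DROP policy; connection-related ICMP errors are RELATED.
# Log (rate-limited) whatever falls through before the DROP policy discards it.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: " --log-level 6
COMMIT
EOF
}

# Number of rules that open a listening port; for this ruleset it must be zero.
open_port_rules() {
    stateful_rules | grep -c -- '--dport' || true
}

# Number of ACCEPT rules that are neither stateful nor loopback; also must be zero.
unconditional_accepts() {
    stateful_rules | grep -- '-j ACCEPT' | grep -v -e ESTABLISHED -e '-i lo' | grep -c . || true
}

case "${1:-show}" in
    show)  stateful_rules ;;                     # print for review
    apply) stateful_rules | iptables-restore ;;  # needs root; replaces the filter table
esac
```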
06-27-2007, 10:00 PM
#12
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
What are state-based rules? Is it the stateful firewall? Any problem with my iptables rules?
06-28-2007, 12:07 AM
#13
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Rep:
One thing as well, how are you connecting to your ISP?
Is it through a cable, ADSL modem, or dialup?
Plus as someone has already asked, what distro are you using?
The more we know, the better we can help.
06-28-2007, 10:18 PM
#14
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
I connect to my ISP through an ADSL modem. I am using Fedora 7. Thanks for your help.