Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
08-01-2003, 05:08 AM
|
#1
|
LQ Newbie
Registered: Aug 2003
Distribution: Debian
Posts: 6
Rep:
|
Iptables letting packets through?
Hi,
I'm running iptables on an Alpha (Debian Woody is the distro). The
version is 1.2.6a. I'm not sure if my setup is working. There are
several spammers I want to block who keep trying to send email to non-existent users on my server.
I have them dropped in my iptables active ruleset. When I run netstat they no longer have a state of ESTABLISHED but the repeatedly show up with SYN_SENT. Now I know this is the initiation of a tcp negotiation with a server that is going unanswered (hence the drop rules), however, when looking at my traffic (using ntop) there is a considerable amount of sent/received bytes (kilobytes actually) per hour. Some occassionally make it into the megabyte range.
Is this what "dropping" with iptables means? Why is there
sent/received and not just received? Below is my iptables ruleset:
# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*nat
:PREROUTING ACCEPT [21509:2476669]
:POSTROUTING ACCEPT [3392:215481]
:OUTPUT ACCEPT [3392:215481]
COMMIT
# Completed on Sun May 4 02:03:42 2003
# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*mangle
:PREROUTING ACCEPT [435:45901]
:OUTPUT ACCEPT [296:127722]
COMMIT
# Completed on Sun May 4 02:03:42 2003
# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
####
#### block spammers BEGIN
####
-A INPUT -s 64.74.96.130 -j DROP
-A INPUT -s 205.252.1.100 -j DROP
-A INPUT -s 209.167.139.132 -j DROP
-A INPUT -s 209.167.139.133 -j DROP
-A INPUT -s 209.167.139.134 -j DROP
-A INPUT -s 209.167.139.135 -j DROP
-A INPUT -s 69.0.219.175 -j DROP
-A INPUT -s 69.0.219.177 -j DROP
-A INPUT -s 216.93.160.3 -j DROP
-A INPUT -s 216.93.177.176 -j DROP
-A INPUT -s 216.93.177.54 -j DROP
-A INPUT -s 66.54.199.75 -j DROP
-A INPUT -s 162.42.208.238 -j DROP
-A INPUT -s 66.129.123.134 -j DROP
-A INPUT -s 66.129.123.136 -j DROP
-A INPUT -s 66.129.123.141 -j DROP
-A INPUT -s 64.247.31.88 -j DROP
-A INPUT -s 65.57.110.53 -j DROP
-A INPUT -s 65.61.155.201 -j DROP
-A INPUT -s 65.61.161.57 -j DROP
-A INPUT -s 216.93.177.176 -j DROP
-A INPUT -s 216.31.141.158 -j DROP
-A INPUT -s 66.227.96.27 -j DROP
-A INPUT -s 194.216.113.221 -j DROP
-A INPUT -s 216.12.210.210 -j DROP
-A INPUT -s 12.42.86.2 -j DROP
####
#### block spammers END
####
# Permit packets in to firewall itself that are part of existing and
related connections
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
# Allow all inputs to firewall from the local network
-A INPUT -i lo -j ACCEPT
# Deny spoofing from public eth0
-A INPUT -s myrealiphere/32 -i eth0 -j DROP
# Deny spoofing from public eth0 as local
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
# Accept tcp packets for SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Accept tcp packets for SMTP TLS
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# Accept tcp packets for HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Accept tcp packets for HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept tcp packets for SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Accept tcp packets for FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Accept tcp packets for IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Accept tcp packets for IMAP-SSL
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# Accept tcp packets for POP
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Accept tcp packets for POP-SSL
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Accept tcp packets for NTOP
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# Accept tcp packets for MYSQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Accept tcp packets for JABBER
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
# Accept tcp packets for JABBER-SSL
-A INPUT -p tcp -m tcp --dport 5223 -j ACCEPT
# Accept tcp packets for JABBER-ILE
-A INPUT -p tcp -m tcp --dport 31515 -j ACCEPT
# Webmin!
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT
# Completed on Sun May 4 02:03:42 2003
Where is says myrealiphere I do in fact have my ip address. I just
changed it for this post. I thought there might be bugs in iptables
1.2.6a but I can't upgrade to 1.2.8 via apt-get or from source as the kernel I am using is actually from a RedHat distro (it works well with my DAC960 raid controller) and this is a production box that I don't want to take offline to do a custom kernel.
Thanks for any help,
Doug
|
|
|
08-01-2003, 08:49 AM
|
#2
|
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791
Rep:
|
a better way is to use spamassasin or rblsmtpd
|
|
|
08-01-2003, 10:34 AM
|
#3
|
LQ Newbie
Registered: Aug 2003
Distribution: Debian
Posts: 6
Original Poster
Rep:
|
Thanks for your reply. I'm not looking to block spam itself. Rather I'm trying to stop bandwidth usage. These spammers were sending email to a couple of accounts that had requested the spam (safelist). Suspended the two accounts as they were receiving over 16000 emails a day! So now the two accounts haven't existed on my server for over a week yet the spammers keep trying to send them email. My smtp server rejects the email as there is no account to deliver them to. And since setting up iptables to drop the packets from these spammers my smtp server is no longer "bothered" by them, but still "traffic" is being generated both send and receive. It's my understanding that when you use DROP with iptables that the packets "bounce off" like a ball thrown against a brick wall.
Thanks,
Doug
|
|
|
08-01-2003, 01:37 PM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
If you want to plug the hole, you first have got to know what kind of traffic is generated. Adding a LOG target rule for inbound and outbound/related TCP/25 traffic will help.
|
|
|
08-01-2003, 10:20 PM
|
#5
|
LQ Newbie
Registered: Aug 2003
Distribution: Debian
Posts: 6
Original Poster
Rep:
|
Thanks for your help.
kern.log has several entries like so:
Aug 1 22:32:24 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52688 WINDOW=5792 RES=0x00 ACK SYN URGP=0
The entries are all like the one above and are only a couple seconds appart with the only differences being src ips and dst ports.
messages log is nearly identical:
Aug 1 22:27:30 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52674 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug 1 22:27:32 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.54 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=58785 DF PROTO=TCP SPT=36628 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 1 22:27:33 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52630 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Sometimes an entry contains SYN and sometimes ACK SYN.
This to me looks like iptables is blocking but checking with ntop just today shows one of the "blocked" ip addresses as having sent 1.7mb and received 958kb. I don't get it? With the number of users on my system 1 average days worth of traffice is usually only 10mb or so. Today it was 77mb.
Thanks,
Doug
|
|
|
08-02-2003, 01:03 PM
|
#6
|
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791
Rep:
|
DROP will actually not bounce back any traffic. It will quietly discard the traffic.
If these are valid mailing-lists, though high-volume ones, you can send a mail to the mailing-list owner to stop sending messages. This way, there won't be any traffic from these servers and your filters won't be overworked.
|
|
|
08-02-2003, 08:03 PM
|
#7
|
LQ Newbie
Registered: Aug 2003
Distribution: Debian
Posts: 6
Original Poster
Rep:
|
Thanks for your reply,
Yes, bounce was a poor choice of words. But my question is, if DROP discards the traffic then how much received data would be normal (if any) from a typical discarded smtp syn packet? And, same question for sent data.
Thanks,
Doug
|
|
|
08-03-2003, 04:38 AM
|
#8
|
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791
Rep:
|
Well, I am not sure about the statistics, but any unnecessary traffic sapping up your bandwidth is bad.
|
|
|
08-03-2003, 05:28 PM
|
#9
|
Moderator
Registered: May 2001
Posts: 29,415
|
Both IP's you've shown are from ServePath LCC, which seems to be marked as a spam-friendly ISP.
I'm not looking to block spam itself. Rather I'm trying to stop bandwidth usage.
Wrt this case the two are inseparable. You'll want to check if you're an open relay, restrict access to your SMTP serviceby firewall or MTA and/or add RBL/Razor/Spamassassin to the MTA's configuration.
|
|
|
08-05-2003, 08:13 AM
|
#10
|
LQ Newbie
Registered: Aug 2003
Distribution: Debian
Posts: 6
Original Poster
Rep:
|
Yes, and servepath has ignored my emails to them. I'm not an open relay. I made sure of that a long time ago! Spamassissin is great, except it won't stop unwanted smtp connections for eating up bandwidth. Whether the mail gets through or not it seems that thousands of syn_sent packets does eat bandwidth regardless of DROPping them with iptables.
Thanks for all your help everyone. I'll keep plugging away at this and let you know if I find a solution.
|
|
|
All times are GMT -5. The time now is 08:50 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|