LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-01-2003, 05:08 AM   #1
mccomber
LQ Newbie
 
Registered: Aug 2003
Distribution: Debian
Posts: 6

Rep: Reputation: 0
Unhappy Iptables letting packets through?


Hi,

I'm running iptables on an Alpha (Debian Woody is the distro). The
version is 1.2.6a. I'm not sure if my setup is working. There are
several spammers I want to block who keep trying to send email to non-existent users on my server.

I have them dropped in my iptables active ruleset. When I run netstat they no longer have a state of ESTABLISHED but the repeatedly show up with SYN_SENT. Now I know this is the initiation of a tcp negotiation with a server that is going unanswered (hence the drop rules), however, when looking at my traffic (using ntop) there is a considerable amount of sent/received bytes (kilobytes actually) per hour. Some occassionally make it into the megabyte range.

Is this what "dropping" with iptables means? Why is there
sent/received and not just received? Below is my iptables ruleset:

# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*nat
:PREROUTING ACCEPT [21509:2476669]
:POSTROUTING ACCEPT [3392:215481]
:OUTPUT ACCEPT [3392:215481]
COMMIT
# Completed on Sun May 4 02:03:42 2003
# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*mangle
:PREROUTING ACCEPT [435:45901]
:OUTPUT ACCEPT [296:127722]
COMMIT
# Completed on Sun May 4 02:03:42 2003
# Generated by iptables-save v1.2.6a on Sun May 4 02:03:42 2003
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]

####
#### block spammers BEGIN
####

-A INPUT -s 64.74.96.130 -j DROP
-A INPUT -s 205.252.1.100 -j DROP
-A INPUT -s 209.167.139.132 -j DROP
-A INPUT -s 209.167.139.133 -j DROP
-A INPUT -s 209.167.139.134 -j DROP
-A INPUT -s 209.167.139.135 -j DROP
-A INPUT -s 69.0.219.175 -j DROP
-A INPUT -s 69.0.219.177 -j DROP
-A INPUT -s 216.93.160.3 -j DROP
-A INPUT -s 216.93.177.176 -j DROP
-A INPUT -s 216.93.177.54 -j DROP
-A INPUT -s 66.54.199.75 -j DROP
-A INPUT -s 162.42.208.238 -j DROP
-A INPUT -s 66.129.123.134 -j DROP
-A INPUT -s 66.129.123.136 -j DROP
-A INPUT -s 66.129.123.141 -j DROP
-A INPUT -s 64.247.31.88 -j DROP
-A INPUT -s 65.57.110.53 -j DROP
-A INPUT -s 65.61.155.201 -j DROP
-A INPUT -s 65.61.161.57 -j DROP
-A INPUT -s 216.93.177.176 -j DROP
-A INPUT -s 216.31.141.158 -j DROP
-A INPUT -s 66.227.96.27 -j DROP
-A INPUT -s 194.216.113.221 -j DROP
-A INPUT -s 216.12.210.210 -j DROP
-A INPUT -s 12.42.86.2 -j DROP

####
#### block spammers END
####

# Permit packets in to firewall itself that are part of existing and
related connections
-A INPUT -m state -i eth0 --state ESTABLISHED -j ACCEPT
# Allow all inputs to firewall from the local network
-A INPUT -i lo -j ACCEPT
# Deny spoofing from public eth0
-A INPUT -s myrealiphere/32 -i eth0 -j DROP
# Deny spoofing from public eth0 as local
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP

# Accept tcp packets for SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Accept tcp packets for SMTP TLS
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# Accept tcp packets for HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Accept tcp packets for HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept tcp packets for SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Accept tcp packets for FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Accept tcp packets for IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Accept tcp packets for IMAP-SSL
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# Accept tcp packets for POP
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Accept tcp packets for POP-SSL
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Accept tcp packets for NTOP
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# Accept tcp packets for MYSQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Accept tcp packets for JABBER
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
# Accept tcp packets for JABBER-SSL
-A INPUT -p tcp -m tcp --dport 5223 -j ACCEPT
# Accept tcp packets for JABBER-ILE
-A INPUT -p tcp -m tcp --dport 31515 -j ACCEPT
# Webmin!
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

COMMIT
# Completed on Sun May 4 02:03:42 2003


Where is says myrealiphere I do in fact have my ip address. I just
changed it for this post. I thought there might be bugs in iptables
1.2.6a but I can't upgrade to 1.2.8 via apt-get or from source as the kernel I am using is actually from a RedHat distro (it works well with my DAC960 raid controller) and this is a production box that I don't want to take offline to do a custom kernel.

Thanks for any help,
Doug
 
Old 08-01-2003, 08:49 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
a better way is to use spamassasin or rblsmtpd
 
Old 08-01-2003, 10:34 AM   #3
mccomber
LQ Newbie
 
Registered: Aug 2003
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your reply. I'm not looking to block spam itself. Rather I'm trying to stop bandwidth usage. These spammers were sending email to a couple of accounts that had requested the spam (safelist). Suspended the two accounts as they were receiving over 16000 emails a day! So now the two accounts haven't existed on my server for over a week yet the spammers keep trying to send them email. My smtp server rejects the email as there is no account to deliver them to. And since setting up iptables to drop the packets from these spammers my smtp server is no longer "bothered" by them, but still "traffic" is being generated both send and receive. It's my understanding that when you use DROP with iptables that the packets "bounce off" like a ball thrown against a brick wall.

Thanks,
Doug
 
Old 08-01-2003, 01:37 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
If you want to plug the hole, you first have got to know what kind of traffic is generated. Adding a LOG target rule for inbound and outbound/related TCP/25 traffic will help.
 
Old 08-01-2003, 10:20 PM   #5
mccomber
LQ Newbie
 
Registered: Aug 2003
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your help.

kern.log has several entries like so:

Aug 1 22:32:24 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52688 WINDOW=5792 RES=0x00 ACK SYN URGP=0

The entries are all like the one above and are only a couple seconds appart with the only differences being src ips and dst ports.

messages log is nearly identical:

Aug 1 22:27:30 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52674 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug 1 22:27:32 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.54 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=58785 DF PROTO=TCP SPT=36628 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 1 22:27:33 digital kernel: IN=eth0 OUT= MAC=00:50:ba:bc:b3:b3:00:03:32:f0:ec:00:08:00 SRC=216.93.177.176 DST=myiphere LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=TCP SPT=25 DPT=52630 WINDOW=5792 RES=0x00 ACK SYN URGP=0

Sometimes an entry contains SYN and sometimes ACK SYN.

This to me looks like iptables is blocking but checking with ntop just today shows one of the "blocked" ip addresses as having sent 1.7mb and received 958kb. I don't get it? With the number of users on my system 1 average days worth of traffice is usually only 10mb or so. Today it was 77mb.

Thanks,
Doug
 
Old 08-02-2003, 01:03 PM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
DROP will actually not bounce back any traffic. It will quietly discard the traffic.

If these are valid mailing-lists, though high-volume ones, you can send a mail to the mailing-list owner to stop sending messages. This way, there won't be any traffic from these servers and your filters won't be overworked.
 
Old 08-02-2003, 08:03 PM   #7
mccomber
LQ Newbie
 
Registered: Aug 2003
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your reply,

Yes, bounce was a poor choice of words. But my question is, if DROP discards the traffic then how much received data would be normal (if any) from a typical discarded smtp syn packet? And, same question for sent data.

Thanks,
Doug
 
Old 08-03-2003, 04:38 AM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Well, I am not sure about the statistics, but any unnecessary traffic sapping up your bandwidth is bad.
 
Old 08-03-2003, 05:28 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Both IP's you've shown are from ServePath LCC, which seems to be marked as a spam-friendly ISP.

I'm not looking to block spam itself. Rather I'm trying to stop bandwidth usage.
Wrt this case the two are inseparable. You'll want to check if you're an open relay, restrict access to your SMTP serviceby firewall or MTA and/or add RBL/Razor/Spamassassin to the MTA's configuration.
 
Old 08-05-2003, 08:13 AM   #10
mccomber
LQ Newbie
 
Registered: Aug 2003
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: 0
Yes, and servepath has ignored my emails to them. I'm not an open relay. I made sure of that a long time ago! Spamassissin is great, except it won't stop unwanted smtp connections for eating up bandwidth. Whether the mail gets through or not it seems that thousands of syn_sent packets does eat bandwidth regardless of DROPping them with iptables.

Thanks for all your help everyone. I'll keep plugging away at this and let you know if I find a solution.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTABLES: letting NFS poke through! zepplin611 Linux - Security 3 03-26-2005 11:23 PM
iptables letting sendmail work zepplin611 Linux - Security 12 07-19-2004 11:30 AM
iptables won't let packets in - check please? Simon Bridge Linux - Security 3 01-26-2004 02:49 PM
iptables won't let packets in - check please? Simon Bridge Linux - Security 1 01-23-2004 10:26 PM
iptables (Fragmented packets) qwijibow Linux - Security 2 09-02-2003 07:40 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:50 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration