iptables log understanding help
I have a couple of logs I don't quite understand.
Code:
[21617.117590] netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=192.168.1.254 DST=192.168.1.79 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=7198 PROTO=UDP SPT=1900 DPT=47286 LEN=332
Code:
[21896.728247] netfilter:in dropped: IN=eth1 OUT= MAC= SRC=192.168.1.79 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57621 DPT=57621 LEN=52
Lastly, for a home PC running Ubuntu 12.04 behind a router, should I have iptables rules that allow all local network addresses? Or would this cause a problem because of spoofed/bogus packets (i.e. packets pretending to be local but coming from the internet)? Is there a rule in iptables that could guard against spoofed packets yet allow me to accept the genuine local traffic? Thanks
Thanks for the reply, very enlightening!
Quote:
a DROP rule matching all local addresses (except your router) and the MAC address of your router should do the trick. You would probably have to implement that as two rules; one allowing your router to communicate using its own address, and one dropping any spoofed packets coming from the router.
Code:
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0$
I could change it by scrapping the OUTPUT bit altogether perhaps, and maybe having an accept rule for the INPUT from the router IP higher up in the chain?
Quote:
If the MAC address of 192.168.1.1 is 00:11:22:33:44:55, any Ethernet frame containing a packet originating from the Internet would have that MAC address in the source address field. We should NEVER see a packet from the local network in a frame with that MAC address in the source address field, except for packets coming from the router itself. The rule allowing frames with packets from the router would look something like this:
Code:
iptables -A INPUT -s 192.168.1.1/32 -m mac --mac-source 00:11:22:33:44:55 -m state --state ESTABLISHED,RELATED -j ACCEPT
It will however block any connections initiated by the router itself, including SNMP traps and remote logging, AND any traffic from the Internet to local hosts through forwarded ports, as they match the NEW state. Additional rules would have to be created to allow any such traffic. With this rule in place, a general rule blocking spoofed traffic can be added:
Code:
iptables -A INPUT -s 192.168.1.0/24 -m mac --mac-source 00:11:22:33:44:55 -j DROP
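The two rules in the reply above, put into a complete, ordered INPUT chain as an added example (this is not code from the thread or from any of its posters). It assumes interface eth1, LAN 192.168.1.0/24, and a router at 192.168.1.254 whose MAC is 00:26:44:59:a6:10, the source-MAC half of the MAC= field in the logs posted above; the function name antispoof_rules and the IPT variable are mine. IPT defaults to a dry run that only prints the commands, so the script is safe to run as-is; run it as root with IPT=iptables to apply the rules.

```shell
#!/bin/sh
# Added example (not code from the thread): an ordered INPUT chain that admits
# genuine LAN traffic and drops LAN source addresses delivered by the router's
# MAC. Assumed values: iface eth1, LAN 192.168.1.0/24, router 192.168.1.254
# with MAC 00:26:44:59:a6:10 (from the MAC= field in the posted logs).
# IPT defaults to a dry run that prints commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

antispoof_rules() {
    iface="$1"; lan="$2"; router="$3"; router_mac="$4"

    # 0. Loopback is always local.
    $IPT -A INPUT -i lo -j ACCEPT
    # 1. The router speaking for itself (its own address in its own frame).
    #    Broader than the ESTABLISHED,RELATED version in the reply: it also
    #    admits router-initiated traffic such as SNMP traps or remote syslog.
    $IPT -A INPUT -i "$iface" -s "$router" -m mac --mac-source "$router_mac" -j ACCEPT
    # 2. Any other LAN source address carried by the router's MAC did not
    #    originate on the LAN, so it is forged. iptables is first-match, so
    #    this sits ABOVE the conntrack ACCEPT: a spoofed packet that happens
    #    to fit an existing flow is still dropped.
    $IPT -A INPUT -i "$iface" -s "$lan" -m mac --mac-source "$router_mac" -j DROP
    # 3. Genuine LAN hosts arrive in frames carrying their own MAC.
    $IPT -A INPUT -i "$iface" -s "$lan" -j ACCEPT
    # 4. Replies to connections this host opened. Internet traffic relayed by
    #    the router lands here because its source address is outside $lan.
    $IPT -A INPUT -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 5. Rate-limited log of whatever falls through, then default DROP.
    $IPT -A INPUT -i "$iface" -m limit --limit 5/min -j LOG --log-prefix "netfilter:in dropped: "
    $IPT -P INPUT DROP
}

# Dry run: prints the rules in the order they would be loaded.
antispoof_rules eth1 192.168.1.0/24 192.168.1.254 00:26:44:59:a6:10
```

The ordering is the point: rule 2 answers the later question in this thread about keeping a conntrack ACCEPT, because a packet with a LAN source but the router's MAC is dropped before conntrack ever sees it. `-m state --state` and `-m conntrack --ctstate` are interchangeable here. The check only holds when every Internet packet really does arrive in a frame from the router's MAC; a host on the same Ethernet or Wi-Fi segment forging a LAN address with its own MAC is not caught by it.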
Quote:
Given that my default INPUT policy is DROP, do I need a third rule to actually allow the 192.168.1.0/24 packets which don't have the router MAC address? i.e. just
Code:
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
I also normally use
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Also, examining my logs I see packets like (my gateway is 192.168.1.254)
Code:
[29628.831435] netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=192.168.1.254 DST=192.168.1.79 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9768 PROTO=TCP SPT=80 DPT=52239 WINDOW=4096 RES=0x00 ACK URGP=0
Code:
[22687.367153] netfilter:in dropped: IN=eth1 OUT= MAC=01:00:5e:7f:ff:fa:00:26:44:59:a6:10:08:00 SRC=192.168.1.254 DST=239.255.255.250 LEN=319 TOS=0x00 PREC=0x00 TTL=1 ID=7380 PROTO=UDP SPT=1834 DPT=1900 LEN=299
EDIT: Actually, I realize now that MAC= dest mac : src mac : payload
If you haven't configured your router to send SNMP traps to a trap receiver, blocking SNMP traps will have no undesired effects.
Thanks again. You've been very, very helpful.
I've read elsewhere the suggestion of just doing
Code:
iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
Aside from the obvious problems (not allowing the router, etc.), selecting via the interface just wouldn't work, right? For me eth1 is the wireless card, and I think eth0 is just a wired network card... so everything is going to come through the eth1 interface? (Again, I don't know if these rules are for webservers/routers or something else where one interface is outward facing and the other faces the LAN?)
If I still wanted to keep my
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
That way all the packets with internal IPs yet external (router) MACs would have been dropped already, established/related or otherwise. Or does conntrack not work in the chain like that?
Also, how about the log
Code:
netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=192.168.1.254 DST=192.168.1.79 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9768 PROTO=TCP SPT=80 DPT=52239 WINDOW=4096 RES=0x00 ACK URGP=0
My logs are clogged with things like
Code:
netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=108.160.162.35 DST=192.168.1.79 LEN=218 TOS=0x00 PREC=0x00 TTL=51 ID=40991 DF PROTO=TCP SPT=80 DPT=46121 WINDOW=31 RES=0x00 ACK PSH URGP=0
Finally, is there any way I could get Skype and other things to work without using conntrack? I know for http (and https, replacing 80 with 443) I could just do
Code:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
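An added example, not part of the thread, that reads the netfilter LOG lines posted above the way the anti-spoof rules do: it splits the MAC= field into its three parts (destination MAC, source MAC, and the two-octet EtherType, 08:00 meaning IPv4) and classifies each packet by whether its source MAC is the router's. The router address 192.168.1.254 and MAC 00:26:44:59:a6:10 are taken from the posted logs; the LAN is assumed to be 192.168.1.0/24 and is matched with a simple prefix check, which is only valid for a /24. The sample lines are the ones quoted in this thread plus one constructed spoofed packet; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): decode the MAC= field of a netfilter
# LOG line and classify where the packet really came from.
# Assumptions: router 192.168.1.254 with MAC 00:26:44:59:a6:10 (from the posted
# logs), LAN 192.168.1.0/24 checked by prefix (valid for a /24 only).
ROUTER_IP="${ROUTER_IP:-192.168.1.254}"
ROUTER_MAC="${ROUTER_MAC:-00:26:44:59:a6:10}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# nf_field KEY LINE: value of the first KEY= token in LINE (so LEN= gives the
# IP total length, not the UDP/TCP length that appears later on the line).
nf_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | sed -n 1p
}

# mac_part dst|src|type LINE: one part of the 14-octet MAC= field
# (6 destination octets, 6 source octets, 2 EtherType octets). Empty if the
# kernel logged MAC= with no value, which happens for locally generated packets.
mac_part() {
    mac="$(nf_field MAC "$2")"
    [ -n "$mac" ] || return 0
    case "$1" in
        dst)  printf '%s\n' "$mac" | cut -d: -f1-6 ;;
        src)  printf '%s\n' "$mac" | cut -d: -f7-12 ;;
        type) printf '%s\n' "$mac" | cut -d: -f13-14 ;;
    esac
}

# classify LINE: one word describing the packet's true origin, mirroring the
# rule order used for anti-spoofing (router MAC checked before LAN address).
classify() {
    src_ip="$(nf_field SRC "$1")"
    src_mac="$(mac_part src "$1")"
    if [ -z "$src_mac" ]; then
        echo local-origin            # MAC= empty: this host's own packet (e.g. its broadcast)
    elif [ "$src_mac" = "$ROUTER_MAC" ]; then
        if [ "$src_ip" = "$ROUTER_IP" ]; then
            echo router              # the router speaking for itself
        else
            case "$src_ip" in
                "$LAN_PREFIX"*) echo spoofed ;;               # LAN address, router MAC: forged
                *)              echo internet-via-router ;;
            esac
        fi
    else
        case "$src_ip" in
            "$LAN_PREFIX"*) echo lan-host ;;                  # real LAN host with its own MAC
            *)              echo other ;;
        esac
    fi
}

# Sample input: three lines quoted in this thread, plus one constructed
# spoofed packet (LAN source address arriving with the router's source MAC).
SAMPLE_ROUTER='[21617.117590] netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=192.168.1.254 DST=192.168.1.79 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=7198 PROTO=UDP SPT=1900 DPT=47286 LEN=332'
SAMPLE_LOCAL='[21896.728247] netfilter:in dropped: IN=eth1 OUT= MAC= SRC=192.168.1.79 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=57621 DPT=57621 LEN=52'
SAMPLE_INTERNET='netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=108.160.162.35 DST=192.168.1.79 LEN=218 TOS=0x00 PREC=0x00 TTL=51 ID=40991 DF PROTO=TCP SPT=80 DPT=46121 WINDOW=31 RES=0x00 ACK PSH URGP=0'
SAMPLE_SPOOF='[99999.000000] netfilter:in dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=192.168.1.50 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0'

for line in "$SAMPLE_ROUTER" "$SAMPLE_LOCAL" "$SAMPLE_INTERNET" "$SAMPLE_SPOOF"; do
    printf '%-20s SRC=%-16s src_mac=%s type=%s\n' \
        "$(classify "$line")" "$(nf_field SRC "$line")" \
        "$(mac_part src "$line")" "$(mac_part type "$line")"
done
```

Piping a live log through this (for example `grep 'netfilter:in dropped' /var/log/kern.log | while read -r l; do classify "$l"; done | sort | uniq -c`) shows at a glance how much of the noise is ordinary `internet-via-router` replies that a conntrack ACCEPT ahead of the LOG rule would have admitted, and whether any `spoofed` lines ever appear.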