LinuxQuestions.org
Old 09-21-2004, 08:58 PM   #1
Beauford-2
Member
 
Registered: Sep 2004
Posts: 37

Rep: Reputation: 15
iptables newbie question


Hi,

I run Slackware 10 on an old p166 and use it as my web server and some other things. It is on an internal LAN behind a Linksys router and has a static non-routable IP. I have Linksys forward web requests to Linux and all works well.

However, I have had some idiots trying to gain access and hack my server and I want to set up a firewall on Linux to filter entire IP blocks.

I have looked at a zillion websites on IP chains and I can't make any sense of it at all.

All I want to do is deny several IP blocks from accessing anything on my Linux box. Even though Linksys is forwarding the packets, I want Linux to drop them if they are from certain IP blocks...

Currently I have nothing in place and would appreciate some help on how I would do this.

Thanks
 
Old 09-21-2004, 09:48 PM   #2
CroMagnon
Member
 
Registered: Sep 2004
Location: New Zealand
Distribution: Debian
Posts: 900

Rep: Reputation: 33
I think you want this:

# Use -I for insert to make sure this rule appears at the top of the chain
iptables -I INPUT 1 -s ip.block.to.ignore/mask -j DROP

Problem is, it's hard to test, as the attempts (from China, right?) will suddenly be invisible to apache, and your logs will be empty - are they attacking and being ignored, or have they gone to bed? I would test with your own network addresses first, but make sure you have easy console access - SSH should drop along with everything else.

Also, you could do this:

# Note non-intuitive reverse order, because we are inserting and not appending
iptables -I INPUT 1 -s damn.script.kiddies/24 -j DROP
iptables -I INPUT 1 -s damn.script.kiddies/24 -j LOG

which would add a syslog entry for every packet dropped. If the attempts are frequent, you may not like doing this, but you could turn off logging as soon as you saw a few successfully dropped packets.

Also, be aware that while this will make you appear to be a black hole to the bad guys, it will do the same for any attempts for your machine to contact them - if you accidentally include a few valid addresses, your web server machine won't be able to talk to them because their replies will be dropped. Since you're not using this box as a router for your network, I doubt this will cause you any problems.
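
An added example, not part of any post in this thread: one way to block several source ranges while keeping the logging concern above in check. It puts a rate-limited LOG rule and the DROP in a dedicated chain, then jumps to it per range. The chain name, the 5/minute limit and the sample ranges (documentation networks) are assumptions, and the script only prints the commands.

```bash
#!/bin/sh
# Added example: print (do not run) iptables commands for a source blocklist.
CHAIN=BLOCKLIST                      # hypothetical chain name

# Succeeds only for a.b.c.d/len with octets 0-255 and len 0-32.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
            for (i = 1; i <= 4; i++) if ($i > 255) exit 1
            if ($5 > 32) exit 1
        }'
}

# Reads one CIDR per line on stdin; blank lines and # comments are ignored.
gen_rules() {
    bad=0
    echo "iptables -N $CHAIN"
    # Rules are appended inside the chain, so they run in the order written:
    # log at most 5 packets a minute, then drop everything that got here.
    echo "iptables -A $CHAIN -m limit --limit 5/minute -j LOG --log-prefix \"$CHAIN drop: \""
    echo "iptables -A $CHAIN -j DROP"
    while IFS= read -r cidr; do
        case $cidr in ''|'#'*) continue ;; esac
        if valid_cidr "$cidr"; then
            # Inserted at the top of INPUT so nothing earlier can accept first.
            echo "iptables -I INPUT 1 -s $cidr -j $CHAIN"
        else
            echo "skipping invalid entry: $cidr" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample list (documentation ranges, not real offenders).
gen_rules <<'EOF'
# one CIDR per line
192.0.2.0/24
198.51.100.0/24
EOF
```

Review the printed commands, then pipe them to `sh` as root from a console session rather than over SSH.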
 
Old 09-21-2004, 11:08 PM   #3
Beauford-2
Member
 
Registered: Sep 2004
Posts: 37

Original Poster
Rep: Reputation: 15
China, Korea, Japan, and every other Asian block country.

Let me add some more info as this is really strange.

I have two Win2k domain controllers and 'mail' has an Exchange server on it. I have blocked all these IP blocks to port 25 using BlackICE.

The second DC has IIS running, but only for my internal network. SMTP is not running and port 25 is not open. Now this is where it gets strange. These same IPs are showing up in my BlackICE logs for the second DC.

My Linksys router forwards all port 25 requests to 'mail'. So how are they getting to the second DC?

Now, to tie this in with iptables. I also have an apache webserver on Linux which is open to the public and the Linksys router passes all web requests to it. I have noticed in my logs that the same IP blocks are attempting to connect to port 25 through my apache webserver. So I want to block them there as well. I have no idea though on how these attempts to port 25 are getting to the second DC.

This is the type of message I am getting in my apache access_log file.

218.161.17.56 - - [18/Sep/2004:04:38:54 -0400] "CONNECT 139.175.54.239:25 HTTP/1.0" 200 12594
218.161.17.56 - - [18/Sep/2004:04:39:54 -0400] "CONNECT 203.65.224.2:25 HTTP/1.0" 200 12594
218.161.17.56 - - [18/Sep/2004:04:41:06 -0400] "CONNECT 211.20.188.150:25 HTTP/1.0" 200 12594

If anyone can make any sense of this, it would really be appreciated.

Thanks
 
Old 09-25-2004, 07:39 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3578
HTTP protocol method "CONNECT" means SSL/proxy attempt.
Check if you allow world to use your setup as proxy.
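
An added example, not part of any post in this thread: a log triage that summarises CONNECT requests in an Apache access log (common log format) per client, target port and status, and marks the 2xx ones as the entries to check against the proxy configuration. The first three sample lines are the ones quoted earlier in the thread; the last two are constructed, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: summarise HTTP CONNECT requests found in an access log.
# Fields in common log format: $1 client, $6 "METHOD, $7 target, $9 status.
connect_report() {
    awk '
    $6 == "\"CONNECT" {
        n = split($7, hp, ":")                      # target is host:port
        port = (n == 2 && hp[2] ~ /^[0-9]+$/) ? hp[2] : "?"
        key = $1 " port=" port " status=" $9
        reqs[key]++
        # Count each distinct target once per client/port/status group.
        if (!((key, $7) in seen)) { seen[key, $7] = 1; targets[key]++ }
        # A 2xx answer to CONNECT is what warrants a look at the proxy setup.
        verdict[key] = ($9 ~ /^2[0-9][0-9]$/) ? "CHECK" : "non-2xx"
    }
    END {
        for (k in reqs)
            printf "%s requests=%d targets=%d %s\n", k, reqs[k], targets[k], verdict[k]
    }' "$@" | sort
}

# Sample input: three lines from the thread plus two constructed lines.
sample_log() {
    cat <<'EOF'
218.161.17.56 - - [18/Sep/2004:04:38:54 -0400] "CONNECT 139.175.54.239:25 HTTP/1.0" 200 12594
218.161.17.56 - - [18/Sep/2004:04:39:54 -0400] "CONNECT 203.65.224.2:25 HTTP/1.0" 200 12594
218.161.17.56 - - [18/Sep/2004:04:41:06 -0400] "CONNECT 211.20.188.150:25 HTTP/1.0" 200 12594
192.0.2.10 - - [18/Sep/2004:05:00:00 -0400] "CONNECT 198.51.100.7:443 HTTP/1.0" 405 310
192.0.2.10 - - [18/Sep/2004:05:00:05 -0400] "GET /index.html HTTP/1.0" 200 12594
EOF
}

sample_log | connect_report
```

To run it on a real log, pass the file as an argument: `connect_report access_log`.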
 
Old 09-26-2004, 04:41 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Re: iptables newbie question

Quote:
Originally posted by Beauford-2
All I want to do is deny several IP blocks from accessing anything on my Linux box. Even though Linksys is forwarding the packets, I want Linux to drop them if they are from certain IP blocks...
Code:
iptables -A INPUT -s aaa.aaa.aaa.aaa/aaa -j DROP
iptables -A INPUT -s bbb.bbb.bbb.bbb/bbb -j DROP
iptables -A INPUT -s ccc.ccc.ccc.ccc/ccc -j DROP
 
  


All times are GMT -5.