LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-20-2007, 10:33 PM   #1
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Rep: Reputation: 31
Iptables Problem


Hello all expert Linux Security administrators,

I have a noob question about iptables rules.

How do I track the three-way handshake and drop any new connection?

DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST

What do these two rules mean?

I also want to block any packets with the SYN and ACK TCP flags unset.

I am totally a newbie in networking and Linux.

Quote:

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP 0 -- anywhere anywhere state NEW ctstate NEW
DROP 0 -- anywhere anywhere state NEW
DROP 0 -f anywhere anywhere
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
RH-Firewall-1-INPUT 0 -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP 0 -- anywhere anywhere ctstate INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh recent: SET name: SSH side: source
DROP tcp -- anywhere anywhere tcp dpt:ssh recent: UPDATE seconds: 180 hit_count: 2 name: SSH side: source

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
These are all my rules; are all these rules safe enough?

Thanks for your help.

Your help is greatly appreciated by me and others.
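The two DROP rules Peter asks about are `--tcp-flags` matches: the part before the slash is the set of flags iptables examines (the mask) and the part after it is the value those flags must have. `FIN,SYN,RST,ACK/SYN` therefore matches a segment with SYN set and FIN, RST and ACK all clear, which is exactly the first segment of a three-way handshake; `FIN,SYN,RST,ACK/RST` matches a bare RST. In `iptables -L -n` output the same rules appear as `0x17/0x02` and `0x17/0x04` (0x17 = FIN|SYN|RST|ACK). The following is an added example, not code from the thread: a small Python evaluator that applies the mask/compare semantics to constructed sample packets. The third rule in `RULES`, `SYN,ACK/NONE`, is my addition for Peter's "SYN and ACK both unset" case (the usual spelling is `--tcp-flags SYN,ACK NONE`); it is not in his listing.

```python
"""Decode iptables --tcp-flags rules (mask/compare) and test them against packets."""

# TCP flag bits in the order iptables names them; 0x17 == FIN|SYN|RST|ACK.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def parse_flag_set(text):
    """Turn 'FIN,SYN,RST,ACK', '0x17', 'ALL' or 'NONE' into an integer bitmask."""
    text = text.strip()
    if text.startswith("0x"):
        return int(text, 16)
    if text == "ALL":
        return sum(TCP_FLAGS.values())
    if text == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in text.split(","))


def parse_rule(spec):
    """'FIN,SYN,RST,ACK/SYN' (iptables -L) or '0x17/0x02' (iptables -L -n) -> (mask, compare)."""
    mask, compare = spec.split("/")
    return parse_flag_set(mask), parse_flag_set(compare)


def matches(spec, packet_flags):
    """iptables semantics: look only at the bits in mask; they must equal compare exactly,
    so 'FIN,SYN,RST,ACK/SYN' means SYN set AND FIN, RST, ACK all clear."""
    mask, compare = parse_rule(spec)
    return packet_flags & mask == compare


def describe(packet_flags):
    """Human-readable flag list for a flags byte, e.g. 0x12 -> 'SYN,ACK'."""
    return ",".join(n for n, b in TCP_FLAGS.items() if packet_flags & b) or "NONE"


# Constructed sample packets: the three handshake segments, a bare RST, a RST+ACK
# (what a closed port answers a SYN with), a NULL packet and a FIN-only packet.
SAMPLE_PACKETS = {
    "client SYN": 0x02,
    "server SYN,ACK": 0x12,
    "client ACK": 0x10,
    "bare RST": 0x04,
    "RST,ACK": 0x14,
    "NULL (no flags)": 0x00,
    "FIN only": 0x01,
}

# The two rules from the thread, plus the usual spelling of "neither SYN nor ACK set"
# (--tcp-flags SYN,ACK NONE); the last one is my addition, not a rule from Peter's listing.
RULES = ["FIN,SYN,RST,ACK/SYN", "FIN,SYN,RST,ACK/RST", "SYN,ACK/NONE"]


def first_matching_rule(rule_specs, packet_flags):
    """Return the first rule spec that matches, or None (the packet falls through)."""
    for spec in rule_specs:
        if matches(spec, packet_flags):
            return spec
    return None


def verdicts(rule_specs=RULES, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the rule that would DROP it, or None."""
    return {name: first_matching_rule(rule_specs, flags) for name, flags in packets.items()}


if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        hit = first_matching_rule(RULES, flags)
        print(f"{name:16} flags={describe(flags):8} -> {'DROP by ' + hit if hit else 'no flag rule matches'}")
```

Running it shows why these rules sit at the top of an INPUT chain whose policy is DROP: the inbound `client SYN` is dropped, so no remote host can complete a handshake to this machine, while the `SYN,ACK` this machine receives when it opens its own outbound connections is not matched (ACK is set), so outbound traffic keeps working. Note that `FIN,SYN,RST,ACK/RST` only catches a bare RST; the `RST,ACK` a closed port sends back falls through to the later state rules.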
 
Old 07-22-2007, 09:29 AM   #2
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Nothing beats really understanding the fundamentals of iptables. I found this to be about the best there is for learning the basics:

http://iptables-tutorial.frozentux.n...-tutorial.html

You'll be able to answer your own questions, with a little effort, which when it comes to iptables is well worth it.
 
Old 07-26-2007, 03:34 AM   #3
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
Hello all, latest news from Peter_APIIT.

My system has been compromised. How I know the system has been compromised:

The iptables firewall rules have changed. My /etc/sysconfig/iptables-config has been deleted.

Moreover, my state shared object (state library) has also been deleted.

How can I block my ISP hacking during network initialization? I realised my ISP always hacks during the initialization of the connection.

I just don't understand how he can remove the files and gain root access to my PC.

I have afick, Bastille, File Integrity Checker and AIDE installed.


I think I should beg for any help.

Please help me. No internet, no life.
 
Old 07-26-2007, 03:35 AM   #4
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
I think I should format the PC, but how can I prevent this from happening next time?

Please help.

A serious issue.
 
Old 07-26-2007, 05:00 AM   #5
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
How can I restore to a previous stage without a fresh reinstall?

I have downloaded mkCDrec_v0.9.7.tar.gz,
but I haven't backed up my system.

I will go crazy if this happens once again.

Please don't come to MaLay*. The Internet ISP (Tm***) pretty much sucks here.
 
Old 07-26-2007, 08:24 AM   #6
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Wow. I definitely would do a fresh install, with the computer NOT connected to the internet.

And afterward I would boot the machine fully also disconnected, then connect the line and start network services. I suspect there's more than just iptables at play here. To my knowledge iptables rules are initialized before the interface. In any event get yourself a solid set of rules in place before connecting.

This recent thread (below) has a good, simple rule set. You can comment out (or delete) the rules that deal with services you do not use:

http://www.linuxquestions.org/questi...d.php?t=569202

(the last post has a well refined rule set)

BTW how do you connect? Dial up? DSL? And what distribution are you using? Most distributions allow you to select which partitions will be formatted during install, you can leave the /home directory intact and not lose much of your personalizations. (and all your documents should be in /home)

That tutorial I posted above really nailed the concepts for me. It's a lot of work, but well worth the peace of mind.

I have to admit I'm rather spoiled here, my home was one of the first on the planet to have residential broadband. We were randomly selected as a test market many years ago. But I do sympathize with your plight, no doubt government has their hands in this business where you are at. (they pretty much do everywhere, but in different ways) Governments, for those who haven't been paying attention, are getting increasingly paranoid these days. They probably want to know what everybody is up to. I'd be interested in seeing the forensics of your "hacked" machine, deleting things from your machine is pretty extreme, a crime in my neck of the woods.

Anyway, best of luck, and be well,

cat
 
Old 07-26-2007, 09:27 PM   #7
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
This is the output of tcpdump:
06:23:41.294388 IP ns1.tm.net.my.domain > 192.168.1.34.32784: 13838- 0/13/0 (266)
where my ISP has already entered my PC.
 
Old 07-26-2007, 09:30 PM   #8
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
My connection type is DSL. I am using Fedora 7.

What is the difference between the conntrack module and the state module? I have both rules but still cannot block them.

Thanks for your help.
 
Old 07-27-2007, 12:37 AM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Peter_APIIT
This is the output of tcpdump:
06:23:41.294388 IP ns1.tm.net.my.domain > 192.168.1.34.32784: 13838- 0/13/0 (266)
where my ISP has already entered my PC.
Given the hostname of that server (ns1.tm...) that's very likely to be a nameserver for DNS resolution (you can check using nslookup or dig). In the future, if you see strange traffic like that, you can see what application/PID is involved using netstat -pantu and look for that corresponding port.

Could you explain further why you think your system has been hacked? I haven't seen anything you've posted so far that is conclusive evidence. It is normal for there to be traffic between your network and your ISP. Things like DNS resolution and DHCP are fairly commonly seen packets. Regarding the iptables-config modification, I believe Mandriva still uses msec which (depending on your security level) does a regular system check that will make modifications to various system files, in particular it will rollback modifications it believes are insecure and it will reload the iptables ruleset from a preset config file.

Last edited by Capt_Caveman; 07-27-2007 at 12:38 AM.
 
Old 07-27-2007, 12:47 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Peter_APIIT
My connection type is DSL. I am using Fedora 7.

What is the difference between the conntrack module and the state module? I have both rules but still cannot block them.

Thanks for your help.
Could you explain how you are trying to block them? If the traffic is indeed DNS hostname resolution, then it's likely going to be in the RELATED state. You're requesting a webpage or whatever and the system needs to resolve the hostname, hence it makes a DNS request and the reply from your ISP would be RELATED.
 
Old 07-27-2007, 04:26 AM   #11
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
The rules are in post 1.

This website only accepts ESTABLISHED, whereas I accept both RELATED,ESTABLISHED.

http://www.sns.ias.edu/~jns/wp/2006/...-it-work/?p=17

Which one is true?

My ISP always hacks during the initial connection.


Thanks for your help.

A billion thanks again.
 
Old 07-27-2007, 04:53 AM   #12
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
These are my latest iptables rules, but I am still hacked by my ISP. Do I need to remove RELATED?

As far as I know, a stateful firewall only applies to the TCP protocol.

Quote:
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 DROP 0 -f 0.0.0.0/0 0.0.0.0/0
2 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
4 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW state INVALID,NEW
5 DROP udp -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW state INVALID,NEW
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 ctstate ESTABLISHED state ESTABLISHED
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED state RELATED,ESTABLISHED
10 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
11 DROP icmp -- 0.0.0.0/0 0.0.0.0/0
12 RH-Firewall-1-INPUT 0 -- 0.0.0.0/0 0.0.0.0/0
13 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
14 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
15 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:31337 dpt:31337
16 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23

Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,ESTABLISHED state NEW,ESTABLISHED
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain RH-Firewall-1-INPUT (1 references)
num target prot opt source destination
1 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
2 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
7 ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

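Capt_Caveman's explanation in #9 and #10 (the ISP traffic is a DNS reply that the state match lets through) and Peter's questions in #11 and #12 (whether RELATED is needed, and whether state tracking covers anything but TCP) both come down to how conntrack labels a packet: NEW for the first packet of a flow, ESTABLISHED once the flow has seen traffic in both directions, RELATED for a connection a helper such as nf_conntrack_ftp has told conntrack to expect, INVALID for a packet that fits no flow and cannot start one. Conntrack keeps these flow entries for UDP and ICMP too, which is what rules 5 and 7 of the listing above rely on. The block below is an added example, not code from the thread or from netfilter: a toy tracker in Python that implements those labelling rules and runs two scenarios through a reduction of Peter's INPUT chain. The host address, the resolver name and the port 32784 come from the tcpdump line in #7; `ftp.example.test`, the other port numbers and the assumption that TCP is tracked as with `nf_conntrack_tcp_loose=0` are constructed for the example.

```python
"""Toy model of netfilter conntrack state labels, run against Peter's INPUT chain logic."""
from collections import namedtuple

# flags holds the TCP flag string ('SYN', 'SYN,ACK', 'ACK', ...); '' for UDP.
Packet = namedtuple("Packet", "proto src sport dst dport flags")


class Conntrack:
    """Labels packets the way ctstate does: NEW, ESTABLISHED, RELATED or INVALID.
    Simplifications (assumed, not the kernel's exact code): no timeouts, and TCP is tracked
    as if nf_conntrack_tcp_loose=0, so a TCP packet that fits no flow and is not a bare SYN is INVALID."""

    def __init__(self):
        self.flows = {}          # (proto, src, sport, dst, dport) -> {"replied": bool}
        self.expected = set()    # (proto, dst, dport) registered by a helper such as nf_conntrack_ftp

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expect(self, proto, dst, dport):
        """What the FTP helper does after parsing a PORT command: pre-register the data connection."""
        self.expected.add((proto, dst, dport))

    def classify(self, p):
        if self._key(p) in self.flows:                     # original direction of a known flow
            return "ESTABLISHED" if self.flows[self._key(p)]["replied"] else "NEW"
        if self._reverse(p) in self.flows:                 # reply direction: both directions now seen
            self.flows[self._reverse(p)]["replied"] = True
            return "ESTABLISHED"
        if (p.proto, p.dst, p.dport) in self.expected:     # a connection a helper told us to expect
            self.expected.discard((p.proto, p.dst, p.dport))
            self.flows[self._key(p)] = {"replied": False}
            return "RELATED"
        if p.proto == "tcp" and p.flags != "SYN":
            return "INVALID"
        self.flows[self._key(p)] = {"replied": False}      # first packet of a brand-new flow
        return "NEW"


def input_verdict(state, accept_related=True):
    """Rules 4-7 of Peter's INPUT chain reduced to their state logic, policy DROP:
    ctstate INVALID,NEW -> DROP; ctstate RELATED,ESTABLISHED -> ACCEPT.
    accept_related=False models the ESTABLISHED-only variant Peter asks about in #11/#12."""
    accepted = {"ESTABLISHED"} | ({"RELATED"} if accept_related else set())
    return "ACCEPT" if state in accepted else "DROP"


# Endpoints: the host and ISP resolver from the tcpdump line in #7; the FTP server is hypothetical.
HOST, DNS, FTP = "192.168.1.34", "ns1.tm.net.my", "ftp.example.test"


def dns_scenario():
    """The host queries the ISP resolver: the reply is ESTABLISHED, an answer nobody asked for is NEW."""
    ct = Conntrack()
    query = Packet("udp", HOST, 32784, DNS, 53, "")
    reply = Packet("udp", DNS, 53, HOST, 32784, "")
    unsolicited = Packet("udp", DNS, 53, HOST, 40000, "")
    out = {"query": ct.classify(query)}                    # leaves via OUTPUT as NEW
    for name, pkt in (("reply", reply), ("unsolicited", unsolicited)):
        state = ct.classify(pkt)
        out[name] = (state, input_verdict(state))
    return out


def ftp_scenario(accept_related=True):
    """Active-mode FTP: the server opens the data connection back from port 20, which only
    passes a RELATED rule; the 'spt:21 ESTABLISHED' rule never sees it because the source port is 20."""
    ct = Conntrack()
    ct.classify(Packet("tcp", HOST, 40001, FTP, 21, "SYN"))          # control connection, NEW
    ct.classify(Packet("tcp", FTP, 21, HOST, 40001, "SYN,ACK"))      # reply -> ESTABLISHED
    ct.expect("tcp", HOST, 40016)   # client sent PORT 192,168,1,34,156,80 (156*256+80 = 40016)
    state = ct.classify(Packet("tcp", FTP, 20, HOST, 40016, "SYN"))
    return state, input_verdict(state, accept_related)
```

`dns_scenario()` shows the packet from the tcpdump line being accepted because it is the reply half of a UDP flow the host itself started, while a UDP packet from the same resolver that answers no query is NEW and hits the DROP in rule 5; that is the behaviour to expect from the listing above, and it holds for UDP even though UDP has no handshake. `ftp_scenario(False)` shows what removing RELATED costs: the active-mode data connection arrives from port 20 as RELATED and is dropped, and the `spt:21 ESTABLISHED` rule does not help because the data connection does not come from port 21.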
 
Old 07-27-2007, 07:03 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Peter_APIIT
The rules are in post 1.
My ISP always hacks during the initial connection.
Please explain what you mean by this. It is very unlikely that your ISP is trying to break into your system.
 
Old 07-27-2007, 07:49 PM   #14
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
message deleted

Last edited by catworld; 07-29-2007 at 01:01 AM.
 
Old 07-28-2007, 01:23 AM   #15
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
They have deleted all my rules before. That's why I posted this thread for help. I wouldn't simply say that my ISP has hacked me.

All of /etc/sysconfig/iptables is deleted.

Do I need to remove RELATED?

A billion thanks to you all.
 
All times are GMT -5.