LinuxQuestions.org > Linux - Security
Old 01-24-2011, 09:20 AM   #1
Sum1
Member
iptables: rejecting/dropping port range 1000-65535 problem


I've been noticing that users leave their computers on and browsers open overnight. I have no control of this.

Traffic monitoring using tcpdump shows the open browsers on websites like marketwatch.com, and there's a constant stream of advert. traffic between client machines on the LAN and outside webservers like the site listed above.

I thought I would squelch this traffic by simply not forwarding ports on the observed range -- 1000-6000.

I tried it briefly <<items in ( ) = clarification>>:

iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --dport 1000:6000 --syn -m state --state NEW -j REJECT
iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --sport 1000:6000 --syn -m state --state NEW -j REJECT

and

iptables -t filter -A FORWARD -i (lan_nic) -o (internet_nic) -p tcp --dport 1000:6000 --syn -m state --state NEW -j REJECT
iptables -t filter -A FORWARD -i (lan_nic) -o (internet_nic) -p tcp --sport 1000:6000 --syn -m state --state NEW -j REJECT

I was surprised to find that this made all connections from LAN client machines to the internet non-functional. I could not access any website: google.com, imap webmail service, lxer.com, etc., nothing.

I must need to update my training and understanding. :-)
I thought calling up google.com would use port 80, which I have open on the firewall.
I thought logging into an ssl-enabled webmail service would use ports 443, 143, and/or 993, which I have open on the firewall.

Why is so much web traffic traversing ports beyond 1024?
What can I do to re-route and re-assign such traffic so that I can better control it in/out of the LAN?
I appreciate your guidance and suggestions.
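The following is an added worked example, not code from the thread: a small Python model of the FORWARD chain as posted, evaluated against constructed SYN packets. It assumes names for the placeholders in the original rules (eth1 for (lan_nic), eth0 for (internet_nic), 192.168.1.0/24 for (local_SUBNET)) and an arbitrary external server address; none of those come from the post. It shows which rule each outbound connection hits, and why the two `--sport 1000:6000` rules are the ones that break every HTTP, HTTPS and IMAPS connection from the XP clients.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed stand-ins for the (lan_nic), (internet_nic) and (local_SUBNET)
# placeholders in the posted rules; they are not from the original thread.
LAN_NIC = "eth1"
WAN_NIC = "eth0"
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    """A forwarded TCP segment as netfilter sees it (constructed test data)."""
    in_iface: str
    out_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True       # first packet of the handshake (--syn)
    state: str = "NEW"     # conntrack state (-m state --state NEW)


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; every posted rule also carries --syn and --state NEW."""
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src_net: Optional[ipaddress.IPv4Network] = None
    dport: Optional[PortRange] = None
    sport: Optional[PortRange] = None

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.out_iface is not None and p.out_iface != self.out_iface:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src) not in self.src_net:
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        return p.syn and p.state == "NEW"


# The four rules from the first post, in the order they were appended.
POSTED_RULES = [
    Rule("REJECT", in_iface=LAN_NIC, src_net=LAN_SUBNET, dport=(1000, 6000)),
    Rule("REJECT", in_iface=LAN_NIC, src_net=LAN_SUBNET, sport=(1000, 6000)),
    Rule("REJECT", in_iface=LAN_NIC, out_iface=WAN_NIC, dport=(1000, 6000)),
    Rule("REJECT", in_iface=LAN_NIC, out_iface=WAN_NIC, sport=(1000, 6000)),
]

# The same chain with the two --sport rules left out.
DPORT_ONLY_RULES = [r for r in POSTED_RULES if r.sport is None]


def forward_verdict(p: Packet, rules, policy: str = "ACCEPT"):
    """First matching rule wins, as in a real iptables chain.

    Returns (verdict, index of the matching rule or None for chain policy)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.target, i
    return policy, None


def lan_client_syn(sport: int, dport: int, src: str = "192.168.1.10") -> Packet:
    """Outbound SYN from a LAN host to an (assumed) external server address."""
    return Packet(LAN_NIC, WAN_NIC, src, sport, "203.0.113.10", dport)


# Constructed flows.  Windows XP assigns client (ephemeral) ports from 1025-5000,
# so every XP browser or mail connection has a source port inside the blocked
# 1000:6000 range regardless of the well-known destination port it targets.
# A Linux host, whose default ephemeral range starts at 32768, is included for contrast.
FLOWS = {
    "http google.com": lan_client_syn(1033, 80),
    "https webmail":   lan_client_syn(1034, 443),
    "imaps webmail":   lan_client_syn(1035, 993),
    "http ad server":  lan_client_syn(4999, 80),
    "http linux host": lan_client_syn(45123, 80, src="192.168.1.20"),
}


def rejected_flows(rules):
    """Names of the constructed flows that the given chain rejects, sorted."""
    return sorted(name for name, p in FLOWS.items()
                  if forward_verdict(p, rules)[0] == "REJECT")


if __name__ == "__main__":
    for name, p in FLOWS.items():
        print(f"{name:18s} sport={p.sport:5d} dport={p.dport:4d} "
              f"posted={forward_verdict(p, POSTED_RULES)} "
              f"dport-only={forward_verdict(p, DPORT_ONLY_RULES)}")
```

Running it shows the second rule (`--sport 1000:6000`) rejecting every XP connection to ports 80, 443 and 993, which is the total outage described in the post. Dropping the two `--sport` rules restores those connections, but note that the remaining `--dport 1000:6000` rules still do nothing against the ad traffic, because that traffic is ordinary HTTP to destination port 80; the 1000-6000 numbers seen in tcpdump are the clients' source ports, not something the destination side chose.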
 
Old 01-24-2011, 04:51 PM   #2
Sum1
I consulted with a few folks on the iptables irc channel and received some valuable education.
Essentially, the operating system (Win XP) of the LAN clients may be choosing a wide range of ports to broadcast address/data requests out on the net; thus, there's nothing to be alarmed about regarding the actual ports I see traffic on.

The second issue that I am concerned about controlling -- open attack vectors by way of unattended computers left with browsers open on websites pushing JavaScript and ever-calling cookies, etc. -- it appears a proxy server is a more appropriate tool to address that problem.