LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-10-2005, 10:46 AM   #1
aronnok
Member
 
Registered: Oct 2004
Location: Dhaka, Bangladesh
Distribution: Redhat Linux 7.2,Redhat Linux 8.0,Redhat Linux 9.0
Posts: 36

Rep: Reputation: 15
Angry Not able to block Network Broadcast using IPTABLES !


Hi all,
I am using RH linux 9.0. Recently my office network is being flooded through windows workstations Network Broadcasts. I have tried all possible ways ( as far i know ) to block this kinda Network Broadcast traffic. I'm not even able to block the 1025 tcp port ( Network Blackjack ).

these are my rules used to block those nasty traffic.

$IPTABLES -I INPUT -p udp -s 0/0 --dport 137 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 137 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 137 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 137 -j DROP

$IPTABLES -I INPUT -p udp -s 0/0 --dport 138 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 138 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 138 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 138 -j DROP

$IPTABLES -I INPUT -p udp -s 0/0 --dport 139 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 139 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 139 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 139 -j DROP


$IPTABLES -I INPUT -p udp -s 0/0 --dport 1025 -j DROP

But before this configuration, i have used the following ( summarized )......
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


Can anybody help me? i'm really in deep trouble.....
Thanx in advance.
 
Old 01-10-2005, 11:24 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you explain what you're trying to block in a bit more detail? Specifically, are you trying to block the netbios traffic from reaching the linux box itself or is the linux box acting as a gatweway/router and you want to filter it from passing in and out of the LAN. Also where is the NetBIOS traffic originating, on the LAN or remotely?

It also might help if you posted your entire script (remove any public IP addresses first), so that we can see all the rules in context.
 
Old 01-10-2005, 11:28 AM   #3
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
If your system is a standalone system...

Here is one of my rules to only log traffic that is not sent directly to the ip address of the system, along with limiting the rate of such logging.

Code:
    # Log packets directed directly at the external interface ip address only.
    # Otherwise the logs are flooded with broadcasts
    iptables -t filter -A INPUT  -i $EXTERNAL_INTERFACE \
             -d $EXTERNAL_INTERFACE_ADDRESS \
             -m limit --limit $LOGGING_LIMIT --limit-burst $LOGGING_LIMIT_BURST \
             -j ULOG --ulog-prefix "filter-EXT-IF_INPUT_$FILTER_INPUT_POLICY:"
Modified to suit your needs, it will look like this (drop rules instead of log rule):

Code:
# Drop NetBIOS packets - tcp
    iptables -t filter -A INPUT  -i $NETWORK_INTERFACE -p tcp \
             -d 0/0  \
             -m multiport --dports 135,137,139,445\
             -j DROP
Code:
# Drop NetBIOS packets - udp
    iptables -t filter -A INPUT  -i $NETWORK_INTERFACE -p udp \
             -d 0/0  \
             -m multiport --dports 135,137,138,445\
             -j DROP
I got the port numbers and whether they were UDP or TCP from: http://www.javvin.com/protocolTCPUDPport.html

I learned how to write the rules from: http://www.linux-firewall-tools.com/linux/book/

The book is well worth buying, and can be found at Half.com or Amazon.com MarketPlace for good values. It's well worth reading.

P.S.

Replace $NETWORK_INTERFACE with your interface. i.e., eth0 or whatever your ethernet interface is.
 
Old 01-10-2005, 11:35 AM   #4
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
Those rules I listed will block ALL NetBIOS traffic to your system. If you only want to block BROADCAST traffic, replace
Quote:
-d 0/0
with
Quote:
-d $NETWORK_BROADCAST_MASK
where -d $NETWORK_BROADCAST_MASK is your network broadcast mask.

Example:
for 192.168.1.0 network with no subnets: 192.168.1.255
for 172.16.0.0 network with no subnets: 172.16.255.255
 
Old 01-10-2005, 11:52 PM   #5
aronnok
Member
 
Registered: Oct 2004
Location: Dhaka, Bangladesh
Distribution: Redhat Linux 7.2,Redhat Linux 8.0,Redhat Linux 9.0
Posts: 36

Original Poster
Rep: Reputation: 15
Thanx all for reply.

Quote:
are you trying to block the netbios traffic from reaching the linux box itself or is the linux box acting as
a gatweway/router and you want to filter it from passing in and out of the LAN. Also where is the NetBIOS traffic
originating, on the LAN or remotely?
Acctually i am trying to block them on both way. if its possible to block them before reaching my server switch,
it would be better. but for more assurance, i want to filter and reject the NetBIOS and broadcast data from my
gateway.
Acctually my office is an ISP. i have an internal LAN. it originates a huge Broadcast traffic. and this LAN switch
is connected with my ISP's main radio switch. so, when a lot of Network broadcast comes from my LAN, it simply
jamm my ISP network.
And the Sensitive fact is, most of my clients are Bank. they are to sensitive to be disconnected for a moment. they
uses a software named REUTER. when my lan become a jamm one, they usually get disconnected from that
software.

here is my script :


#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.73
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIF="eth0"
INTIF1="eth1"
INTIF2="eth2"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF1"
echo " Second Internal Interface: $INTIF2"

echo -en " loading modules: "

$DEPMOD -a

echo "----------------------------------------------------------------------"

echo -en "ip_tables, "
$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp

echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp

echo -e "ip_nat_irc"
$INSMOD ip_nat_irc

echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT


################
#
#MICROSOFT DS BLOCKING RULES
#
###############

echo " blocking MICROSOFT DS ..... "

$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 445 -j DROP


$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP

$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 445 -j DROP

$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 1025 -j DROP



#$IPTABLES -I OUTPUT -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p udp -m udp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p udp -m udp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p udp -m udp --dport 445 -j DROP
echo " Done blocking MICROSOFT DS ..... "

echo " .............loading dataedge modules"
$IPTABLES -A INPUT --protocol tcp --dport 10000 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 19638 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 1080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 6667 -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to xx.xx.xx.xx

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

thanx again for the reply.
 
Old 01-11-2005, 09:28 AM   #6
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
Simplify your rules some ...

It looks like you have a lot of redundant rules.

This for instance:

Quote:
$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP
Could be rewritten as:

Quote:
$IPTABLES -I FORWARD -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -p udp -m udp --dport 135:139 -j DROP
By not specifying an interface, it will not allow the forwarding of any of those ports across ANY interface. Those rules are not entirely correct however, as port 138 is udp only and port 139 is tcp only.

But they'll suffice if you want to do it the way you're doing it.

This is also redundant:
Quote:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
Something like this would suffice just as well:
Quote:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want to keep state in all directions, then you could do this:
Quote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
By not specifying one of those rules for each interface it cuts down on the time it takes to match packets, and will speed up "the pipe" on busy networks. With state matching however, your router/firewall will need to have enough free memory to deal with matching state. I haven't had a problem yet, but the sources of information I've read have had that warning and I'm just passing it on.

I also notice you're matching interfaces on many of your rules, which leads to redundant rules. For port forwarding you'll want to specify interfaces to enhance security, but for dropping all of a certain type of packet, specify direction and not interface to match on all interfaces.

This also can be simplified (by writing it as one rule):
Quote:
$IPTABLES -A INPUT --protocol tcp --dport 10000 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 19638 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 1080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 6667 -j ACCEPT
Here is the compacted version:
Quote:
iptables -t filter -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
-s $INTERNAL_NETWORK --sport $UNPRIVPORTS \
-d 0/0 -m multiport --dports 80,443,21,25,10000,19638,110,8080,113,1080,6667\
-m state --state NEW \
-j ACCEPT
Good luck with your rules.

Last edited by deoren; 01-11-2005 at 09:32 AM.
 
Old 01-13-2005, 03:27 AM   #7
aronnok
Member
 
Registered: Oct 2004
Location: Dhaka, Bangladesh
Distribution: Redhat Linux 7.2,Redhat Linux 8.0,Redhat Linux 9.0
Posts: 36

Original Poster
Rep: Reputation: 15
thanx to everybody.
its helping me now. i have modified my firewall script. but the prob is, my core noc network is accessing web and everything. my corporate office is like one of my client. for office purpose, i use MDaemon. this MDaemon Server has a private ip : 192.168.1.100. this server is behind my core noc network. so, everyone from my noc is able to access the mail. but on the other hand, my corporate office isn't able to access MDaemon mail.

for noc LAN, i have a small linux gateway. 2 NICs
eth0 : 192.168.1.169
eth1 : 192.168.1.253

NOC is connected with eth1. eth0 is connected with RADIO switch. and our corporate office terminated on the same RADIO switch. both office uses same blocks IP 192.168.1.0....

wht to be done??
thanx
 
Old 01-14-2005, 03:51 PM   #8
stakhous
Member
 
Registered: May 2003
Location: PA
Posts: 82

Rep: Reputation: 15
I'm trying to block all broadcast traffic, like you noted above, but I can not get it to work. This is what I have....

---cut from my iptable script---

iptables -t filter -A INPUT -i eth0 -p tcp \
-d 192.168.1.255 -j DROP

iptables -t filter -A INPUT -i eth0 -p udp \
-d 192.168.1.255 -j DROP

---the log from the iptable script---

Jan 13 00:22:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=139 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16231 DPT=162 LEN=119

Jan 13 00:23:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

Jan 13 00:23:27 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16530 DPT=162 LEN=125

Jan 13 00:23:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16703 DPT=162 LEN=125

Jan 13 00:24:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

and on and on and on.....


Any ideas???


Thanks, any helpful ideas would be greatly appreciated.
 
Old 01-14-2005, 09:58 PM   #9
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
Quote:
Originally posted by stakhous
I'm trying to block all broadcast traffic, like you noted above, but I can not get it to work. This is what I have....

---cut from my iptable script---

iptables -t filter -A INPUT -i eth0 -p tcp \
-d 192.168.1.255 -j DROP

iptables -t filter -A INPUT -i eth0 -p udp \
-d 192.168.1.255 -j DROP

---the log from the iptable script---

Jan 13 00:22:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=139 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16231 DPT=162 LEN=119

Jan 13 00:23:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

Jan 13 00:23:27 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16530 DPT=162 LEN=125

Jan 13 00:23:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16703 DPT=162 LEN=125

Jan 13 00:24:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

and on and on and on.....


Any ideas???


Thanks, any helpful ideas would be greatly appreciated.
Just taking a guess, but perhaps you have a rule earlier than that which is logging packets before those rules tell netfilter to drop the packets.

Give some of the rules before and after the rules you mention.

I also am unfamiliar with
Quote:
kernel: Spoofed packet:
entries. Perhaps you could show what kernel options your script is enabling/disabling.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
broadcast computer name on network? vdemuth Linux - Networking 5 11-10-2005 04:39 PM
IPTables and PPTPD :S (to block or not to block) thewonka Linux - Networking 0 03-24-2005 07:58 PM
blocking Network Broadcast using IPtables ! stakhous Linux - Security 3 01-18-2005 03:16 PM
/etc/network/interfaces broadcast problem nafai_anlashok Linux - Networking 2 04-26-2004 09:32 PM
how to broadcast tv over an ip network? andrewlkho Linux - General 5 08-10-2003 10:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:36 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration