Not able to block Network Broadcast using IPTABLES !

aronnok · 01-10-2005, 09:46 AM

Hi all,
I am using RH linux 9.0. Recently my office network is being flooded through windows workstations Network Broadcasts. I have tried all possible ways ( as far i know

) to block this kinda Network Broadcast traffic. I'm not even able to block the 1025 tcp port ( Network Blackjack ).

these are my rules used to block those nasty traffic.

$IPTABLES -I INPUT -p udp -s 0/0 --dport 137 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 137 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 137 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 137 -j DROP

$IPTABLES -I INPUT -p udp -s 0/0 --dport 138 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 138 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 138 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 138 -j DROP

$IPTABLES -I INPUT -p udp -s 0/0 --dport 139 -j DROP
$IPTABLES -I INPUT -p udp -s 0/0 --sport 139 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --dport 139 -j DROP
$IPTABLES -I INPUT -p tcp -s 0/0 --sport 139 -j DROP

$IPTABLES -I INPUT -p udp -s 0/0 --dport 1025 -j DROP

But before this configuration, i have used the following ( summarized )......
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

Can anybody help me? i'm really in deep trouble.....
Thanx in advance.

Capt_Caveman · 01-10-2005, 10:24 AM

Could you explain what you're trying to block in a bit more detail? Specifically, are you trying to block the netbios traffic from reaching the linux box itself or is the linux box acting as a gatweway/router and you want to filter it from passing in and out of the LAN. Also where is the NetBIOS traffic originating, on the LAN or remotely?

It also might help if you posted your entire script (remove any public IP addresses first), so that we can see all the rules in context.

deoren · 01-10-2005, 10:28 AM

Here is one of my rules to only log traffic that is not sent directly to the ip address of the system, along with limiting the rate of such logging.

Code:

    # Log packets directed directly at the external interface ip address only.
    # Otherwise the logs are flooded with broadcasts
    iptables -t filter -A INPUT  -i $EXTERNAL_INTERFACE \
             -d $EXTERNAL_INTERFACE_ADDRESS \
             -m limit --limit $LOGGING_LIMIT --limit-burst $LOGGING_LIMIT_BURST \
             -j ULOG --ulog-prefix "filter-EXT-IF_INPUT_$FILTER_INPUT_POLICY:"

Modified to suit your needs, it will look like this (drop rules instead of log rule):

Code:

# Drop NetBIOS packets - tcp
    iptables -t filter -A INPUT  -i $NETWORK_INTERFACE -p tcp \
             -d 0/0  \
             -m multiport --dports 135,137,139,445\
             -j DROP

Code:

# Drop NetBIOS packets - udp
    iptables -t filter -A INPUT  -i $NETWORK_INTERFACE -p udp \
             -d 0/0  \
             -m multiport --dports 135,137,138,445\
             -j DROP

I got the port numbers and whether they were UDP or TCP from: http://www.javvin.com/protocolTCPUDPport.html

I learned how to write the rules from: http://www.linux-firewall-tools.com/linux/book/

The book is well worth buying, and can be found at Half.com or Amazon.com MarketPlace for good values. It's well worth reading.

P.S.

Replace $NETWORK_INTERFACE with your interface. i.e., eth0 or whatever your ethernet interface is.

deoren · 01-10-2005, 10:35 AM

Those rules I listed will block ALL NetBIOS traffic to your system. If you only want to block BROADCAST traffic, replace

Quote:

-d 0/0

with

Quote:

-d $NETWORK_BROADCAST_MASK

where -d $NETWORK_BROADCAST_MASK is your network broadcast mask.

Example:
for 192.168.1.0 network with no subnets: 192.168.1.255
for 172.16.0.0 network with no subnets: 172.16.255.255

aronnok · 01-10-2005, 10:52 PM

Thanx all for reply.

Quote:

are you trying to block the netbios traffic from reaching the linux box itself or is the linux box acting as
a gatweway/router and you want to filter it from passing in and out of the LAN. Also where is the NetBIOS traffic
originating, on the LAN or remotely?

Acctually i am trying to block them on both way. if its possible to block them before reaching my server switch,
it would be better. but for more assurance, i want to filter and reject the NetBIOS and broadcast data from my
gateway.
Acctually my office is an ISP. i have an internal LAN. it originates a huge Broadcast traffic. and this LAN switch
is connected with my ISP's main radio switch. so, when a lot of Network broadcast comes from my LAN, it simply
jamm my ISP network.
And the Sensitive fact is, most of my clients are Bank. they are to sensitive to be disconnected for a moment. they
uses a software named REUTER. when my lan become a jamm one, they usually get disconnected from that
software.

here is my script :

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.73
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIF="eth0"
INTIF1="eth1"
INTIF2="eth2"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF1"
echo " Second Internal Interface: $INTIF2"

echo -en " loading modules: "

$DEPMOD -a

echo "----------------------------------------------------------------------"

echo -en "ip_tables, "
$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp

echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp

echo -e "ip_nat_irc"
$INSMOD ip_nat_irc

echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

################
#
#MICROSOFT DS BLOCKING RULES
#
###############

echo " blocking MICROSOFT DS ..... "

$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 445 -j DROP

$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP

$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 445 -j DROP

$IPTABLES -I INPUT -i $EXTIF -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p udp -m udp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF1 -p udp -m udp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p tcp -m tcp --dport 1025 -j DROP
$IPTABLES -I INPUT -i $INTIF2 -p udp -m udp --dport 1025 -j DROP

#$IPTABLES -I OUTPUT -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $EXTIF -p udp -m udp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF1 -p udp -m udp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p tcp -m tcp --dport 445 -j DROP
#$IPTABLES -I OUTPUT -i $INTIF2 -p udp -m udp --dport 445 -j DROP
echo " Done blocking MICROSOFT DS ..... "

echo " .............loading dataedge modules"
$IPTABLES -A INPUT --protocol tcp --dport 10000 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 19638 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 1080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 6667 -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to xx.xx.xx.xx

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

thanx again for the reply.

deoren · 01-11-2005, 08:28 AM

It looks like you have a lot of redundant rules.

This for instance:

Quote:

$IPTABLES -I FORWARD -i $EXTIF -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $EXTIF -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF1 -p udp -m udp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -i $INTIF2 -p udp -m udp --dport 135:139 -j DROP

Could be rewritten as:

Quote:

$IPTABLES -I FORWARD -p tcp -m tcp --dport 135:139 -j DROP
$IPTABLES -I FORWARD -p udp -m udp --dport 135:139 -j DROP

By not specifying an interface, it will not allow the forwarding of any of those ports across ANY interface. Those rules are not entirely correct however, as port 138 is udp only and port 139 is tcp only.

But they'll suffice if you want to do it the way you're doing it.

This is also redundant:

Quote:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

Something like this would suffice just as well:

Quote:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want to keep state in all directions, then you could do this:

Quote:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

By not specifying one of those rules for each interface it cuts down on the time it takes to match packets, and will speed up "the pipe" on busy networks. With state matching however, your router/firewall will need to have enough free memory to deal with matching state. I haven't had a problem yet, but the sources of information I've read have had that warning and I'm just passing it on.

I also notice you're matching interfaces on many of your rules, which leads to redundant rules. For port forwarding you'll want to specify interfaces to enhance security, but for dropping all of a certain type of packet, specify direction and not interface to match on all interfaces.

This also can be simplified (by writing it as one rule):

Quote:

$IPTABLES -A INPUT --protocol tcp --dport 10000 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 19638 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 1080 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --dport 6667 -j ACCEPT

Here is the compacted version:

Quote:

iptables -t filter -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
-s $INTERNAL_NETWORK --sport $UNPRIVPORTS \
-d 0/0 -m multiport --dports 80,443,21,25,10000,19638,110,8080,113,1080,6667\
-m state --state NEW \
-j ACCEPT

Good luck with your rules.

aronnok · 01-13-2005, 02:27 AM

thanx to everybody.
its helping me now. i have modified my firewall script. but the prob is, my core noc network is accessing web and everything. my corporate office is like one of my client. for office purpose, i use MDaemon. this MDaemon Server has a private ip : 192.168.1.100. this server is behind my core noc network. so, everyone from my noc is able to access the mail. but on the other hand, my corporate office isn't able to access MDaemon mail.

for noc LAN, i have a small linux gateway. 2 NICs
eth0 : 192.168.1.169
eth1 : 192.168.1.253

NOC is connected with eth1. eth0 is connected with RADIO switch. and our corporate office terminated on the same RADIO switch. both office uses same blocks IP 192.168.1.0....

wht to be done??
thanx

stakhous · 01-14-2005, 02:51 PM

I'm trying to block all broadcast traffic, like you noted above, but I can not get it to work. This is what I have....

---cut from my iptable script---

iptables -t filter -A INPUT -i eth0 -p tcp \
-d 192.168.1.255 -j DROP

iptables -t filter -A INPUT -i eth0 -p udp \
-d 192.168.1.255 -j DROP

---the log from the iptable script---

Jan 13 00:22:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=139 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16231 DPT=162 LEN=119

Jan 13 00:23:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

Jan 13 00:23:27 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16530 DPT=162 LEN=125

Jan 13 00:23:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16703 DPT=162 LEN=125

Jan 13 00:24:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

and on and on and on.....

Any ideas???

Thanks, any helpful ideas would be greatly appreciated.

deoren · 01-14-2005, 08:58 PM

Quote:

Originally posted by stakhous
I'm trying to block all broadcast traffic, like you noted above, but I can not get it to work. This is what I have....

---cut from my iptable script---

iptables -t filter -A INPUT -i eth0 -p tcp \
-d 192.168.1.255 -j DROP

iptables -t filter -A INPUT -i eth0 -p udp \
-d 192.168.1.255 -j DROP

---the log from the iptable script---

Jan 13 00:22:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=139 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16231 DPT=162 LEN=119

Jan 13 00:23:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

Jan 13 00:23:27 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16530 DPT=162 LEN=125

Jan 13 00:23:46 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:c4:4a:cb:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=145 TOS=0x00 PREC=0x00 TTL=150 ID=0 PROTO=UDP SPT=16703 DPT=162 LEN=125

Jan 13 00:24:06 localhost kernel: Spoofed packet: IN=eth0 OUT= MAC= SRC=192.168.1.107 DST=192.168.1.255 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32

and on and on and on.....

Any ideas???

Thanks, any helpful ideas would be greatly appreciated.

Just taking a guess, but perhaps you have a rule earlier than that which is logging packets before those rules tell netfilter to drop the packets.

Give some of the rules before and after the rules you mention.

I also am unfamiliar with

Quote:

kernel: Spoofed packet:

entries. Perhaps you could show what kernel options your script is enabling/disabling.