LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-08-2006, 10:55 PM   #1
rickh
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
What does this line in iptables do?


I use Firestarter, and want to block communications from specific IPs to specific ports. In Firestarter there doesn't seem to be a way to block inputs, but you can block outputs by IP. Seemed to me that should work just as well. I told Firestarter to deny service to a specific IP on ports 6696-6699. iptables wound up looking (partially) like this:
Code:
...
Chain LSO (18 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LSO        tcp  --  68.209.140.97        0.0.0.0/0           tcp dpts:6696:6699
LSO        udp  --  68.209.140.97        0.0.0.0/0           udp dpts:6696:6699
...
Unfortunately, IP 68.209.140.97 is still able to connect via the identified ports. Exactly what is 'LSO' supposed to be doing?
 
Old 01-08-2006, 11:43 PM   #2
scuzzman
Distribution: Slackware, Kubuntu
I don't think LSO is a valid action... It's probably defined higher in the file.
 
Old 01-09-2006, 01:12 AM   #3
rickh
Original Poster
The only definition I can see is the CHAIN statement at the top of my quoted code. Looks to me like it should be REJECTing everything, but it's not. The only thing I can figure out is that perhaps, since I can't block the original INPUT communication, the link has become ESTABLISHED, but that doesn't really make sense either; else why does Firestarter give me the option to block outgoing communication by IP address? ... Or is that only outgoing communications initiated locally?
 
Old 01-09-2006, 02:34 AM   #4
fotoguy
Distribution: Custom Debian Live ISO's
LSO looks like it is a user-created chain, probably created by the Firestarter program. I would need to see the whole script that Firestarter creates to be certain.
 
Old 01-09-2006, 04:09 AM   #5
rickh
Original Poster
By 'whole script' Do you mean the entire output of iptables -L -n?
Code:
debian:~# iptables -L -n
Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6696:6699
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:6696:6699
LSI        all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  68.87.85.98          0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  68.87.85.98          0.0.0.0/0
ACCEPT     tcp  --  68.87.69.146         0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     udp  --  68.87.69.146         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       all  --  0.0.0.0/0            192.168.123.255
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'

Chain LOG_FILTER (5 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1026
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1026
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1027
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1027
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1025
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1025

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LSO (18 references)
target     prot opt source               destination
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LSO        tcp  --  68.209.140.97        0.0.0.0/0           tcp dpts:6696:6699
LSO        udp  --  68.209.140.97        0.0.0.0/0           udp dpts:6696:6699
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.123.151      68.87.85.98         tcp dpt:53
ACCEPT     udp  --  192.168.123.151      68.87.85.98         udp dpt:53
ACCEPT     tcp  --  192.168.123.151      68.87.69.146        tcp dpt:53
ACCEPT     udp  --  192.168.123.151      68.87.69.146        udp dpt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  224.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/8
DROP       all  --  255.255.255.255      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output'
debian:~#
 
Old 01-09-2006, 05:04 AM   #6
fotoguy
The script will be a text file, but I don't use Debian or Firestarter so I don't know where it would reside. Most distros will have it; usually it will be /etc/rc.d/rc.firewall, but a lot of distros are now moving the scripts around and changing their names. By the looks of it you also have an LSI as well as an LSO; I would say that LSI would be the INPUT and LSO the OUTPUT chain perhaps, but it does look like a chain created by Firestarter.
 
Old 01-09-2006, 07:01 PM   #7
rickh
Original Poster
Quote:
The script will be a text file, ...
By the time I studied enough to figure out where that script was, I got a couple of ideas about different ways to handle this situation through the GUI, but it still looks to me like denying service on the output side should stop the connection. It doesn't, though. Anyway, I'll try my new ideas tonight.

I didn't include the entire script here. It's pretty long, but here is the definition of LSI & LSO:
Code:
# Create a new log and stop input (LSI) chain.
$IPT -N LSI 2> /dev/null
$IPT -F LSI
$IPT -A LSI -j LOG_FILTER
if [ "$log_supported" ]; then
        # Syn-flood protection
        $IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p tcp --syn -j $STOP_TARGET
        # Rapid portscan protection
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j $STOP_TARGET
        # Ping of death protection
        $IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p icmp --icmp-type echo-request -j $STOP_TARGET
        # Log everything
        $IPT -A LSI -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
fi
$IPT -A LSI -j $STOP_TARGET # Terminate evaluation

# Create a new log and stop output (LSO) chain.
$IPT -N LSO 2> /dev/null
$IPT -F LSO
$IPT -A LSO -j LOG_FILTER
if [ "$log_supported" ]; then
        # Log everything
        $IPT -A LSO -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Outbound "
fi
$IPT -A LSO -j REJECT # Terminate evaluation

Last edited by rickh; 01-09-2006 at 07:05 PM.
 
Old 01-09-2006, 07:27 PM   #8
Capt_Caveman
Distribution: Fedora
Looking at the rules you posted, you have ports 6696:6699 accepted by the INBOUND chain here:
Code:
Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6696:6699
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:6696:6699
LSI        all  --  0.0.0.0/0            0.0.0.0/0
And you're blocking outgoing traffic to that IP:
Code:
 
Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LSO        tcp  --  68.209.140.97        0.0.0.0/0           tcp dpts:6696:6699
LSO        udp  --  68.209.140.97        0.0.0.0/0           udp dpts:6696:6699
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Which sends them to LSO where the packets get rejected. Though this would get trumped by the ESTABLISHED,RELATED rule if they initiate the connection. So you're allowing incoming connections but blocking outgoing ones. It sounds like you have this backwards...
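Added example (editor's, not from the thread and not Firestarter's code): a small Python model of how netfilter walks the chains listed in post #5, reduced to the rules that actually decide the verdict for a connection from 68.209.140.97 to port 6697. It makes two things visible that the `iptables -L -n` listing hides. First, the two `LSO` rules in OUTBOUND are keyed on *source* address 68.209.140.97, but OUTPUT only ever sees locally generated packets, whose source is this host, and the replies to a connection the remote side opened are accepted anyway by the `state RELATED,ESTABLISHED` rules that sit ahead of them. Those rules therefore never fire for this traffic, which is why the host still gets in. Second, the only place a per-host block can take effect is on the INPUT side, ahead of the INBOUND rule that accepts 6696:6699 from anyone. Assumptions, also marked in the code: the bare `ACCEPT all` at the top of INPUT and OUTPUT is treated as Firestarter's loopback rule (`iptables -L -n` does not display `-i`/`-o` matches; `iptables -L -n -v` or `iptables-save` does); the local address 192.168.123.151 is taken from the DNS rules in OUTPUT; the client port 40123 and the second host 10.1.2.3 are constructed; and the fix is modelled as `iptables -I INPUT -s 68.209.140.97 -p tcp --dport 6696:6699 -j DROP` plus its udp twin, which with Firestarter would go in its user-pre hook file if your version provides one.

```python
"""Model of how netfilter walks the filter chains in the posted ruleset.

Added example for this thread; not Firestarter's code, touches no kernel.
Addresses, ports and chain layout are copied from the `iptables -L -n`
output in post #5, trimmed to the rules that decide the verdict (the LOG
targets, the multicast/broadcast DROPs and LOG_FILTER never match these
packets).  ASSUMPTION: the bare `ACCEPT all` at the top of INPUT and
OUTPUT is Firestarter's loopback rule (-i lo / -o lo), which `-L -n`
does not display; it is modelled as interface-bound here.
"""
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
EST = frozenset({"ESTABLISHED", "RELATED"})
BAD_HOST = "68.209.140.97"           # the host the OP wants to keep out
ME = "192.168.123.151"               # local address, from the DNS rules in OUTPUT


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str            # conntrack's view: NEW / ESTABLISHED / RELATED / INVALID
    iface: str = "eth0"   # ASSUMED external interface name


@dataclass
class Rule:
    target: str                          # ACCEPT/DROP/REJECT or a user chain
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[tuple] = None       # (low, high), inclusive: --dport low:high
    states: Optional[frozenset] = None   # -m state --state ...
    iface: Optional[str] = None          # -i / -o

    def matches(self, p: Packet) -> bool:
        # Only the address spellings the listing uses: one host or 0.0.0.0/0.
        return (self.proto in ("all", p.proto)
                and self.src in ("0.0.0.0/0", p.src)
                and self.dst in ("0.0.0.0/0", p.dst)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.states is None or p.state in self.states)
                and (self.iface is None or self.iface == p.iface))


POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # built-in chains; user chains RETURN


def firestarter_chains() -> dict:
    """The posted ruleset, trimmed; lists are in rule order."""
    return {
        "INPUT":    [Rule("ACCEPT", iface="lo"),                 # assumed -i lo
                     Rule("DROP", states=frozenset({"INVALID"})),
                     Rule("INBOUND")],
        "INBOUND":  [Rule("ACCEPT", "tcp", states=EST),
                     Rule("ACCEPT", "udp", states=EST),
                     Rule("ACCEPT", "tcp", dports=(6696, 6699)), # open to everyone
                     Rule("ACCEPT", "udp", dports=(6696, 6699)),
                     Rule("LSI")],
        "LSI":      [Rule("DROP")],                              # log-and-stop input
        "OUTPUT":   [Rule("ACCEPT", iface="lo"),                 # assumed -o lo
                     Rule("DROP", states=frozenset({"INVALID"})),
                     Rule("OUTBOUND")],
        "OUTBOUND": [Rule("ACCEPT", "tcp", states=EST),          # replies pass here
                     Rule("ACCEPT", "udp", states=EST),
                     # What Firestarter generated for "deny service to host":
                     # it matches on *source*, but in OUTPUT the source is
                     # always this host, so these two rules are dead.
                     Rule("LSO", "tcp", src=BAD_HOST, dports=(6696, 6699)),
                     Rule("LSO", "udp", src=BAD_HOST, dports=(6696, 6699)),
                     Rule("ACCEPT")],
        "LSO":      [Rule("REJECT")],                            # log-and-stop output
    }


def walk(chains: dict, chain: str, p: Packet) -> Optional[str]:
    """First matching rule wins; a user-chain target recurses, and falling
    off the end of a user chain is an implicit RETURN to the caller."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.target in TERMINAL:
            return r.target
        verdict = walk(chains, r.target, p)
        if verdict is not None:
            return verdict
    return POLICY.get(chain)           # None == RETURN for a user chain


def with_input_block(chains: dict, host: str) -> dict:
    """ASSUMED fix: iptables -I INPUT -s <host> -p tcp --dport 6696:6699 -j DROP
    (and the udp twin), i.e. a block on the INPUT side, placed ahead of the
    INBOUND rule that accepts those ports from anyone."""
    fixed = {name: list(rules) for name, rules in chains.items()}
    fixed["INPUT"][0:0] = [Rule("DROP", "tcp", src=host, dports=(6696, 6699)),
                           Rule("DROP", "udp", src=host, dports=(6696, 6699))]
    return fixed


# The connection 68.209.140.97 opens to port 6697, as conntrack sees it.
SYN_IN = Packet("tcp", BAD_HOST, ME, 6697, "NEW")
REPLY_OUT = Packet("tcp", ME, BAD_HOST, 40123, "ESTABLISHED")   # 40123: constructed client port


def verdicts(chains: dict) -> tuple:
    """(verdict for the inbound SYN, verdict for our reply to it)."""
    return (walk(chains, "INPUT", SYN_IN), walk(chains, "OUTPUT", REPLY_OUT))


def lso_ever_matches(chains: dict, p: Packet) -> bool:
    """Would either OUTBOUND -> LSO rule match this outgoing packet?"""
    return any(r.matches(p) for r in chains["OUTBOUND"] if r.target == "LSO")


if __name__ == "__main__":
    orig = firestarter_chains()
    print("original  :", verdicts(orig), "LSO hit:", lso_ever_matches(orig, REPLY_OUT))
    fixed = with_input_block(orig, BAD_HOST)
    print("with fix  :", verdicts(fixed))
    print("other host:", walk(fixed, "INPUT", Packet("tcp", "10.1.2.3", ME, 6697, "NEW")))
```

Run it as a script to print the verdicts. `walk()` implements first-match-wins with an implicit RETURN at the end of a user chain, which is also why LSO's REJECT would end evaluation if it were ever reached; here it never is, because the packets that belong to the remote host's connection are accepted by the `ESTABLISHED` rule before they reach it, and even a brand-new outbound packet to that host cannot match a rule written with `-s 68.209.140.97`.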
 
Old 01-09-2006, 07:35 PM   #9
rickh
Original Poster
I think you're right. The problem is that Firestarter's GUI does not have such a blocking option for incoming packets. I want most people to have access to those ports, but NOT specific IPs. The GUI does have an option, also on the outgoing rules screen, to deny ANY connections to a given host IP. That's what I'm going to test later tonight.
 
  

