Iptables - attack - please help



I have a Linux firewall (iptables) protecting a Windows network. My
network was slow so I tried to look at the netstats of my firewall

unix  3      [ ]         STREAM     CONNECTED     4580
unix  3      [ ]         STREAM     CONNECTED     4578
unix  3      [ ]         STREAM     CONNECTED     4577
unix  3      [ ]         STREAM     CONNECTED     4574
unix  3      [ ]         STREAM     CONNECTED     4573
unix  3      [ ]         STREAM     CONNECTED     4566
unix  3      [ ]         STREAM     CONNECTED     4565
unix  3      [ ]         STREAM     CONNECTED     4560   /tmp/.X11-.
unix  3      [ ]         STREAM     CONNECTED     3772
unix  4      [ ]         STREAM     CONNECTED     3778

    26266 total packets received
    16277 forwarded
    0 incoming packets discarded
    9776 incoming packets delivered
    22408 requests sent out
    0 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    2 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 2
    36 active connections openings
    11 passive connection openings
    0 failed connection attempts
    0 connection resets received
    1 connections established
    8806 segments received
    6026 segments send out
    4 segments retransmited
    0 bad segments received.
    4 resets sent
    103 packets received
    0 packets to unknown port received.
    0 packet receive errors
    103 packets sent

These connections keep increasing the longer my firewall is up. Last
time I checked the amount of data going out of my network was more
than coming in.

These are some of the rules I am using.

# $external and $internal are the interface names; they are assumed to be
# set earlier in the script (not shown in the post)
echo 'specific rule set'
iptables -N specific-rule-set

#Syn-flood protection. RETURN returns control to previous rule chain
iptables -N syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#Furtive port scanner
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP
#attach timeouts above to rule-set
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan

#AUTH Server Reject ident probes with a tcp reset. Some mail-servers
#won't accept mail if an ident probe is dropped instead of rejected
iptables -A specific-rule-set -i $external -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A specific-rule-set -i $external -p tcp --dport smtp -j DROP
iptables -A specific-rule-set -i $external -p udp --dport smtp -j DROP
iptables -A specific-rule-set -i $external -p tcp --dport ssh -j ACCEPT
iptables -A specific-rule-set -i $external -p udp --dport ssh -j ACCEPT
iptables -A specific-rule-set -i $external -p tcp --dport www -j DROP
iptables -A specific-rule-set -i $external -p udp --dport www -j DROP
iptables -A specific-rule-set -i $external -p tcp --dport imap -j DROP
iptables -A specific-rule-set -i $external -p udp --dport imap -j DROP
iptables -A specific-rule-set -i $external -p tcp --dport pop3 -j DROP
iptables -A specific-rule-set -i $external -p udp --dport pop3 -j DROP
#iptables -A specific-rule-set -i $external -p tcp --dport imaps -j
iptables -A specific-rule-set -i $internal -p udp --dport 4396 -j DROP
iptables -A specific-rule-set -i $internal -p tcp --dport 4396 -j DROP
iptables -A specific-rule-set -o $external -p udp --dport 4396 -j DROP
iptables -A specific-rule-set -o $external -p tcp --dport 4396 -j DROP

iptables -A specific-rule-set -i $internal -p udp --dport 1024:65535 -j
iptables -A specific-rule-set -i $internal -p tcp --dport 1024:65535 -j
iptables -A specific-rule-set -o $external -p udp --dport 1024:65535 -j
iptables -A specific-rule-set -o $external -p tcp --dport 1024:65535 -j

I am scanning my computer with F-Prot virus scan. I am a newbie. Please


Re: Iptables - attack - please help


These are connections your firewall is making to itself but in a manner
that is far more efficient than TCP/UDP.  Ignore them, it's harmless...

Could be a trojan/worm scanning which is then killing your network due to
your bizarre firewall rules...

'Some'?  Why not _all_, really makes our lives easier to look for the problem
if we have all the information :(

Erm....you know the moment your network is infected with a trojan/worm your
firewall will not protect you and it wipes out the Internet connection for
everyone else.  It's easy to come across port scanning algorithms that go at
400 hosts per second; if you are limiting to one a second, the trojan will
soak up all the available 'syn's and no-one gets any service.

You need to dump/scrap/burn your firewall ruleset I am afraid.  Two reasons:
one, you are one of those ghastly evil people who insist on using the 'DROP'
action rather than the 'REJECT' one[1]; you might think it makes you more
secure but it does not, and when it comes to diagnostics[2] it makes your life

You need to flip the rules on their head and start off with a firewall (this
is after all the first golden rule of firewall administration) that is a 100%
blocked network, nothing is to go through.  Then as people complain that
things do not work you poke holes in your firewall for them.  If you want to
make use of a 'limit' rule you _only_ apply it to the *valid* traffic;
otherwise if some malicious software fires up then you want it contained
without affecting anyone else.

When it comes to whitelisting be brutal and unforgiving.  If someone needs
SMTP permission do *not* whitelist port 25, whitelist port 25 to a particular
IP and nowhere else.  A lot of trojans/viruses will mail directly to the
destination without using the local SMTP server; this is a way to stop them
dead in their tracks and also a vector to get your firewall to email you to
tell you something is infected on your network.

I have uploaded to my website[3] a copy of the firewall ruleset I configured
for my family's Internet connection back at home which has to be
gaming/younger brother safe, so it should be a good starting point for you.
Hopefully it's good; when my friends have used it as a template they have
found themselves poking more holes in it rather than closing them up, so it
should be safe, but if anyone finds a problem I would like to hear :

Today would be a good day to start learning how to use ethereal/tcpdump[4] to
munch on packets directly so you can see what is going through your Internet
connection and also what a random application does to try to use the Internet
if you are forced to unblock an app with no information available online
about it.



[1] http://support.metronet.co.uk/security/dubious-firewall-techniques.xhtml1
[2] even in your example, all your client machines are probably seeing is
    a stalled Internet connection with no error messages other than
    'timed out'.  If you used REJECT then the machines would be saying
    connection refused which, if it occurred when trying to access, say,
    google.com, then you know it's your firewall at fault.
[3] http://www.digriz.org.uk/active to be used with iptables-restore
[4] http://www.ethereal.com/
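The ruleset the reply above argues for (default deny, REJECT rather than DROP, the rate limit applied only to traffic that is meant to be accepted, and SMTP whitelisted to one host with a LOG rule so the firewall can tell you which LAN machine is mailing directly) is shown here as an added example. It is not the replier's ruleset from digriz.org.uk and not the original poster's script. Interface names, the LAN range and the mail relay address are assumptions; the kernel log lines at the bottom are constructed to show what the LOG rule produces and how to summarise it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (constructed):
EXTERNAL="eth0"              # assumption: Internet-facing interface
INTERNAL="eth1"              # assumption: LAN-facing interface
LAN="192.168.1.0/24"         # assumption: private LAN range
MAIL_RELAY="192.168.1.10"    # assumption: the only host allowed to send SMTP

# Print a default-deny ruleset in iptables-restore format.
# Apply (as root, not done here) with:  gen_ruleset | iptables-restore
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
:smtp-out - [0:0]
# Replies to connections we already allowed need no further checks
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# syn-flood: only reached by traffic we intend to accept. RETURN hands the
# packet back to the calling chain; SYNs over the limit are refused.
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j REJECT --reject-with tcp-reset
# Hole 1: SSH to the firewall from outside, rate-limited
-A INPUT -i $EXTERNAL -p tcp --dport 22 --syn -j syn-flood
-A INPUT -i $EXTERNAL -p tcp --dport 22 -j ACCEPT
# Hole 2: outbound SMTP only from the mail relay. Any other LAN host
# opening port 25 directly is logged (tagged for the report below) and refused.
-A smtp-out -s $MAIL_RELAY -j ACCEPT
-A smtp-out -m limit --limit 6/min -j LOG --log-prefix "SMTP-DIRECT: "
-A smtp-out -j REJECT --reject-with tcp-reset
-A FORWARD -i $INTERNAL -o $EXTERNAL -p tcp --dport 25 --syn -j smtp-out
# Hole 3: web and DNS out from the LAN
-A FORWARD -i $INTERNAL -o $EXTERNAL -s $LAN -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $INTERNAL -o $EXTERNAL -s $LAN -p udp --dport 53 -j ACCEPT
# Everything else: REJECT, so clients get "connection refused" instead of a hang
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample of what the LOG rule above writes to the kernel log
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: SMTP-DIRECT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=25 SYN
Jan 10 12:00:01 fw kernel: SMTP-DIRECT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 PROTO=TCP SPT=1035 DPT=25 SYN
Jan 10 12:00:02 fw kernel: SMTP-DIRECT: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=203.0.113.77 PROTO=TCP SPT=2201 DPT=25 SYN
Jan 10 12:00:03 fw kernel: OTHER: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=1100 DPT=80 SYN'

# Read log text on stdin; print "count host" for each LAN host that tried
# direct SMTP, busiest first. Feed this to mail(1) from cron for the
# "firewall emails you" idea in the reply.
smtp_offenders() {
    grep 'SMTP-DIRECT:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Stand-alone run: show the generated ruleset, then the report on the sample
gen_ruleset
printf '%s\n' "$SAMPLE_LOG" | smtp_offenders
```

The rate limit sits inside the SSH hole only, so a worm scanning from the LAN never competes with legitimate users for the limit budget, and the two final REJECT rules mean the DROP policies are never actually reached.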


Re: Iptables - attack - please help

Alexander Clouter wrote:


The netfilter group recommend against using hostnames in rules.  They
suggest using only IP addresses.
