* Iptables Block Netbios Broadcasts UDP 137-138
From: Real Cucumber @ 2004-11-23 20:51 UTC (permalink / raw)
To: netfilter
I cannot block LAN netbios broadcasts on a fedora core
2 Iptables box being used as an IDS.
It is therefore being 99% flooded with broadcasts.
I've tried:
iptables -A INPUT -p UDP --dport 137 -j DROP
iptables -A INPUT -p UDP --dport 137 -s 0/0 -j DROP
iptables -A INPUT -p UDP --dport 137 -s 192.168.0.0/24 -j DROP
Nothing prevents them from getting through.
Is there any way to do this?
If possible can someone email me direct at
realcucumber@hotmail.com
Thanks for any help in advance.
* Re: Iptables Block Netbios Broadcasts UDP 137-138
From: Aleksandar Milivojevic @ 2004-11-23 20:58 UTC (permalink / raw)
To: netfilter
Real Cucumber wrote:
> I cannot block LAN netbios broadcasts on a fedora core
> 2 Iptables box being used as an IDS.
If your IDS is reading directly from the network interface (like network
sniffers such as tcpdump or ethereal do), then it bypasses the firewall.
You'd need to configure your IDS software to ignore whatever you
consider "normal" traffic on your network. But be warned, the more you
ignore, the less you see.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Iptables Block Netbios Broadcasts UDP 137-138
From: Jason Opperisano @ 2004-11-23 21:01 UTC (permalink / raw)
To: netfilter; +Cc: monkcucumber
On Tue, Nov 23, 2004 at 12:51:38PM -0800, Real Cucumber wrote:
> I cannot block LAN netbios broadcasts on a fedora core
> 2 Iptables box being used as an IDS.
>
> It is therefore being 99% flooded with broadcasts.
>
> I've tried:
>
> iptables -A INPUT -p UDP --dport 137 -j DROP
> iptables -A INPUT -p UDP --dport 137 -s 0/0 -j DROP
> iptables -A INPUT -p UDP --dport 137 -s 192.168.0.0/24 -j DROP
>
> Nothing prevents them from getting through.
>
> Is there anyway to do this?
>
> If possible can someone email me direct at
> realcucumber@hotmail.com
>
> Thanks for any help in advance.
i actually like using:
iptables -I INPUT -m pkttype --pkt-type broadcast -j DROP
IDS software (like snort, for example) operates at the BPF layer, which
is below where netfilter hooks into the stack.
so it's unclear what you're really asking--if you're asking, "i installed
these iptables filter rules to block netbios, but my snort logs are still
full of netbios traffic" the answer is, no--netfilter can't stop that.
a BPF appended to the end of your snort command can filter them out
though:
snort $SNORT_CMD_OPTS not udp port '(137 or 138)'
or, more generically:
snort $SNORT_CMD_OPTS not dst host '(255.255.255.255 or 192.168.0.255)'
if instead--you are actually asking how to block these packets at layer
3--i would suppose you might have a rule before your rules above that
allows the packets.
-j
--
"Dear Baby, Welcome to Dumpsville. Population: You"
--The Simpsons
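Added example (not part of the thread, and not code from either poster): the two BPF expressions Jason gives are not equivalent, and Aleksandar's warning that "the more you ignore, the less you see" is exactly the difference between them. The Python below models both filters over constructed IPv4/UDP packets (the sample traffic is made up for the demo; the 192.168.0.255 local broadcast address is taken from the thread). The port filter hides every NetBIOS datagram, including a unicast name-service probe aimed at one host, which is the kind of packet an IDS on this segment should still see; the destination-based filter keeps that probe but also hides unrelated broadcasts such as DHCP. Headers are parsed by hand rather than through libpcap, so it needs no privileges and runs offline.

```python
import struct
import ipaddress

# Constructed sample traffic for the demo: none of this was captured from a
# real network. Checksums are left at zero because nothing is sent.

NETBIOS_PORTS = {137, 138}   # NetBIOS name service / datagram service
UDP = 17


def build_udp_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Return an IPv4 datagram (20-byte header, no options) carrying UDP."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 words
        0,               # DSCP/ECN
        20 + len(udp),   # total length
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        UDP,             # protocol
        0,               # header checksum (not computed)
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return ip_hdr + udp


def parse_ipv4_udp(pkt):
    """Pull out the fields the filters need, or None if this is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not IPv4 (e.g. ARP): out of scope here
    ihl = (pkt[0] & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "sport": None,
        "dport": None,
    }
    if info["proto"] == UDP and len(pkt) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def port_filter(info):
    """Model of BPF `not udp port (137 or 138)`: True means the IDS keeps it.
    `udp port N` matches either the source or the destination port."""
    if info["proto"] != UDP:
        return True
    return not ({info["sport"], info["dport"]} & NETBIOS_PORTS)


def broadcast_filter(info, local_bcast):
    """Model of BPF `not dst host (255.255.255.255 or <local_bcast>)`
    for IPv4 traffic only."""
    return info["dst"] not in {"255.255.255.255", local_bcast}


SAMPLE_TRAFFIC = [
    ("nbns broadcast name query",
     build_udp_packet("192.168.0.10", "192.168.0.255", 137, 137, b"\x01\x10\x00\x01")),
    ("browser datagram broadcast",
     build_udp_packet("192.168.0.20", "192.168.0.255", 138, 138, b"\x11")),
    # Unicast node-status request to a single host: what an nbtstat/nbtscan
    # style sweep looks like, and something an IDS usually wants to keep seeing.
    ("unicast nbns node-status probe",
     build_udp_packet("192.168.0.99", "192.168.0.5", 1025, 137, b"\x00\x21")),
    ("dhcp discover broadcast",
     build_udp_packet("0.0.0.0", "255.255.255.255", 68, 67, b"\x01")),
    ("unicast dns query",
     build_udp_packet("192.168.0.10", "192.168.0.1", 40000, 53, b"\x12\x34")),
]


def run_demo(local_bcast="192.168.0.255"):
    """Return, per filter, the labels of the sample packets the IDS would still see."""
    filters = {
        "port_filter": port_filter,
        "broadcast_filter": lambda info: broadcast_filter(info, local_bcast),
    }
    kept = {}
    for name, keep in filters.items():
        kept[name] = []
        for label, pkt in SAMPLE_TRAFFIC:
            info = parse_ipv4_udp(pkt)
            if info is not None and keep(info):
                kept[name].append(label)
    return kept


if __name__ == "__main__":
    for name, labels in run_demo().items():
        print(f"{name}: still visible -> {labels}")
```

Run it directly to see which sample packets survive each filter. The port filter leaves only the DHCP and DNS samples, so the unicast node-status probe is gone along with the broadcast noise; the destination filter leaves the probe and the DNS query but also drops the DHCP discover. The model only looks at IPv4, so whatever libpcap does with non-IP frames such as ARP under `dst host` is outside it; in practice the filter that matches the noise most narrowly (destination broadcast address plus port, combined) loses the least.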
* RE: Iptables Block Netbios Broadcasts UDP 137-138
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-11-23 21:50 UTC (permalink / raw)
To: netfilter
all
fyi/cya/etc...,
70.0.0.0/8 is no longer in IPv4 bogon address space.
!piranha!suspicious!org