* SYN, ACK, ACK PSH packets getting dropped (?)
@ 2011-07-08 21:42 Sam Gandhi
2011-07-10 21:22 ` Andrew Beverley
From: Sam Gandhi @ 2011-07-08 21:42 UTC (permalink / raw)
To: netfilter
Hello,
I am trying to configure a small industrial device that has one Ethernet
interface ("internal") and another WLAN interface.
I have attached below the shell function I am using to configure the iptables
rules. I have included a rule $IPT -A OUTPUT -j LOG
--log-prefix "OU " at the bottom to log any packets that fall through
the OUTPUT chain. I see the following output; should I be
worried about this? How do I go about fixing this? If anyone wants,
please do provide any suggestions on improving these iptables rules
further. Basically what I want to do is accept DNS, NTP and COPS traffic
over the wlan0 interface and also allow NFS-booting the device over eth0.
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.12.0.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45948 DF PROTO=TCP SPT=42537 DPT=3288 WINDOW=5440 RES=0x00 SYN URGP=0
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19425 DF PROTO=TCP SPT=44375 DPT=3183 WINDOW=5440 RES=0x00 SYN URGP=0
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19426 DF PROTO=TCP SPT=44375 DPT=3183 WINDOW=2720 RES=0x00 ACK URGP=0
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=19427 DF PROTO=TCP SPT=44375 DPT=3183 WINDOW=2720 RES=0x00 ACK PSH URGP=0
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19428 DF PROTO=TCP SPT=44375 DPT=3183 WINDOW=2720 RES=0x00 ACK URGP=0
OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19429 DF PROTO=TCP SPT=44375 DPT=3183 WINDOW=2720 RES=0x00 ACK FIN URGP=0
IPT=/usr/sbin/firewall
# Function to echo 1 to each file given
enable ()
{
    for file in "$@"; do echo 1 > "$file"; done
}
# Function to echo 0 to each file given
disable ()
{
    for file in "$@"; do echo 0 > "$file"; done
}
firewall_start()
{
    # disable packet forwarding between interfaces
    disable /proc/sys/net/ipv4/ip_forward
    # ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
    enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # log packets with impossible addresses to kernel log
    enable /proc/sys/net/ipv4/conf/all/log_martians
    # disable logging of bogus responses to broadcast frames
    enable /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # do source validation by reversed path
    enable /proc/sys/net/ipv4/conf/all/rp_filter
    # don't send redirects
    disable /proc/sys/net/ipv4/conf/all/send_redirects
    # don't accept packets with SRR option
    disable /proc/sys/net/ipv4/conf/all/accept_source_route
    # disable source routed packets
    disable /proc/sys/net/ipv4/conf/*/accept_source_route
    # we don't allow pkt coming from one interface going out other interface
    enable /proc/sys/net/ipv4/conf/*/rp_filter

    $IPT -F
    $IPT -X
    $IPT -P OUTPUT ACCEPT
    # NFS_BOOT is set by the environment; treat unset as 0
    if [ "${NFS_BOOT:-0}" -eq 1 ]; then
        # portmapper
        $IPT -P INPUT ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --sport 111 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --sport 111 -j ACCEPT
        # NFS daemon ports
        $IPT -A INPUT -i eth0 -p tcp --sport 2049 -j ACCEPT
        $IPT -A INPUT -i eth0 -p udp --sport 2049 -j ACCEPT
        $IPT -A OUTPUT -o eth0 -p tcp --dport 2049 -j ACCEPT
        $IPT -A OUTPUT -o eth0 -p udp --dport 2049 -j ACCEPT
        # NFS mountd ports
        $IPT -A INPUT -i eth0 -p udp --sport 36371 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --sport 38103 -j ACCEPT
        # NFS status ports
        $IPT -A INPUT -i eth0 -p udp --sport 41291 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --sport 55364 -j ACCEPT
        # NFS lock manager ports
        $IPT -A INPUT -i eth0 -p udp --sport 50707 -j ACCEPT
        $IPT -A INPUT -i eth0 -p tcp --sport 59349 -j ACCEPT
    fi
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # ACCEPT everything on loopback
    $IPT -A INPUT --in-interface lo -j ACCEPT
    $IPT -A OUTPUT --out-interface lo -j ACCEPT
    # Drop spoofed packets, packets with local source IP address coming from outside.
    $IPT -A INPUT -i eth0 -s 192.168.137.1 -m recent --set -j DROP
    # Limit ping responses for brute force attack.
    $IPT -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
    # dictionary attacks on the SSH server port
    # Allow 3 connections from same source IP in 60 seconds.
    $IPT -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
    $IPT -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    # Allow ssh connection on port 22
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # protection on telnet
    $IPT -A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -m recent --set
    $IPT -A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    # allow telnet connection
    $IPT -A INPUT -p tcp --dport 23 -j ACCEPT
    # DNS rules; we should probably tighten this a bit more to a specific DNS server.
    $IPT -I INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
    # (source range was 1024:64435 in the post, an apparent typo for the full ephemeral range)
    $IPT -I OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
    $IPT -I OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
    # NTP client service: let it run only over the wan interface, not eth*
    #$IPT -A OUTPUT --out-interface wlan0 -p udp --dport 123 -j LOG --log-prefix "NTP output:"
    $IPT -A OUTPUT --out-interface wlan0 -p udp --dport 123 -j ACCEPT
    #$IPT -A INPUT --in-interface wlan0 -p udp --sport 123 -j LOG --log-prefix "NTP input: "
    $IPT -A INPUT --in-interface wlan0 -p udp --sport 123 -j ACCEPT
    # COPS ports: 3183 COPS/TLS, 3288 COPS
    $IPT -A INPUT -p tcp --sport 3183 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --sport 3288 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # log all the rest before dropping, just for debugging
    # Drop inbound NETBIOS packets and accept outbound syslog
    $IPT -A INPUT --in-interface=eth0 -p udp --sport 138 -j DROP
    $IPT -A INPUT -j LOG --log-prefix "IN "
    $IPT -A OUTPUT --out-interface=eth0 -p udp --dport 514 -j ACCEPT
    $IPT -A OUTPUT -j LOG --log-prefix "OU "
    $IPT -A FORWARD -j LOG --log-prefix "FW "
}
Regards,
-Sam
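As an added illustration (not part of the thread), a small Python model of the posted OUTPUT chain applied to the logged records: it groups the "OU " lines into 5-tuple flows, notes that each starts with a bare SYN leaving wlan0 (so the device itself opened the connection), and walks the chain's explicit ACCEPT rules, which cover only loopback, NFS on eth0, DNS, NTP and syslog. The two TCP connections to ports 3183 and 3288 match none of them, so they reach the LOG rule and are then accepted by the ACCEPT policy, i.e. logged, not dropped. It assumes NFS_BOOT=1 and uses the post's log lines abridged to the fields it reads.

```python
import re
# The "OU " records from the post, abridged (constructed sample; the kernel writes one line per record).
LOG_LINES = [
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.12.0.120 LEN=60 PROTO=TCP SPT=42537 DPT=3288 SYN URGP=0",
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=60 PROTO=TCP SPT=44375 DPT=3183 SYN URGP=0",
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 PROTO=TCP SPT=44375 DPT=3183 ACK URGP=0",
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=76 PROTO=TCP SPT=44375 DPT=3183 ACK PSH URGP=0",
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 PROTO=TCP SPT=44375 DPT=3183 ACK URGP=0",
    "OU IN= OUT=wlan0 SRC=10.50.3.108 DST=10.30.5.10 LEN=52 PROTO=TCP SPT=44375 DPT=3183 ACK FIN URGP=0",
]
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# OUTPUT-chain ACCEPT rules of the posted firewall_start() as (out-iface, proto, sport, dport); None = any,
# NFS_BOOT=1 assumed. Anything else falls to the trailing "OU " LOG rule and then the ACCEPT policy.
OUTPUT_ACCEPTS = [
    ("lo", None, None, None),
    ("eth0", "TCP", None, "2049"), ("eth0", "UDP", None, "2049"),
    (None, "UDP", None, "53"), (None, "UDP", "53", None),
    ("wlan0", "UDP", None, "123"), ("eth0", "UDP", None, "514"),
]

def parse_log_line(line):
    """Split one netfilter LOG record into its KEY=value fields plus the TCP flag words."""
    prefix, _, rest = line.partition(" IN=")
    rec = dict(KV.findall("IN=" + rest))
    rec["prefix"] = prefix.strip()
    rec["flags"] = " ".join(tok for tok in rest.split() if tok in TCP_FLAGS)
    return rec

def output_verdict(rec):
    """Walk the modelled OUTPUT chain for one locally generated packet."""
    actual = (rec.get("OUT"), rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"))
    for rule in OUTPUT_ACCEPTS:
        if all(want in (None, got) for want, got in zip(rule, actual)):
            return "ACCEPT by rule"
    return "LOG 'OU ' then ACCEPT by policy"

def analyse(lines):
    """Group records into 5-tuple flows; record flag sequence, who opened it and the verdict."""
    flows = {}
    for rec in map(parse_log_line, lines):
        key = (rec["PROTO"], rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"))
        flow = flows.setdefault(key, {"flags": [], "verdict": output_verdict(rec)})
        flow["flags"].append(rec["flags"])
        # A bare SYN with IN= empty is a connection this host itself opened.
        flow["opened_by"] = "this host" if flow["flags"][0] == "SYN" else "peer/unknown"
    return flows
```

Calling analyse(LOG_LINES) yields two flows, both opened by this host and both ending in the LOG rule, while output_verdict on an NTP datagram leaving wlan0 shows the explicit-rule path.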
* Re: SYN, ACK, ACK PSH packets getting dropped (?)
2011-07-08 21:42 SYN, ACK, ACK PSH packets getting dropped (?) Sam Gandhi
@ 2011-07-10 21:22 ` Andrew Beverley
From: Andrew Beverley @ 2011-07-10 21:22 UTC (permalink / raw)
To: Sam Gandhi; +Cc: netfilter
On Fri, 2011-07-08 at 14:42 -0700, Sam Gandhi wrote:
> Hello,
>
> I am trying to configure a small industrial device that has one Ethernet
> interface ("internal") and another WLAN interface.
>
> I have attached below the shell function I am using to configure the iptables
> rules. I have included a rule $IPT -A OUTPUT -j LOG
> --log-prefix "OU " at the bottom to log any packets that fall through
> the OUTPUT chain. I see the following output; should I be
> worried about this?
I suspect that they are packets related to NFS, in which case the answer
is yes, once you start dropping them.
> How do I go about fixing this? If anyone wants,
> please do provide any suggestions on improving these iptables rules
> further. Basically what I want to do is accept DNS, NTP and COPS traffic
> over the wlan0 interface and also allow NFS-booting the device over eth0.
NFS is a complicated protocol, and I personally have never been able to
get it properly filtered by iptables. So, unless you are paranoid about
your users on the internal network, I would just accept all INPUT
packets on eth0, and concentrate your filtering on the WLAN interface
(presumably the public-facing side?).
You might also want to check this out to help with NFS:
http://www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports/
Andy