* simply confusing
From: Ralph Churchill @ 2003-01-23 20:03 UTC (permalink / raw)
To: netfilter
I work at a large company and was having some fellow
employees regularly scanning my box... so I put up a
little firewall. Here's my one and only rule:
iptables -A INPUT --source 192.168.0.0/16 -j DROP
Now, shouldn't that block any and ALL traffic from any
computer on the 192.168.*.* subnet? Do I need to be
more explicit? I also have snort running and I see
some stuff getting through... Thanks.
RMC
* Re: simply confusing
From: Michael P. Soulier @ 2003-01-23 20:18 UTC (permalink / raw)
To: netfilter
On 23/01/03 Ralph Churchill did say:
> I work at a large company and was having some fellow
> employees regularly scanning my box... so I put up a
> little firewall. Here's my one and only rule:
>
> iptables -A INPUT --source 192.168.0.0/16 -j DROP
>
> Now, shouldn't that block any and ALL traffic from any
> computer on the 192.168.*.* subnet? Do I need to be
> more explicit? I also have snort running and I see
> some stuff getting through... Thanks.
You'll see it with a sniffer regardless. That's a good thing. If you
want to see what it's dropping, jump to a chain that logs it, and then
drops it.
Mike
--
Michael P. Soulier <michael_soulier@mitel.com>, 613-592-2122 x2522
SME Solutions, Mitel Networks Corporation
"...the word HACK is used as a verb to indicate a massive amount
of nerd-like effort." -Harley Hahn, A Student's Guide to Unix
* Re: simply confusing
From: Maciej Soltysiak @ 2003-01-23 20:24 UTC (permalink / raw)
To: Ralph Churchill; +Cc: netfilter
> iptables -A INPUT --source 192.168.0.0/16 -j DROP
>
> Now, shouldn't that block any and ALL traffic from any
> computer on the 192.168.*.* subnet?
Well, that is enough to block all packets from that subnet;
however, maybe you have other rules that accept traffic before
this rule.
Try -I INPUT to put it at the beginning of the chain.
Regards,
Maciej Soltysiak
* Re: simply confusing
From: Ralph Churchill @ 2003-01-23 20:40 UTC (permalink / raw)
To: Maciej Soltysiak; +Cc: netfilter
Well, I added a logging rule before that:
iptables -A INPUT --source 10.11.0.0/16 \
-j LOG --log-level info --log-prefix "iptables "
But whenever something gets through, it isn't being
logged either... If I do "iptables -L -v", then I see
that both rules (first the LOG, then the DROP) have
the same packet count.
I can try using "-I" instead, but I'd also like to
log, so how would I do that? Am I missing something
fundamental?
RMC
--- Maciej Soltysiak <solt@dns.toxicfilms.tv> wrote:
> > iptables -A INPUT --source 192.168.0.0/16 -j DROP
> >
> > Now, shouldn't that block any and ALL traffic from any
> > computer on the 192.168.*.* subnet?
> well that is enough to block all packets from that subnet,
> however, maybe you have other rules that accept traffic before
> this rule.
> try -I INPUT to put it at the beginning of the chain.
>
> Regards,
> Maciej Soltysiak
>
* RE: simply confusing
From: Rob Sterenborg @ 2003-01-23 21:41 UTC (permalink / raw)
To: netfilter
> Well, I added a logging rule before that:
>
> iptables -A INPUT --source 10.11.0.0/16 \
> -j LOG --log-level info --log-prefix "iptables "
>
> But whenever something gets through, it isn't being
> logged either... If I do "iptables -L -v", then I see
> that both rules (first the LOG, then the DROP) have
> the same packet count.
>
> I can try using "-I" instead, but I'd also like to
> log, so how would I do that? Am I missing something fundamental?
iptables -N log_drop
iptables -A log_drop -j LOG --log-level info --log-prefix "ipt:log_drop "
iptables -A log_drop -j DROP
iptables -I INPUT 1 -s 10.11.0.0/16 -j log_drop
What about this ?
Rob
* RE: simply confusing
From: Aldo S. Lagana @ 2003-01-23 20:31 UTC (permalink / raw)
To: 'Ralph Churchill', netfilter
That is a bit vague... For instance, if the clients' gateways are other
boxes/routers/firewalls, and your attacked client is on the same LAN as
the attackers, then your little firewall will do little to filter those
packets. What's your infrastructure? In other words, does your
'attacked' client reside on a separate NIC off the little firewall and
you are forwarding to it? If so, you need to filter on the FORWARD
chain, etc.
To make a sound and viable isolated network off of a firewall, it should
reside on its own NIC and the firewall will filter packets as they get
passed from NIC to NIC or network to network.
Check out the Iptables tutorial for more info:
http://iptables-tutorial.haringstad.com/iptables-tutorial.html
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
> Ralph Churchill
> Sent: Thursday, January 23, 2003 3:03 PM
> To: netfilter@lists.netfilter.org
> Subject: simply confusing
>
>
> I work at a large company and was having some fellow
> employees regularly scanning my box... so I put up a
> little firewall. Here's my one and only rule:
>
> iptables -A INPUT --source 192.168.0.0/16 -j DROP
>
> Now, shouldn't that block any and ALL traffic from any
> computer on the 192.168.*.* subnet? Do I need to be
> more explicit? I also have snort running and I see
> some stuff getting through... Thanks.
>
> RMC
>
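A shell example added here (not posted by anyone in the thread) that ties Rob's log_drop chain to Maciej's point about rule order and Aldo's point about the FORWARD chain: it emits the rules, and it checks a chain listing for an ACCEPT that sits ahead of the log_drop jump, which is exactly why both of Ralph's counters stayed equal. The -m limit match and the sample "iptables -S INPUT" listings are this example's own assumptions.

```shell
# Added example, not code from the thread: emit Rob's log_drop chain (also
# hooked into FORWARD, which forwarded traffic traverses instead of INPUT,
# Aldo's point) and check an existing INPUT chain for Maciej's ordering
# problem, where an earlier ACCEPT short-circuits the LOG and DROP rules.
# The limit match is this example's own addition, to keep a scan from
# flooding syslog. Pipe the emitted commands into sh as root to apply them.
emit_log_drop_rules() {
    subnet="$1"
    cat <<EOF
iptables -N log_drop
iptables -A log_drop -m limit --limit 5/min -j LOG --log-level info --log-prefix "ipt:log_drop "
iptables -A log_drop -j DROP
iptables -I INPUT 1 -s $subnet -j log_drop
iptables -I FORWARD 1 -s $subnet -j log_drop
EOF
}
# Read "iptables -S INPUT" output on stdin. Exit 0 if the jump to log_drop
# sits ahead of every ACCEPT rule, 1 otherwise: packets accepted earlier
# never reach log_drop, so its LOG and DROP counters stay equal and low.
check_log_drop_first() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            if (!acc && $0 ~ / -j ACCEPT$/)   acc = n
            if (!ld  && $0 ~ / -j log_drop$/) ld = n
        }
        END {
            if (!ld) { print "INPUT: no jump to log_drop"; exit 1 }
            if (acc && acc < ld) {
                print "INPUT: ACCEPT at rule " acc " is hit before log_drop at rule " ld
                exit 1
            }
            print "INPUT: log_drop jump at rule " ld " precedes every ACCEPT"
        }'
}
# Constructed samples of "iptables -S INPUT" output, not real captures.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.11.0.0/16 -j log_drop'
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -s 10.11.0.0/16 -j log_drop
-A INPUT -i lo -j ACCEPT'
for s in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    printf '%s\n' "$s" | check_log_drop_first \
        || echo "  fix: re-insert the jump at position 1 (iptables -I INPUT 1 ...)"
done
```

On a live box, run `iptables -S INPUT | check_log_drop_first` after loading the rules to confirm nothing accepts the subnet's packets before they reach log_drop.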