* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
@ 2004-07-29 12:10 ` Victor Julien
2004-07-29 12:40 ` david
2004-07-29 12:18 ` Alejandro Flores
` (4 subsequent siblings)
5 siblings, 1 reply; 15+ messages in thread
From: Victor Julien @ 2004-07-29 12:10 UTC (permalink / raw)
To: netfilter; +Cc: david
Try #iptables -I INPUT 1 -s 202.145.10.146 -j DROP
It will insert the rule at the top of the ruleset, so it matches first.
Regards,
Victor
On Thursday 29 July 2004 14:14, david wrote:
> Dear all,
>
> My mail server received so many virus mails from IP 202.145.10.147, and
> after I looked at the gateway (Linux) using iptraf I saw so much traffic
> from 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
>
> but I still receive all traffic from 202.145.10.146......
> Can anybody help me ........... that IP sends viruses into the mail server at more
> than 20 mails per minute.......
>
>
> Regards,
> David Kandou
>
> Help me ... I am so confused
>
> FYI:
> I am using RedHat 9
> eth0 --> public IP
> eth1 --> local IP
> mail server --> local IP
* Re: Blocking IP
2004-07-29 12:10 ` Victor Julien
@ 2004-07-29 12:40 ` david
2004-07-29 13:29 ` Victor Julien
2004-07-29 13:42 ` Les Mikesell
0 siblings, 2 replies; 15+ messages in thread
From: david @ 2004-07-29 12:40 UTC (permalink / raw)
To: netfilter
Dear Victor,
I still receive traffic from that IP.......
IPTABLES Rules
#iptables -I INPUT 1 -s 202.145.10.147 -j DROP
IPTRAF Monitoring
??202.145.10.147:1668 =
31 19815 DONE eth0 ?
??202.46.146.164:25 =
33 1485 CLOSED eth0 ?
??206.190.39.164:8
I tried:
#iptables -I INPUT 1 -s 202.145.10.147 -j LOG
after that the IP shows again:
#iptables -L -nvx
Chain INPUT (policy ACCEPT 1532113 packets, 168017560 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 202.145.10.174 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP all -- * * 202.145.10.174 0.0.0.0/0
Chain FORWARD (policy ACCEPT 8470318 packets, 3950493169 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2106115 packets, 361037890 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Lokkit-0-50-INPUT (0 references)
pkts bytes target prot opt in out source destination
Thanks
David
----- Original Message -----
From: "Victor Julien" <victor@nk.nl>
To: <netfilter@lists.netfilter.org>
Cc: "david" <david@suarapembaruan.co.id>
Sent: Thursday, July 29, 2004 7:10 PM
Subject: Re: Blocking IP
> Try #iptables -I INPUT 1 -s 202.145.10.146 -j DROP
>
> It will insert the rule on the top of the ruleset, so it matches first.
>
> Regards,
> Victor
>
> On Thursday 29 July 2004 14:14, david wrote:
> > Dear all,
> >
> > My mail server received so many virus mails from IP 202.145.10.147, and
> > after I looked at the gateway (Linux) using iptraf I saw so much traffic
> > from 202.145.10.147.
> > After that I tried to block all traffic from 202.145.10.147 with the command:
> > #iptables -A INPUT -s 202.145.10.146 -j DROP
> >
> > but I still receive all traffic from 202.145.10.146......
> > Can anybody help me ........... that IP sends viruses into the mail server
> > at more than 20 mails per minute.......
> >
> >
> > Regards,
> > David Kandou
> >
> > Help me ... I am so confused
> >
> > FYI:
> > I am using RedHat 9
> > eth0 --> public IP
> > eth1 --> local IP
> > mail server --> local IP
>
>
* Re: Blocking IP
2004-07-29 12:40 ` david
@ 2004-07-29 13:29 ` Victor Julien
2004-07-29 13:42 ` Les Mikesell
1 sibling, 0 replies; 15+ messages in thread
From: Victor Julien @ 2004-07-29 13:29 UTC (permalink / raw)
To: netfilter
On Thursday 29 July 2004 14:40, david wrote:
> Dear Victor,
>
> I still receive traffic from that IP.......
>
>
> IPTABLES Rules
> #iptables -I INPUT 1 -s 202.145.10.147 -j DROP
>
Maybe you should place the rule in the FORWARD chain.
#iptables -I FORWARD 1 -s 202.145.10.147 -j DROP
Regards,
Victor
> IPTRAF Monitoring
> ??202.145.10.147:1668 =
> 31 19815 DONE eth0 ?
> ??202.46.146.164:25 =
> 33 1485 CLOSED eth0 ?
> ??206.190.39.164:8
>
> I tried:
> #iptables -I INPUT 1 -s 202.145.10.147 -j LOG
> after that the IP shows again:
> #iptables -L -nvx
>
> Chain INPUT (policy ACCEPT 1532113 packets, 168017560 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- * * 202.145.10.174 0.0.0.0/0 LOG flags 0 level 4
> 0 0 DROP all -- * * 202.145.10.174 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 8470318 packets, 3950493169 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 2106115 packets, 361037890 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain RH-Lokkit-0-50-INPUT (0 references)
> pkts bytes target prot opt in out source destination
>
>
> Thanks
> David
>
>
>
> ----- Original Message -----
> From: "Victor Julien" <victor@nk.nl>
> To: <netfilter@lists.netfilter.org>
> Cc: "david" <david@suarapembaruan.co.id>
> Sent: Thursday, July 29, 2004 7:10 PM
> Subject: Re: Blocking IP
>
> > Try #iptables -I INPUT 1 -s 202.145.10.146 -j DROP
> >
> > It will insert the rule at the top of the ruleset, so it matches first.
> >
> > Regards,
> > Victor
> >
> > On Thursday 29 July 2004 14:14, david wrote:
> > > Dear all,
> > >
> > > My mail server received so many virus mails from IP 202.145.10.147, and
> > > after I looked at the gateway (Linux) using iptraf I saw so much
> > > traffic from 202.145.10.147.
> > > After that I tried to block all traffic from 202.145.10.147 with the command:
> > > #iptables -A INPUT -s 202.145.10.146 -j DROP
> > >
> > > but I still receive all traffic from 202.145.10.146......
> > > Can anybody help me ........... that IP sends viruses into the mail server
> > > at more than 20 mails per minute.......
> > >
> > >
> > > Regards,
> > > David Kandou
> > >
> > > Help me ... I am so confused
> > >
> > > FYI:
> > > I am using RedHat 9
> > > eth0 --> public IP
> > > eth1 --> local IP
> > > mail server --> local IP
* Re: Blocking IP
2004-07-29 12:40 ` david
2004-07-29 13:29 ` Victor Julien
@ 2004-07-29 13:42 ` Les Mikesell
1 sibling, 0 replies; 15+ messages in thread
From: Les Mikesell @ 2004-07-29 13:42 UTC (permalink / raw)
To: david; +Cc: netfilter
On Thu, 2004-07-29 at 07:40, david wrote:
> Dear Victor,
>
> I still receive traffic from that IP.......
Tcpdump/iptraf will still show blocked packets even though
they are not passed to applications. Is sendmail still
logging connections from there?
---
Les Mikesell
les@futuresource.com
* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
2004-07-29 12:10 ` Victor Julien
@ 2004-07-29 12:18 ` Alejandro Flores
2004-07-29 14:15 ` Aleksandar Milivojevic
2004-07-29 12:25 ` Dhananjoy Chowdhury
` (3 subsequent siblings)
5 siblings, 1 reply; 15+ messages in thread
From: Alejandro Flores @ 2004-07-29 12:18 UTC (permalink / raw)
To: david; +Cc: netfilter
Hello David,
If you already have some firewall rules, the rule you mention might never
be hit. Use the option -I instead of -A.
-I will insert your rule at the first position in the chain, unless you
specify the number where you want it.
iptables -I INPUT -i public_interface -s 202.154.10.146/32 -j REJECT
But, if you're using sendmail, maybe the best thing to do is to tell sendmail
to reject the traffic from this particular host.
Go to /etc/mail, edit the file called 'access' and append a line like
this:
202.154.10.146 REJECT "You're sending too much viruses!"
Then save, type 'make' and restart sendmail.
Regards,
Alejandro Flores
> Dear all,
>
> My mail server received so many virus mails from IP 202.145.10.147, and after
> I looked at the gateway (Linux) using iptraf I saw so much traffic from
> 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
>
> but I still receive all traffic from 202.145.10.146......
> Can anybody help me ........... that IP sends viruses into the mail server at more
> than 20 mails per minute.......
>
>
> Regards,
> David Kandou
>
> Help me ... I am so confused
>
> FYI:
> I am using RedHat 9
> eth0 --> public IP
> eth1 --> local IP
> mail server --> local IP
>
>
* Re: Blocking IP
2004-07-29 12:18 ` Alejandro Flores
@ 2004-07-29 14:15 ` Aleksandar Milivojevic
2004-07-29 16:57 ` Alejandro Flores
0 siblings, 1 reply; 15+ messages in thread
From: Aleksandar Milivojevic @ 2004-07-29 14:15 UTC (permalink / raw)
To: netfilter
Alejandro Flores wrote:
> But, if you're using sendmail, maybe the best to do is to tell sendmail
> to reject the traffic from this particular host.
> Go to /etc/mail, edit the file called 'access' and append a line like
> this:
> 202.154.10.146 REJECT "You're sending too much viruses!"
> Then save, type 'make' and restart sendmail.
Access.db is a map. You don't need to restart sendmail after you update
the /etc/mail/access file and rebuild the access.db map (either using the supplied
Makefile if present, or by running "makemap hash access.db < access"; I
prefer the latter over the former). The same goes for all other maps. You only need to
restart sendmail when sendmail.cf is changed, or any of the files
referenced by F lines in sendmail.cf (those are read once at startup).
Although the solution with sendmail is cleaner and more polite (the offender
gets the error explaining why he/she is refused, and you are blocking only email),
I don't think that somebody who is not noticing that he/she is spitting
out viruses at such a high rate is going to notice and/or care about it.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Blocking IP
2004-07-29 14:15 ` Aleksandar Milivojevic
@ 2004-07-29 16:57 ` Alejandro Flores
0 siblings, 0 replies; 15+ messages in thread
From: Alejandro Flores @ 2004-07-29 16:57 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: netfilter
Hello,
> Although solution with sendmail is cleaner and more polite (the offender
> gets the error why he/she is refused, and you are blocking only email),
> I don't think that somebody who is not noticing that he/she is spitting
> out viruses in such a high rate is going to notice and/or care about it.
Well, you can just drop their packets or you can reject and tell them
why. The decision is yours! :-)
Regards,
Alejandro Flores
* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
2004-07-29 12:10 ` Victor Julien
2004-07-29 12:18 ` Alejandro Flores
@ 2004-07-29 12:25 ` Dhananjoy Chowdhury
2004-07-29 12:28 ` Les Mikesell
` (2 subsequent siblings)
5 siblings, 0 replies; 15+ messages in thread
From: Dhananjoy Chowdhury @ 2004-07-29 12:25 UTC (permalink / raw)
To: david; +Cc: netfilter
Remove the rule #iptables -A INPUT -s 202.145.10.146 -j DROP
and apply #iptables -A FORWARD -s 202.145.10.146 -j DROP
This is because all traffic coming from 202.145.10.146 through the
gateway (Linux box) to your local LAN will be passing through the
FORWARD chain of the gateway and not the INPUT chain.
Regards,
dhananjoy
On Thu, 2004-07-29 at 17:44, david wrote:
> Dear all,
>
> My mail server received so many virus mails from IP 202.145.10.147, and after
> I looked at the gateway (Linux) using iptraf I saw so much traffic from
> 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
>
> but I still receive all traffic from 202.145.10.146......
> Can anybody help me ........... that IP sends viruses into the mail server at more
> than 20 mails per minute.......
>
>
> Regards,
> David Kandou
>
> Help me ... I am so confused
>
> FYI:
> I am using RedHat 9
> eth0 --> public IP
> eth1 --> local IP
> mail server --> local IP
>
>
* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
` (2 preceding siblings ...)
2004-07-29 12:25 ` Dhananjoy Chowdhury
@ 2004-07-29 12:28 ` Les Mikesell
2004-07-29 12:48 ` david
2004-07-29 12:31 ` David Cannings
2004-07-29 14:04 ` Aleksandar Milivojevic
5 siblings, 1 reply; 15+ messages in thread
From: Les Mikesell @ 2004-07-29 12:28 UTC (permalink / raw)
To: david; +Cc: netfilter
On Thu, 2004-07-29 at 07:14, david wrote:
> Dear all,
>
> My mail server received so many virus mails from IP 202.145.10.147, and after
> I looked at the gateway (Linux) using iptraf I saw so much traffic from
> 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
>
> but I still receive all traffic from 202.145.10.146......
It might be as easy to block traffic with route as iptables:
route add -host 202.145.10.146 reject
should stop it (actually it stops your ability to respond
but for tcp that's enough).
---
Les Mikesell
les@futuresource.com
* Re: Blocking IP
2004-07-29 12:28 ` Les Mikesell
@ 2004-07-29 12:48 ` david
0 siblings, 0 replies; 15+ messages in thread
From: david @ 2004-07-29 12:48 UTC (permalink / raw)
To: netfilter
Dear all,
Thanks for your information, now all traffic from that IP is already dropped.
Thank you.
:)
David Kandou
----- Original Message -----
From: "Les Mikesell" <les@futuresource.com>
To: "david" <david@suarapembaruan.co.id>
Cc: <netfilter@lists.netfilter.org>
Sent: Thursday, July 29, 2004 7:28 PM
Subject: Re: Blocking IP
> On Thu, 2004-07-29 at 07:14, david wrote:
> > Dear all,
> >
> > My mail server received so many virus mails from IP 202.145.10.147, and
> > after I looked at the gateway (Linux) using iptraf I saw so much traffic from
> > 202.145.10.147.
> > After that I tried to block all traffic from 202.145.10.147 with the command:
> > #iptables -A INPUT -s 202.145.10.146 -j DROP
> >
> > but I still receive all traffic from 202.145.10.146......
>
> It might be as easy to block traffic with route as iptables:
> route add -host 202.145.10.146 reject
> should stop it (actually it stops your ability to respond
> but for tcp that's enough).
>
> ---
> Les Mikesell
> les@futuresource.com
>
>
* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
` (3 preceding siblings ...)
2004-07-29 12:28 ` Les Mikesell
@ 2004-07-29 12:31 ` David Cannings
2004-07-29 14:04 ` Aleksandar Milivojevic
5 siblings, 0 replies; 15+ messages in thread
From: David Cannings @ 2004-07-29 12:31 UTC (permalink / raw)
To: netfilter
On Thursday 29 July 2004 13:14, david wrote:
> My mail server received so many virus mails from IP 202.145.10.147, and
> after I looked at the gateway (Linux) using iptraf I saw so much
> traffic from 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
Two suggestions:
- You might like to also put that in your FORWARD chain:
# iptables -I FORWARD -s 202.145.10.146 -j DROP
- Use -I instead of -A, this will INSERT at the top of the list instead of
APPENDING to the bottom.
Check the output of `iptables -L -vxn` (which you could paste relevant
bits of into your email, if necessary) and see if there are any other
ACCEPT rules in your INPUT chain that would allow packets from that IP
before your rule that denies them.
David
* Re: Blocking IP
2004-07-29 12:14 ` Blocking IP david
` (4 preceding siblings ...)
2004-07-29 12:31 ` David Cannings
@ 2004-07-29 14:04 ` Aleksandar Milivojevic
5 siblings, 0 replies; 15+ messages in thread
From: Aleksandar Milivojevic @ 2004-07-29 14:04 UTC (permalink / raw)
Cc: netfilter
david wrote:
> Dear all,
>
> My mail server received so many virus mails from IP 202.145.10.147, and after
> I looked at the gateway (Linux) using iptraf I saw so much traffic from
> 202.145.10.147.
> After that I tried to block all traffic from 202.145.10.147 with the command:
> #iptables -A INPUT -s 202.145.10.146 -j DROP
>
> but I still receive all traffic from 202.145.10.146......
> Can anybody help me ........... that IP sends viruses into the mail server at more
> than 20 mails per minute.......
Are the mail server and gateway two separate hosts? If yes, you need to
add the rule to the FORWARD chain. A packet will go through the INPUT chain
of the filter table only if its destination is the local host (the gateway in
your case). If the packet is to be forwarded to another host, it will go
only through the FORWARD chain of the filter table. In no circumstance are you
going to see a packet going through both the INPUT and FORWARD chains of the
filter table.
If the mail server is running on the gateway host, check the order of
your rules. Are there any rules before the one you just added that
would accept the packets from the "bad host"?
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
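The two checks raised in this thread, David Cannings' "read the counters in iptables -L -vxn" and Aleksandar's rule that a relayed packet only ever traverses FORWARD, combined into one POSIX sh script. This is an added example, not code from the thread: the gateway addresses, the interface name and the rule dump are constructed, with the dump mirroring the listing David posted (rules for 202.145.10.174, traffic from 202.145.10.147, counters at 0) plus one FORWARD rule that does count packets.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved `iptables -L -nvx` dump for a
# rule meant to block one source address. The dump below is constructed to mirror
# the thread: the INPUT rules name 202.145.10.174 while traffic comes from
# 202.145.10.147 and both counters are still 0; a FORWARD rule that is actually
# matching is added to show the healthy case.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 1532113 packets, 168017560 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 LOG        all  --  *      *       202.145.10.174       0.0.0.0/0            LOG flags 0 level 4
       0          0 DROP       all  --  *      *       202.145.10.174       0.0.0.0/0

Chain FORWARD (policy ACCEPT 8470318 packets, 3950493169 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       2520 DROP       all  --  eth0   *       202.145.10.147       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2106115 packets, 361037890 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# expected_chain "LOCAL_IP ..." DST: a packet traverses INPUT only when DST is an
# address of the gateway itself; anything relayed to another host (a mail server
# on the LAN) traverses FORWARD only.
expected_chain() {
  for ip in $1; do
    [ "$ip" = "$2" ] && { echo INPUT; return 0; }
  done
  echo FORWARD
}

# block_status DUMP CHAIN SRC -> missing | unmatched | active
#   missing   : no DROP/REJECT rule for SRC in CHAIN (wrong chain or a typo in SRC)
#   unmatched : rule present but its packet counter is 0 (wrong address, wrong
#               chain, or an earlier ACCEPT rule wins)
#   active    : rule present and counting packets
block_status() {
  printf '%s\n' "$1" | awk -v chain="$2" -v src="$3" '
    /^Chain / { cur = $2; next }
    cur == chain && ($3 == "DROP" || $3 == "REJECT") && $8 == src {
      found = 1; if ($1 + 0 > 0) hit = 1
    }
    END { print (!found ? "missing" : (!hit ? "unmatched" : "active")) }'
}

# audit DUMP "LOCAL_IP ..." DST SRC: status of the block for SRC in the chain DST
# really traverses on this gateway
audit() { block_status "$1" "$(expected_chain "$2" "$3")" "$4"; }

# Gateway owns 203.0.113.1 (public) and 192.168.1.1 (LAN); mail server is 192.168.1.10
audit "$SAMPLE_DUMP" "203.0.113.1 192.168.1.1" 192.168.1.10 202.145.10.147  # active
audit "$SAMPLE_DUMP" "203.0.113.1 192.168.1.1" 203.0.113.1  202.145.10.147  # missing
audit "$SAMPLE_DUMP" "203.0.113.1 192.168.1.1" 203.0.113.1  202.145.10.174  # unmatched
```

Against a live box, replace SAMPLE_DUMP with the output of `iptables -L -nvx`; a DROP rule whose counter stays at 0 while iptraf still shows the traffic is the signature of the wrong chain, the wrong address, or an ACCEPT rule ahead of it.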