From: Mart Frauenlob <mart.frauenlob@chello.at>
To: Anthony Taylor <ataylor@fallsgeek.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Some oddities while setting up outbound filtering on a web server
Date: Sat, 22 Feb 2014 11:37:52 +0100
Message-ID: <53087E00.2000205@chello.at>
In-Reply-To: <CA+5v4QDMy8_aHARhn1r2s7nF6rTfUjFBZq7B6OH9eC0NdTFpjw@mail.gmail.com>
On 21.02.2014 23:36, Anthony Taylor wrote:
> I'm attempting to set up outbound filtering on a server to satisfy
> PCI requirements. Here is what I have so far:
>
> iptables -L OUTPUT -n --line-numbers
> Chain OUTPUT (policy ACCEPT)
policy of ACCEPT??? where's the filtering?
only ACCEPT rules below, you want logging only?
use output of iptables -S .... -N is bad formatting for mail. also it
needs -v to be complete like for rule #1 (guess that's for the lo iface)...
> num  target  prot opt source     destination
> 1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
> 2    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
> 3    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0      icmp type 0
> 4    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0      icmp type 8
> # DNS
> 5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0      tcp dpt:53
> 6    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0      udp dpt:53
> # WHOIS
> 7    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0      tcp dpt:43
> # SMTP
> 8    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0      tcp dpt:25
> # feeds.feedburner.com
> 9            tcp  --  0.0.0.0/0  74.125.0.0/16  tcp dpt:80
> # akismet
> 10   ACCEPT  tcp  --  0.0.0.0/0  66.135.58.62   tcp dpt:80
> 11   ACCEPT  tcp  --  0.0.0.0/0  192.0.80.244   tcp dpt:80
> 12   ACCEPT  tcp  --  0.0.0.0/0  66.135.58.61   tcp dpt:80
> 13   ACCEPT  tcp  --  0.0.0.0/0  192.0.80.246   tcp dpt:80
> # ubuntu updates
> 14   ACCEPT  tcp  --  0.0.0.0/0  91.189.92.201  tcp dpt:80
> 15   ACCEPT  tcp  --  0.0.0.0/0  91.189.88.149  tcp dpt:80
> 16   ACCEPT  tcp  --  0.0.0.0/0  91.189.91.13   tcp dpt:80
> 17   ACCEPT  tcp  --  0.0.0.0/0  91.189.92.200  tcp dpt:80
> 18   ACCEPT  tcp  --  0.0.0.0/0  91.189.91.14   tcp dpt:80
> 19   ACCEPT  tcp  --  0.0.0.0/0  91.189.91.15   tcp dpt:80
> 20   LOG     all  --  0.0.0.0/0  0.0.0.0/0      LOG flags 0 level 4 prefix `fw-outbound: '
>
> My problem is I'm seeing some traffic that I'm not sure I should be
> seeing. I get periodically some traffic from source port 80. It's
> my understanding that rule 2 above would filter these out. When I
> try to access the webserver I don't get anything to show up in logs.
> Yet still I'm getting entries like these:
>
> [12989577.380311] fw-outbound: IN= OUT=venet0 SRC=205.186.153.230
> DST=201.170.158.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=80 DPT=59799 WINDOW=0 RES=0x00 RST URGP=0
>
> [12990368.808237] fw-outbound: IN= OUT=venet0 SRC=205.186.153.230
> DST=24.153.148.198 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=80 DPT=55919 WINDOW=31 RES=0x00 ACK URGP=0
>
> These usually happen in batches with a few of them for the same
> destination IP happening at once.
-m state --state INVALID -j DROP
look if they still come up...
also this might have influence:
nf_conntrack_tcp_be_liberal - BOOLEAN
0 - disabled (default)
not 0 - enabled
Be conservative in what you do, be liberal in what you accept
from others.
If it's non-zero, we mark only out of window RST segments as
INVALID.
see:
Documentation/networking/nf_conntrack-sysctl.txt
[...]
I'd suggest using ipset for all the IPs, i.e.:
ipset create webservers hash:ip
ipset add webservers 91.189.92.201
and so on
iptables -A OUTPUT -m set --match-set webservers dst -p tcp --dport 80 \
  -m state --state NEW -j ACCEPT
Best regards
Mart
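As an added example (not part of the thread), a small Python parser for the `fw-outbound:` log lines quoted above: it splits the kernel-log fields, marks entries that are replies from the local web server rather than new outbound connections (the RST and the late ACK from SPT=80 that fell through to the LOG rule, i.e. what a preceding `--state INVALID -j DROP` would catch), and counts them per destination to make the "batches for the same destination" pattern visible. The third sample line, its TEST-NET destination 192.0.2.53 and the served-port set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two fw-outbound entries quoted in the thread plus one
# made-up outbound DNS query (TEST-NET destination) for contrast.
SAMPLE_LOG = """\
[12989577.380311] fw-outbound: IN= OUT=venet0 SRC=205.186.153.230 DST=201.170.158.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=59799 WINDOW=0 RES=0x00 RST URGP=0
[12990368.808237] fw-outbound: IN= OUT=venet0 SRC=205.186.153.230 DST=24.153.148.198 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=55919 WINDOW=31 RES=0x00 ACK URGP=0
[12990400.000000] fw-outbound: IN= OUT=venet0 SRC=205.186.153.230 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
"""
KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
SERVED_PORTS = {80}  # assumption: the host serves plain HTTP only

def parse_line(line):
    """Split one fw-outbound: line into key=value fields plus a 'flags' set.
    First LEN= wins (UDP lines carry a second one); no prefix gives None."""
    if "fw-outbound:" not in line:
        return None
    entry = {"flags": set()}
    for tok in line.split("fw-outbound:", 1)[1].split():
        m = KV.fullmatch(tok)
        if m:
            entry.setdefault(m.group(1), m.group(2))
        elif tok in TCP_FLAGS:
            entry["flags"].add(tok)
    return entry

def classify(entry):
    """Heuristic: TCP leaving from a served port without SYN is a reply from
    the local web server, not a new connection.  It only reaches the final
    LOG rule when conntrack has no flow for it, i.e. the INVALID case."""
    if (entry.get("PROTO") == "TCP"
            and int(entry.get("SPT", 0)) in SERVED_PORTS
            and "SYN" not in entry["flags"]):
        return "stale-server-reply"
    return "unmatched-new"

def analyse(log_text):
    """Per-line verdicts plus a count of stale replies per DST."""
    verdicts, per_dst = [], defaultdict(int)
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        verdict = classify(entry)
        verdicts.append(verdict)
        if verdict == "stale-server-reply":
            per_dst[entry["DST"]] += 1
    return verdicts, dict(per_dst)
```

Feed it `dmesg` or the kernel log instead of `SAMPLE_LOG` to see whether the entries that remain after adding the INVALID drop are genuinely new connections that the allowlist lacks.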