Linux Netfilter discussions
* Rule for PROTO=139?
@ 2016-09-06 10:58 Walter H.
  2016-09-06 11:20 ` Rob Sterenborg (lists)
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Walter H. @ 2016-09-06 10:58 UTC (permalink / raw)
  To: netfilter

Hello,

does anybody know with which rule I can catch these entries:

[317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
PROTO=139

Thanks,
Walter



* Re: Rule for PROTO=139?
  2016-09-06 10:58 Rule for PROTO=139? Walter H.
@ 2016-09-06 11:20 ` Rob Sterenborg (lists)
  2016-09-06 11:25 ` Andreas Hainke
       [not found] ` <3e24e1f4a88741f0979847f78ef0ecc1@CCDEX021.corp.corpcommon.com>
  2 siblings, 0 replies; 5+ messages in thread
From: Rob Sterenborg (lists) @ 2016-09-06 11:20 UTC (permalink / raw)
  To: Walter H., netfilter

On 2016-09-06 12:58, Walter H. wrote:
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139

According to my /etc/protocols, protocol 139 is called 'hip' (Host 
Identity Protocol). So, something like

     iptables -A INPUT -i br0 -p 139 -j DROP

or

     iptables -A INPUT -i br0 -p hip -j DROP

See also: man iptables


--
Rob

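To make the protocol lookup and the rule shown above concrete, here is an added example (not code from the list or from the netfilter project) that parses netfilter LOG lines such as the one Walter posted, splits the MAC= field into destination MAC, source MAC and ethertype, resolves PROTO= through an embedded subset of /etc/protocols, and emits the matching iptables and nft rules. The chain is derived from IN=/OUT=: an empty OUT= means the packet was delivered locally and is seen in INPUT, not FORWARD. The second sample line is a constructed TCP SYN for contrast; the nft rule assumes a table named `ip filter` with lowercase chain names.

```python
"""Parse netfilter LOG lines, resolve PROTO= to a /etc/protocols name and
emit the iptables and nft rule that would match the packet.
Added example; not code from the mailing list or the netfilter project."""
import re

# Subset of /etc/protocols (IANA assigned Internet protocol numbers).
# 139 = hip (Host Identity Protocol) is the one reported in the thread.
PROTOCOLS = {
    1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 41: "ipv6", 47: "gre",
    50: "esp", 51: "ah", 58: "ipv6-icmp", 89: "ospf", 132: "sctp", 139: "hip",
}
NAME_TO_NUMBER = {name: num for num, name in PROTOCOLS.items()}

# LOG output is space-separated KEY=VALUE; a value may be empty (OUT=).
# Bare flags such as DF or SYN carry no '=' and are simply skipped.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample input: the first line is the thread's own entry
# re-joined onto one line; the second is an invented TCP SYN for contrast.
SAMPLE_LINES = [
    "[317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00 "
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624 PROTO=139",
    "[317700.000001] IP[IN]: IN=br0 OUT= MAC=4c:72:b9:56:16:3e:00:11:22:33:44:55:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return the KEY=VALUE fields of a LOG line as a dict, with MAC split
    into MAC_DST / MAC_SRC / ETHERTYPE and PROTO normalised to PROTO_NUM
    (int or None) and PROTO_NAME (str)."""
    start = re.search(r"\bIN=", line)          # skip timestamp and --log-prefix
    if start is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields = dict(_KV.findall(line[start.start():]))

    # MAC= is dst(6) + src(6) + ethertype(2), colon-separated bytes.
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["MAC_DST"] = ":".join(octets[0:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:14])

    # The kernel prints well-known protocols by name (TCP, UDP, ICMP)
    # and everything else by number (PROTO=139).
    proto = fields.get("PROTO")
    if proto is not None:
        num = int(proto) if proto.isdigit() else NAME_TO_NUMBER.get(proto.lower())
        fields["PROTO_NUM"] = num
        fields["PROTO_NAME"] = PROTOCOLS.get(num, proto.lower())
    return fields


def chain_for(fields):
    """Pick the filter chain from IN=/OUT=: only IN set -> INPUT (local
    delivery), both set -> FORWARD, only OUT set -> OUTPUT."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"


def rules_for(fields, table="filter"):
    """Build the iptables and nft (table 'ip <table>', assumed to exist)
    rules that drop this packet's protocol on the interface it was seen on."""
    chain = chain_for(fields)
    name, num = fields["PROTO_NAME"], fields["PROTO_NUM"]
    if chain == "OUTPUT":
        ipt_if, nft_if = "-o " + fields["OUT"], 'oifname "%s"' % fields["OUT"]
    else:
        ipt_if, nft_if = "-i " + fields["IN"], 'iifname "%s"' % fields["IN"]
    nft_proto = num if num is not None else name   # nft accepts either form
    return {
        "iptables": "iptables -A %s %s -p %s -j DROP" % (chain, ipt_if, name),
        "nft": "nft add rule ip %s %s %s ip protocol %s drop"
               % (table, chain.lower(), nft_if, nft_proto),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        f = parse_log_line(entry)
        print("%s from %s -> %s" % (f["PROTO_NAME"], f.get("MAC_SRC"), chain_for(f)))
        for cmd in rules_for(f).values():
            print("  " + cmd)
```

Run it on your own `dmesg` or `journalctl -k` output to see which protocol and which chain a noisy entry belongs to before writing the rule; the source MAC it prints is the one to chase down on the LAN, as the rest of the thread does.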


* Re: Rule for PROTO=139?
  2016-09-06 10:58 Rule for PROTO=139? Walter H.
  2016-09-06 11:20 ` Rob Sterenborg (lists)
@ 2016-09-06 11:25 ` Andreas Hainke
       [not found] ` <3e24e1f4a88741f0979847f78ef0ecc1@CCDEX021.corp.corpcommon.com>
  2 siblings, 0 replies; 5+ messages in thread
From: Andreas Hainke @ 2016-09-06 11:25 UTC (permalink / raw)
  To: Walter H., netfilter



Hi Walter,

as far as I know you can use the -p <protocol_number> parameter with
iptables.

iptables -A FORWARD -i br0 -p 139 -j DROP

If you are using nftables

nft add rule <table> <chain> ip protocol 139 drop

should work.

Regards,
Andreas


On 06.09.2016 at 12:58, Walter H. wrote:
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139
>
> Thanks,
> Walter



* RE: Rule for PROTO=139?
       [not found] ` <3e24e1f4a88741f0979847f78ef0ecc1@CCDEX021.corp.corpcommon.com>
@ 2016-09-06 12:03   ` Walter H.
       [not found]     ` <d563e5c593e3405c8eca5c001b4b25e1@CCDEX021.corp.corpcommon.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Walter H. @ 2016-09-06 12:03 UTC (permalink / raw)
  To: "André Paulsberg-Csibi (IBM Consultant)"
  Cc: netfilter@vger.kernel.org

Hello,

On Tue, September 6, 2016 13:51, André Paulsberg-Csibi (IBM Consultant)
wrote:
> I will only add to the answers that this is not so widely used;
> the fact that you see these packets would suggest that
> one unit in your network with MAC 4c:72:b9:56:16:3e is using the HIP
> protocol
> to try to identify hosts within your LAYER 2 BROADCAST domain.

I see;

> You could block it and ignore it, but maybe you would like to find that
> MAC owner and check why it is using HIP.

yes, this is my computer, and the line came from my router;

> If it is some unit you manage, maybe you can "remove" it at the source
> and save your L2-BC from this traffic all together :-)

yes, of course, but where can I find the piece of software that is doing
this on my computer running WinXP Prof. x64 Ed.?

Thanks,
Walter

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org
> [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Walter H.
> Sent: 6. september 2016 12:59
> To: netfilter@vger.kernel.org
> Subject: Rule for PROTO=139?
>
> Hello,
>
> does anybody know with which rule I can catch these entries:
>
> [317607.438061] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:72:b9:56:16:3e:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=1624
> PROTO=139
>
> Thanks,
> Walter




* Re: Rule for PROTO=139?
       [not found]     ` <d563e5c593e3405c8eca5c001b4b25e1@CCDEX021.corp.corpcommon.com>
@ 2016-09-06 17:41       ` Walter H.
  0 siblings, 0 replies; 5+ messages in thread
From: Walter H. @ 2016-09-06 17:41 UTC (permalink / raw)
  To: "André Paulsberg-Csibi (IBM Consultant)"
  Cc: netfilter@vger.kernel.org


On 06.09.2016 14:18, André Paulsberg-Csibi (IBM Consultant) wrote:
> It is a long time since I used WinXP; Win7 - Win8 have passed and now WinX is the only thing,
> and most of their "garbage" packages were removed using the parameters in DHCP:
> option netbios-node-type 0x2;
> option wpad code 252 = text;
> option wpad "\n\000";
>
> (I cannot stop all their garbage, because they need it for their "sharing" tools)
> But DHCP INFORM and HIP and other excessive BC I have not seen in my home for quite some time, so I am pretty sure most is gone ...
>
> IF that does not stop it - try to google it; if it is not possible you may just have to live with blocking it ...
>
>
ok, due to this at the beginning of iptables:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]


and this at the end of iptables:

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

COMMIT

these packets are already dropped, but they are also logged and fill the
log unnecessarily;

so somewhere in between, this rule

# Block HIP (Host Identity Protocol): prevent from logging
-A INPUT -i br0 -p hip -j REJECT

keeps them from being logged

Thanks,
Walter

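The point of Walter's last message is rule order: with a DROP policy and a catch-all LOG as the last rule in each chain, a packet is logged and then dropped by the policy, so the rule that silences a noisy protocol must come before the LOG rule. As an added example (not code from the list), the following checks an iptables-save style ruleset for exactly that mistake and inserts the silencing rule in the right place. The sample ruleset is constructed from the fragments in the thread (the `-i lo` line is invented filler) with the HIP rule deliberately placed after the LOG rule, where it never stops the logging. It inserts DROP rather than REJECT: the packet comes from SRC=0.0.0.0 to a broadcast address, so there is no host to send a rejection to.

```python
"""Check an iptables-save ruleset for a catch-all LOG rule that runs before
the rule meant to silently drop a noisy protocol, and fix the order.
Added example; not code from the mailing list or the netfilter project."""
import re
import shlex

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
TERMINATING = {"DROP", "REJECT", "ACCEPT"}   # targets that end traversal of the chain

# Constructed ruleset in the shape the thread describes: DROP policies,
# trailing LOG rules, and the HIP rule placed AFTER the LOG rule, where a
# HIP packet is logged first.  The lo rule is invented filler.
RULESET_WRONG = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A INPUT -i br0 -p hip -j REJECT
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
"""


def parse_rule(line):
    """Split an '-A CHAIN <matches> -j TARGET' line into (chain, matches, target);
    return None for non-rule lines (*filter, :CHAIN policy, COMMIT)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    chain, toks = m.group(1), shlex.split(m.group(2))
    matches, target, i = {}, None, 0
    while i < len(toks):
        if toks[i] == "-j" and i + 1 < len(toks):
            target = toks[i + 1]
            i += 2
        elif toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            matches[toks[i]] = toks[i + 1]   # e.g. {"-i": "br0", "-p": "hip"}
            i += 2
        else:
            i += 1                           # bare flags skipped; '!' negation not modelled
    return chain, matches, target


def first_rule(lines, chain, pred):
    """Index of the first rule in 'chain' for which pred(matches, target) holds."""
    for idx, line in enumerate(lines):
        parsed = parse_rule(line)
        if parsed and parsed[0] == chain and pred(parsed[1], parsed[2]):
            return idx
    return None


def proto_is_logged(ruleset, chain, proto):
    """True if a packet of 'proto' reaches the chain's LOG rule before any
    terminating rule that matches it, i.e. it will still show up in the log."""
    lines = ruleset.splitlines()
    log_i = first_rule(lines, chain, lambda m, t: t == "LOG")
    stop_i = first_rule(lines, chain, lambda m, t: m.get("-p") == proto and t in TERMINATING)
    if log_i is None:
        return False
    return stop_i is None or stop_i > log_i


def silence_proto(ruleset, chain, iface, proto):
    """Return the ruleset with 'proto' on 'iface' DROPped immediately before
    the chain's LOG rule, so it is neither logged nor answered.  Unchanged
    if the protocol is already stopped before the LOG rule."""
    if not proto_is_logged(ruleset, chain, proto):
        return ruleset
    lines = ruleset.splitlines()
    log_i = first_rule(lines, chain, lambda m, t: t == "LOG")
    lines.insert(log_i, "-A %s -i %s -p %s -j DROP" % (chain, iface, proto))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("hip still logged:", proto_is_logged(RULESET_WRONG, "INPUT", "hip"))
    print(silence_proto(RULESET_WRONG, "INPUT", "br0", "hip"))
```

Feed it the output of `iptables-save` to check a live box; the fixed text can be loaded back with `iptables-restore`, and `iptables -L INPUT -v --line-numbers` afterwards should show the hip rule's packet counter climbing while the LOG rule's stays flat for that traffic.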
