How to block this sort of request

Taking care of your Linux box.
shakirz1
Battalion Quarter Master Havaldaar
Posts: 207
Joined: Sat Aug 09, 2003 5:00 pm
Location: Karachi

How to block this sort of request

Postby shakirz1 » Wed Oct 04, 2006 12:56 am

I apply these rules in iptables but cannot block this sort of request in my network.

IPTABLES="/sbin/iptables "
$IPTABLES -t mangle -I PREROUTING -p tcp -s 0/0 --dport 667 -j DROP
$IPTABLES -t mangle -I PREROUTING -p tcp -s 0/0 --dport 445 -j DROP
$IPTABLES -t mangle -I PREROUTING -p tcp -s 0/0 --dport 139 -j DROP
$IPTABLES -t mangle -I PREROUTING -p tcp -s 0/0 --dport 113 -j DROP
$IPTABLES -t mangle -I PREROUTING -p tcp -s 0/0 --dport 135 -j DROP
$IPTABLES -t mangle -I PREROUTING -p udp -s 0/0 --dport 137:139 -j DROP

[root@testingserver ~]# tcpdump -i eth2 src 10.0.2.222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
00:34:51.977271 IP 10.0.2.222.3654 > 208.184.36.33.available.above.net.http: . ack 4286902941 win 63526
00:34:51.991275 IP 10.0.2.222.3654 > 208.184.36.33.available.above.net.http: F 0:0(0) ack 1 win 63526
00:34:52.025459 IP 10.0.2.222.3069 > 10.0.112.41.microsoft-ds: S 27569580:27569580(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025517 IP 10.0.2.222.3074 > 10.0.239.70.microsoft-ds: S 27606087:27606087(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025587 IP 10.0.2.222.3076 > 10.0.87.23.microsoft-ds: S 27649984:27649984(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025665 IP 10.0.2.222.3077 > 10.0.181.80.135: S 27711068:27711068(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025725 IP 10.0.2.222.3078 > 10.0.139.130.135: S 27753285:27753285(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025792 IP 10.0.2.222.3079 > 10.0.102.210.microsoft-ds: S 27816295:27816295(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025859 IP 10.0.2.222.3080 > 10.0.186.90.135: S 27851829:27851829(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025930 IP 10.0.2.222.3081 > 10.0.228.55.135: S 27905820:27905820(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026085 IP 10.0.2.222.3083 > 10.0.190.61.135: S 27954728:27954728(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026155 IP 10.0.2.222.3085 > 10.0.194.226.microsoft-ds: S 28020129:28020129(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026248 IP 10.0.2.222.3086 > 10.0.182.89.135: S 28061928:28061928(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026319 IP 10.0.2.222.3087 > 10.0.155.117.microsoft-ds: S 28098765:28098765(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026386 IP 10.0.2.222.3094 > 10.0.249.106.135: S 28162612:28162612(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026519 IP 10.0.2.222.3095 > 10.0.223.83.microsoft-ds: S 28213036:28213036(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026587 IP 10.0.2.222.3097 > 10.0.130.98.microsoft-ds: S 28253125:28253125(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.026669 IP 10.0.2.222.3099 > 10.0.235.195.135: S 28290327:28290327(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.086378 IP 10.0.2.222.3676 > 208.184.36.33.available.above.net.http: S 54725662:54725662(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125549 IP 10.0.2.222.3100 > 10.0.174.202.microsoft-ds: S 28375529:28375529(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125600 IP 10.0.2.222.3101 > 10.0.172.132.135: S 28421664:28421664(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125680 IP 10.0.2.222.3102 > 10.0.26.18.microsoft-ds: S 28456535:28456535(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125749 IP 10.0.2.222.3103 > 10.0.166.251.microsoft-ds: S 28495762:28495762(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125817 IP 10.0.2.222.3104 > 10.0.156.245.135: S 28542775:28542775(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.125887 IP 10.0.2.222.3108 > 10.0.235.82.135: S 28581646:28581646(0) win 64240 <mss 1460,nop,nop,sackOK>
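The capture above shows one host, 10.0.2.222, sending SYNs to many different 10.0.x.x addresses on 135 and microsoft-ds (445), the usual footprint of a worm scanning for RPC/SMB. The following is an added example, not code from any poster: a shell function that reads tcpdump output in the format shown and lists source addresses that have probed at least a threshold of distinct hosts on those ports, so the infected machine can be identified and isolated. The sample lines are constructed to match the capture's format.

```shell
# Added example (not from the thread): find hosts that are SYN-scanning the LAN
# on the Windows RPC/SMB ports (135, 139, 445), which is what 10.0.2.222 is
# doing in the capture above. Reads tcpdump output in that capture's format.
# Usage: tcpdump -i eth2 -l | find_scanners [min_targets]

find_scanners() {
    min="${1:-5}"                # report a source once it has hit this many distinct hosts
    awk -v min="$min" '
        # fields: 1=time 2=IP 3=src.port 4=">" 5=dst.port: 6=TCP flags ...
        # only bare SYNs ("S"); "S." would be a SYN-ACK reply, not a probe
        $2 == "IP" && $6 == "S" {
            src = $3; sub(/\.[^.]*$/, "", src)       # strip source port
            dst = $5; sub(/:$/, "", dst)
            port = dst; sub(/.*\./, "", port)        # port number or service name
            sub(/\.[^.]*$/, "", dst)                 # strip it, leaving the host
            if (port ~ /^(135|epmap|139|netbios-ssn|445|microsoft-ds)$/ && !seen[src, dst]++)
                targets[src]++                       # count distinct hosts per source
        }
        END { for (s in targets) if (targets[s] >= min) print s, targets[s] }
    ' | sort
}

# Constructed sample lines in the same format as the capture above.
sample_capture() {
    cat <<'EOF'
00:34:51.977271 IP 10.0.2.222.3654 > 208.184.36.33.available.above.net.http: . ack 4286902941 win 63526
00:34:52.025459 IP 10.0.2.222.3069 > 10.0.112.41.microsoft-ds: S 27569580:27569580(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025665 IP 10.0.2.222.3077 > 10.0.181.80.135: S 27711068:27711068(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025792 IP 10.0.2.222.3079 > 10.0.102.210.microsoft-ds: S 27816295:27816295(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025860 IP 10.0.2.222.3080 > 10.0.102.210.microsoft-ds: S 27816296:27816296(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.025930 IP 10.0.2.222.3081 > 10.0.228.55.135: S 27905820:27905820(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:52.086378 IP 10.0.2.222.3676 > 208.184.36.33.available.above.net.http: S 54725662:54725662(0) win 64240 <mss 1460,nop,nop,sackOK>
00:34:53.000000 IP 10.0.2.17.1025 > 10.0.2.1.microsoft-ds: S 100:100(0) win 64240 <mss 1460,nop,nop,sackOK>
EOF
}

sample_capture | find_scanners 3      # prints: 10.0.2.222 4
```

The repeat SYN to 10.0.102.210 counts once and the http connection is ignored, so 10.0.2.222 is reported with 4 distinct targets while 10.0.2.17 stays below the threshold.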

kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore

Postby kbukhari » Wed Oct 04, 2006 8:13 am

Drop them in the nat table.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

shakirz1
Battalion Quarter Master Havaldaar
Posts: 207
Joined: Sat Aug 09, 2003 5:00 pm
Location: Karachi

Postby shakirz1 » Wed Oct 04, 2006 6:15 pm

In INPUT, OUTPUT, FORWARD and NAT, in every chain I try to DROP that request, but still cannot block them.

Here is the script:

WORM_PORTS="69 113 135 137 138 139 153 445 667 4444"
IPTABLES="/sbin/iptables "
for WPTD in $WORM_PORTS; do
$IPTABLES -A INPUT -s 0/0 -p tcp --sport $WPTD -j DROP
$IPTABLES -A INPUT -s 0/0 -p tcp --dport $WPTD -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --sport $WPTD -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport $WPTD -j DROP
$IPTABLES -t nat -A POSTROUTING -s 0/0 -p tcp --sport $WPTD -j DROP
$IPTABLES -t nat -A POSTROUTING -s 0/0 -p tcp --dport $WPTD -j DROP
$IPTABLES -t nat -A POSTROUTING -s 0/0 -p udp --sport $WPTD -j DROP
$IPTABLES -t nat -A POSTROUTING -s 0/0 -p udp --dport $WPTD -j DROP
$IPTABLES -t nat -A PREROUTING -s 0/0 -d 0/0 -p tcp --dport $WPTD -j DROP
$IPTABLES -t nat -A PREROUTING -s 0/0 -d 0/0 -p tcp --sport $WPTD -j DROP
$IPTABLES -t nat -A PREROUTING -s 0/0 -d 0/0 -p udp --dport $WPTD -j DROP
$IPTABLES -t nat -A PREROUTING -s 0/0 -d 0/0 -p udp --sport $WPTD -j DROP
$IPTABLES -A OUTPUT -s 0/0 -p tcp --sport $WPTD -j DROP
$IPTABLES -A OUTPUT -s 0/0 -p tcp --dport $WPTD -j DROP
$IPTABLES -A OUTPUT -s 0/0 -p udp --sport $WPTD -j DROP
$IPTABLES -A OUTPUT -s 0/0 -p udp --dport $WPTD -j DROP
$IPTABLES -A FORWARD -s 0/0 -p tcp --sport $WPTD -j DROP
$IPTABLES -A FORWARD -s 0/0 -p tcp --dport $WPTD -j DROP
$IPTABLES -A FORWARD -s 0/0 -p udp --sport $WPTD -j DROP
$IPTABLES -A FORWARD -s 0/0 -p udp --dport $WPTD -j DROP
done

newbie
Company Havaldaar Major
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
Location: lahore

Postby newbie » Thu Oct 05, 2006 2:00 am

Even if a packet is dropped, tcpdump still shows it.

Use

iptables -t mangle -vnL
iptables -t nat -vnL
iptables -vnL

to verify whether packets are hitting the rules or not.
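The point about tcpdump matters here: it captures inbound frames before netfilter evaluates them, so a capture cannot show whether a rule dropped a packet; only the rule counters can. As an added example (not from the post), the shell below compares two `iptables -vnxL` snapshots taken a few seconds apart and reports which DROP rules matched packets in between, which is the check being recommended; `-x` prints exact counters instead of the K/M abbreviations of plain `-v`. The snapshot text is constructed.

```shell
# Added example (not from the thread): compare two "iptables -vnxL" snapshots
# and report the DROP rules whose packet counter rose in between. tcpdump sees
# inbound frames before netfilter does, so only the counters prove a drop.
# Usage: iptables -vnxL > before; sleep 10; iptables -vnxL > after; active_drops before after

active_drops() {
    awk '
        /^Chain / { chain = $2; next }               # remember which chain we are in
        $1 == "pkts" || NF == 0 { next }             # skip column header and blank lines
        $3 == "DROP" {
            # key = chain + rule spec without counters; identical duplicate rules
            # in one chain share a key and are merged
            key = chain; for (i = 3; i <= NF; i++) key = key " " $i
            if (NR == FNR) before[key] = $1          # first file: remember old counter
            else if ($1 - before[key] > 0)           # second file: any new hits?
                print key ": +" ($1 - before[key]) " packets"
        }
    ' "$1" "$2"
}

# Constructed snapshots: only the FORWARD rule on eth2 is matching traffic.
sample_snapshots() {
    cat > "$1" <<'EOF'
Chain INPUT (policy ACCEPT 9 packets, 1240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
      12       720 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     410     24600 DROP       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
EOF
    # the "after" snapshot: 320 more packets hit the FORWARD rule, nothing else changed
    sed 's/^ *410 *24600 /  730 43800 /' "$1" > "$2"
}

demo_active_drops() {
    b=$(mktemp); a=$(mktemp)
    sample_snapshots "$b" "$a"
    active_drops "$b" "$a"
    rm -f "$b" "$a"
}

demo_active_drops   # prints: FORWARD DROP tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445: +320 packets
```

A rule that shows no increase while tcpdump keeps printing matching packets is either in a table or chain those packets never traverse, or is ordered after a rule that already accepted them.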

abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Try this out

Postby abakali » Sat Oct 14, 2006 2:13 pm

IPT="/sbin/iptables "
INTDEV="eth0"

$IPT -A INPUT -p tcp -i $INTDEV --dport 445 -s 0/0 -j DROP
$IPT -A INPUT -p tcp -i $INTDEV --dport 139 -s 0/0 -j DROP
$IPT -A INPUT -p tcp -i $INTDEV --dport 113 -s 0/0 -j DROP
$IPT -A INPUT -p tcp -i $INTDEV --dport 135 -s 0/0 -j DROP
$IPT -A INPUT -p udp -i $INTDEV --dport 137:139 -s 0/0 -j DROP
$IPT -A FORWARD -p tcp -i $INTDEV --dport 445 -s 0/0 -j DROP
$IPT -A FORWARD -p tcp -i $INTDEV --dport 139 -s 0/0 -j DROP
$IPT -A FORWARD -p tcp -i $INTDEV --dport 113 -s 0/0 -j DROP
$IPT -A FORWARD -p tcp -i $INTDEV --dport 135 -s 0/0 -j DROP
$IPT -A FORWARD -p udp -i $INTDEV --dport 137:139 -s 0/0 -j DROP
$IPT -t mangle -A FORWARD -p tcp -i $INTDEV --dport 445 -s 0/0 -j DROP
$IPT -t mangle -A FORWARD -p tcp -i $INTDEV --dport 139 -s 0/0 -j DROP
$IPT -t mangle -A FORWARD -p tcp -i $INTDEV --dport 113 -s 0/0 -j DROP
$IPT -t mangle -A FORWARD -p tcp -i $INTDEV --dport 135 -s 0/0 -j DROP
$IPT -t mangle -A FORWARD -p udp -i $INTDEV --dport 137:139 -s 0/0 -j DROP
Asif Bakali !
Feel free to contact me (flames about my English and the uselessness of this driver will be redirected to /dev/null, oh no, it's full...).
