Security Basics mailing list archives
Strange iptables log entries
From: Ambrosy Vybegallo <vybegallo () gmail com>
Date: Fri, 11 Feb 2005 12:33:32 -0600
Hi, Not sure if this is a correct forum to post to. Please let me know if you think that trere is a better one. I am running a web server farm on linux boxes. They are behind a firewall that I do not administer. In addition I am also trying to lock the servers themselves with iptables. Almost every day I get 1-2 log entries like the ones below in my logs. They look to me like normal responces to a SYN to a closed port. The only problem is, I believe I do not allow anything to connect to these ports in the first place, so at worst, even if our firewall did allow original SYN packets to go through, I should have dropped and logged the original SYN packet instead of responce. The source and destination ports seem to be random high ports, external IPs are random as well. Am I right in thinking that these are responces to SYNs? If so, how did they get through my rules? Any other reason these packets could have been generated? Thanks a lot!! Relevant information: Log enries: Feb 10 11:02:48 www7 kernel: FIREWALL_OUT IN= OUT=eth0 SRC=192.168.6.57 DST=216.161.248.225 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=18547 DF PROTO=TCP SPT=46388 DPT=37628 WINDOW=6930 RES=0x00 ACK RST URGP=0 Feb 10 11:11:32 www7 kernel: FIREWALL_OUT IN= OUT=eth0 SRC=192.168.6.57 DST=145.254.250.120 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=22239 DF PROTO=TCP SPT=48804 DPT=45819 WINDOW=14600 RES=0x00 ACK RST URGP=0 My iptables script. I have removed some comments and changed variable names to protect the innocent :-) #!/bin/sh PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin" ACTIVE_IFACE="eth0" INTERNAL_NETS="192.168.0.0/16 10.0.0.0/8" LOOP="127.0.0.1" HIGH_PORTS="1024:65535" DEBIAN_HOSTS="194.109.137.218 208.185.25.35" #need for apt-get NASDAQ="208.249.116.71" #our servers get quotes from there OTHER_SERVERS="192.168.3.201" MS_BOXES="192.168.6.80" LOCAL_BCAST="192.168.6.255" # There gotta be a better way.. MY_IP=`ifconfig $ACTIVE_IFACE | sed -e '/^[^ ]\+/N' -e 's|\n||g' | \ grep $ACTIVE_IFACE | sed -e 's|^.*addr:\([^ ]\+\).*$|\1|g'` Service1=1314 Service2=1316 Service3=1313 Service4=1414 Service1_HOSTS="192.168.3.240" Service234_HOSTS="192.168.3.244" # Tweak the conntrack module modprobe ip_conntrack hashsize=32768 # Flush all the rules from filter table and nat table: iptables -F iptables -t nat -F iptables -X # We have ip forwarding disabled (see /etc/sysctl.conf) # but just for a good measure... iptables -P FORWARD DROP case "$1" in start) # Discard all traffic by default iptables -P INPUT DROP iptables -P OUTPUT DROP # First, allow established connections iptables -A INPUT -i $ACTIVE_IFACE -d $MY_IP -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o $ACTIVE_IFACE -s $MY_IP -m state --state ESTABLISHED -j ACCEPT # HTTP(s) traffic iptables -A INPUT -i $ACTIVE_IFACE -p tcp --sport $HIGH_PORTS -d $MY_IP --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -i $ACTIVE_IFACE -p tcp --sport $HIGH_PORTS -d $MY_IP --dport 443 -m state --state NEW -j ACCEPT # Allow all traffic on loopback interface. iptables -A INPUT -i lo -s $LOOP -d $LOOP -j ACCEPT iptables -A OUTPUT -o lo -s $LOOP -d $LOOP -j ACCEPT #MSSQL and JDBC traffic. FIXME remove JDBC after guys are finished migrating iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS --dport 1150 -m state --state NEW -j ACCEPT iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS --dport 1433 -m state --state NEW -j ACCEPT for IP in $Service1_HOSTS; do iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport $Service3 -m state --state NEW -j ACCEPT done # Allow traffic to stuff for IP in $Service234_HOSTS; do iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport $Service1 -m state --state NEW -j ACCEPT iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport $Service2 -m state --state NEW -j ACCEPT iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport $Service4 -m state --state NEW -j ACCEPT done # Allow this box to query NTP servers iptables -A OUTPUT -o $ACTIVE_IFACE -p udp -s $MY_IP --sport 123 --dport 123 -m state --state NEW -j ACCEPT # Allow SMPT traffic from this box iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS --dport 25 -m state --state NEW -j ACCEPT # Allow DNS queries from this box iptables -A OUTPUT -o $ACTIVE_IFACE -p udp -s $MY_IP --dport 53 -m state --state NEW -j ACCEPT #Allow LDAP queries from this box iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS --dport 389 -m state --state NEW -j ACCEPT # Allow ssh to this box from internal and DMZ networks for IP in $INTERNAL_NETS; do iptables -A INPUT -i $ACTIVE_IFACE -p tcp -s $IP --sport $HIGH_PORTS -d $MY_IP --dport 22 -m state --state NEW -j ACCEPT done # Allow pwdgen queries from this box iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS --dport 129 -m state --state NEW -j ACCEPT # Allow "good" ICMP messages iptables -A INPUT -i $ACTIVE_IFACE -d $MY_IP -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A INPUT -i $ACTIVE_IFACE -d $MY_IP -p icmp --icmp-type time-exceeded -j ACCEPT iptables -A INPUT -i $ACTIVE_IFACE -d $MY_IP -p icmp --icmp-type parameter-problem -j ACCEPT for IP in $OTHER_SERVERS; do iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport 443 -m state --state NEW -j ACCEPT done # Getting quotes for IP in $NASDAQ; do iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport 80 -m state --state NEW -j ACCEPT done # Allow apt-get to work for IP in $DEBIAN_HOSTS; do iptables -A OUTPUT -o $ACTIVE_IFACE -p tcp -s $MY_IP --sport $HIGH_PORTS -d $IP --dport 80 -m state --state NEW -j ACCEPT done # Logging iptables -N LOGDROP >/dev/null 2>&1 iptables -F LOGDROP # Don't care for NETBIOS bcasts from MS boxes for IP in $MS_BOXES; do iptables -A LOGDROP -i $ACTIVE_IFACE -p udp -s $IP --sport 137:138 -d $LOCAL_BCAST --dport 137:138 -j DROP done iptables -A LOGDROP -o $ACTIVE_IFACE -m limit --limit 15/minute -j LOG --log-prefix "FIREWALL_OUT " iptables -A LOGDROP -i $ACTIVE_IFACE -m limit --limit 15/minute -j LOG --log-prefix "FIREWALL_IN " # I have seen real eth0 IP talking to loop before. Just in case I need something. # FIXME remove this when I am convinced there is nothing going on ... iptables -A LOGDROP -i lo -m limit --limit 15/minute -j LOG --log-prefix "LOOP_IN " iptables -A LOGDROP -o lo -m limit --limit 15/minute -j LOG --log-prefix "LOOP_OUT " # INPUT/OUTPUT Policy is good but better be safe than sorry. iptables -A LOGDROP -j DROP # Add logging in the end of INPUT, OUTPUT and FPRWARD chains iptables -A INPUT -j LOGDROP iptables -A OUTPUT -j LOGDROP iptables -A FORWARD -j LOGDROP ;; stop) # Open everything up.... # We have flushed all tables already # We probably never need to forward anyway so FORWARD is not here... iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT # If there is a LOGDROP table, delete it... iptables -F LOGDROP >/dev/null 2>&1 iptables -X LOGDROP >/dev/null 2>&1 ;; restart) $0 stop $0 start ;; *) echo "Try some sane argument" ;; esac
Current thread:
- Strange iptables log entries Ambrosy Vybegallo (Feb 11)