| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Daniel Iliev wrote: |
| 5 |
> James wrote: |
| 6 |
>>> Daniel Iliev <danny <at> ilievnet.com> writes: |
| 7 |
>>> |
| 8 |
>> |
| 9 |
>> My iptables based firewall seem to be working, However, I keep getting triplets |
| 10 |
>> of this activity: |
| 11 |
>> |
| 12 |
>> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460 |
| 13 |
>> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 |
| 14 |
>> Win=0 Len=0 |
| 15 |
>> |
| 16 |
>> similar problem (2469 > microsoft-ds) |
| 17 |
>> Other problems are (info section is only difference) epmap > 3081 |
| 18 |
>> |
| 19 |
>> |
| 20 |
>> |
| 21 |
>> |
| 22 |
>>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets |
| 23 |
>>> have destination the FW itself) |
| 24 |
>>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP" |
| 25 |
>>> ( < the packets have destination the "target-PC". ) |
| 26 |
>>> |
| 27 |
>> |
| 28 |
>> Your advice is working, beautiful |
| 29 |
>> |
| 30 |
>> Much Thanks! |
| 31 |
>> |
| 32 |
>> |
| 33 |
>> James |
| 34 |
>> |
| 35 |
>> |
| 36 |
>> |
| 37 |
>> |
| 38 |
> I'm not sure if get this message right, but if it is a question how to |
| 39 |
> deal with packets like these: |
| 40 |
> |
| 41 |
>> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460 |
| 42 |
>> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 |
| 43 |
> |
| 44 |
> the answer is: Add the same rules, but replace "microsoft-ds" with "netbios-ssn" or the corresponding number from /etc/services. Those rules would look like: |
| 45 |
> "iptables -A INPUT -p tcp --dport netbios-ssn -j DROP" |
| 46 |
> it's the same as: |
| 47 |
> "iptables -A INPUT -p tcp --dport 139 -j DROP" |
| 48 |
> |
| 49 |
> And if the target is not the FW: |
| 50 |
> iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP |
| 51 |
> or |
| 52 |
> iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP |
| 53 |
> |
| 54 |
> |
| 55 |
> It seems that you want to stop the ms netbios activity. The ports used |
| 56 |
> for this service are 137,138,139 and 445 so the rule-set could be |
| 57 |
> something like this: |
| 58 |
> |
| 59 |
> iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP |
| 60 |
> iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP |
| 61 |
> |
| 62 |
> or |
| 63 |
> |
| 64 |
> iptables -A INPUT -p tcp --dport 445 -j DROP |
| 65 |
> iptables -A INPUT -p tcp --dport 137:139 -j DROP |
| 66 |
> |
| 67 |
> |
| 68 |
|
| 69 |
Actually, some of those ports are UDP. /etc/services says the same for |
| 70 |
both TCP and UDP. So if -p is required for --dport, you would have to |
| 71 |
add rules for UDP as well. |
| 72 |
|
| 73 |
iptables -A FORWARD -d *target-PC* -p udp --dport 137:139 -j DROP |
| 74 |
iptables -A INPUT -p udp --dport 137:139 -j DROP |
| 75 |
|
| 76 |
- -- |
| 77 |
gentux |
| 78 |
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge' |
| 79 |
|
| 80 |
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 |
| 81 |
18D3 4A9E |
| 82 |
-----BEGIN PGP SIGNATURE----- |
| 83 |
Version: GnuPG v1.4.5 (GNU/Linux) |
| 84 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 85 |
|
| 86 |
iD8DBQFE7MyxTPA54hjTSp4RAhjGAKCUmxCgS62ZjCKhGsUW28M25UfnVgCfeHer |
| 87 |
R9eOM9mQA999cNZ43ICRqAQ= |
| 88 |
=SX5D |
| 89 |
-----END PGP SIGNATURE----- |
| 90 |
-- |
| 91 |
gentoo-user@g.o mailing list |
Archives