Daniel Iliev wrote:
> James wrote:
>>> Daniel Iliev <danny <at> ilievnet.com> writes:
>>>
>>
>> My iptables based firewall seems to be working; however, I keep getting triplets
>> of this activity:
>>
>> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
>> Win=0 Len=0
>>
>> similar problem (2469 > microsoft-ds)
>> Other problems are (info section is only difference) epmap > 3081
>>
>>> "iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
>>> have destination the FW itself)
>>> "iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
>>> ( < the packets have destination the "target-PC". )
>>>
>>
>> Your advice is working, beautiful.
>>
>> Many thanks!
>>
>> James
>>
> I'm not sure if I get this message right, but if it is a question of how to
> deal with packets like these:
>
>> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
>> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
>
> the answer is: add the same rules, but replace "microsoft-ds" with
> "netbios-ssn" or the corresponding number from /etc/services. Those
> rules would look like:
> "iptables -A INPUT -p tcp --dport netbios-ssn -j DROP"
> it's the same as:
> "iptables -A INPUT -p tcp --dport 139 -j DROP"
>
> And if the target is not the FW:
> iptables -A FORWARD -d *target-PC* -p tcp --dport netbios-ssn -j DROP
> or
> iptables -A FORWARD -d *target-PC* -p tcp --dport 139 -j DROP
>
> It seems that you want to stop the MS NetBIOS activity. The ports used
> for this service are 137, 138, 139 and 445, so the rule-set could be
> something like this:
>
> iptables -A FORWARD -d *target-PC* -p tcp --dport 445 -j DROP
> iptables -A FORWARD -d *target-PC* -p tcp --dport 137:139 -j DROP
>
> or
>
> iptables -A INPUT -p tcp --dport 445 -j DROP
> iptables -A INPUT -p tcp --dport 137:139 -j DROP
>

Actually, some of those ports are UDP. /etc/services says the same for
both TCP and UDP. So if -p is required for --dport, you would have to
add rules for UDP as well.

iptables -A FORWARD -d *target-PC* -p udp --dport 137:139 -j DROP
iptables -A INPUT -p udp --dport 137:139 -j DROP

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2
18D3 4A9E
--
gentoo-user@g.o mailing list
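As an added example that is not part of the thread: a small POSIX shell script that emits the complete TCP and UDP rule set the thread arrives at, for both the INPUT case (packets aimed at the firewall) and the FORWARD case (packets aimed at a protected host), and can optionally apply it without duplicating rules that already exist. The function names, the placeholder address 192.168.1.10 and the UDP 445 line (a generalization of the UDP rules above, since /etc/services lists 445 for both protocols) are assumptions of this example, not text from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# NetBIOS/SMB drop rules discussed above, for TCP and UDP alike.
# Usage: netbios_rules CHAIN [DEST]
#   CHAIN is INPUT (traffic to the firewall itself) or FORWARD (routed
#   traffic); DEST is the protected host for FORWARD. 192.168.1.10 below
#   is a constructed placeholder, not an address from the thread.
netbios_rules() {
    chain=$1
    dest=$2
    # A destination match only applies to FORWARD, as in the thread.
    dmatch=""
    if [ "$chain" = "FORWARD" ] && [ -n "$dest" ]; then
        dmatch="-d $dest "
    fi
    # Ports from the thread: netbios-ns/dgm/ssn (137-139) and microsoft-ds (445).
    # /etc/services lists them for both protocols, so emit each twice.
    for proto in tcp udp; do
        echo "iptables -A $chain ${dmatch}-p $proto --dport 137:139 -j DROP"
        echo "iptables -A $chain ${dmatch}-p $proto --dport 445 -j DROP"
    done
}

# Apply a list of rules idempotently: 'iptables -C' exits 0 when the rule
# already exists, so a rule is only appended when it is missing.
apply_rules() {
    while read -r line; do
        check=$(printf '%s\n' "$line" | sed 's/ -A / -C /')
        eval "$check" 2>/dev/null || eval "$line"
    done
}

# Dry run by default: print the rules. Set APPLY=1 (and TARGET for the
# FORWARD case) to feed them to iptables, which needs root.
if [ "${APPLY:-0}" = "1" ]; then
    netbios_rules INPUT | apply_rules
    netbios_rules FORWARD "${TARGET:?set TARGET to the protected host}" | apply_rules
else
    netbios_rules INPUT
    netbios_rules FORWARD 192.168.1.10
fi
```

Because the rules are appended with -A, as in the thread, they only take effect if no broader ACCEPT earlier in the chain matches the same packets first.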