| 1 |
James wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> My iptables based firewall seem to be working, However, I keep getting |
| 5 |
> triplets of this activity: |
| 6 |
> |
| 7 |
> Problem (2286 > netbios-ssn) |
| 8 |
> source dest. proto info |
| 9 |
> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460 |
| 10 |
> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 |
| 11 |
> Win=0 Len=0 |
| 12 |
> |
| 13 |
> Any ideas on a rule to drop these requests to my web server? |
| 14 |
> |
| 15 |
> similarly I see the same thing except the info section is slightly |
| 16 |
> different: |
| 17 |
> similar problem (2469 > microsoft-ds) |
| 18 |
> rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460 |
| 19 |
> |
| 20 |
> and the response from my firewall is simialr |
| 21 |
> www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 |
| 22 |
> Win=0 Len=0 |
| 23 |
> |
| 24 |
> Other problems are (info section is only difference) epmap > 3081 |
| 25 |
> 3081 > epmap |
| 26 |
> |
| 27 |
> Each of these appear in tripplets... and seem useless. Are they |
| 28 |
> part of something stupidly done by microsoft? I think not |
| 29 |
> because they occur quite frequently, almost systematcially, |
| 30 |
> leading me to suspect they are part of nefarious activities? |
| 31 |
> |
| 32 |
> The only change is the port numbers (2286; 2469; 3081) and the |
| 33 |
> source IP address change after each triplet of queries. |
| 34 |
> |
| 35 |
> Any ideas, information and iptables rules to silently drop these |
| 36 |
> queries are most welcome. I see them all day long. |
| 37 |
> |
| 38 |
> |
| 39 |
> James |
| 40 |
> |
| 41 |
> |
| 42 |
> |
| 43 |
> |
| 44 |
> |
| 45 |
Depending on which PC these packets are targeted to you should use |
| 46 |
"INPUT" or "FORWARD" chains. If the target is a PC behind the firewall |
| 47 |
("FW" from now on) use "FORWARD". If the target is the FW itself use |
| 48 |
"INPUT". The rules should look like this: |
| 49 |
|
| 50 |
"iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets |
| 51 |
have destination the FW itself) |
| 52 |
"iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP" |
| 53 |
( < the packets have destination the "target-PC". ) |
| 54 |
|
| 55 |
If you omit "-d target-PC" from the second rule your FW will drop every |
| 56 |
packet with destination port="microsoft-ds" and IP address different |
| 57 |
from the IP address of the FW itself. Keep in mind that these rules may |
| 58 |
not be matched if the packets match other rules you have added previously. |
| 59 |
|
| 60 |
-- |
| 61 |
Best regards, |
| 62 |
Daniel |
| 63 |
|
| 64 |
|
| 65 |
-- |
| 66 |
gentoo-user@g.o mailing list |
Archives