James wrote:

> Hello,
>
> My iptables based firewall seems to be working. However, I keep getting
> triplets of this activity:
>
> Problem (2286 > netbios-ssn)
> source dest. proto info
> curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
> www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
> Win=0 Len=0
>
> Any ideas on a rule to drop these requests to my web server?
>
> Similarly I see the same thing except the info section is slightly
> different:
> similar problem (2469 > microsoft-ds)
> rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460
>
> and the response from my firewall is similar:
> www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1
> Win=0 Len=0
>
> Other problems are (info section is only difference) epmap > 3081
> 3081 > epmap
>
> Each of these appears in triplets... and seems useless. Are they
> part of something stupidly done by Microsoft? I think not
> because they occur quite frequently, almost systematically,
> leading me to suspect they are part of nefarious activities?
>
> The only change is the port numbers (2286; 2469; 3081) and the
> source IP address change after each triplet of queries.
>
> Any ideas, information and iptables rules to silently drop these
> queries are most welcome. I see them all day long.
>
>
> James

Depending on which PC these packets are targeted at you should use the
"INPUT" or "FORWARD" chain. If the target is a PC behind the firewall
("FW" from now on) use "FORWARD". If the target is the FW itself use
"INPUT". The rules should look like this:

"iptables -A INPUT -p tcp --dport microsoft-ds -j DROP" ( < the packets
have the FW itself as destination)
"iptables -A FORWARD -d *target-PC* -p tcp --dport microsoft-ds -j DROP"
( < the packets have the "target-PC" as destination)

If you omit "-d target-PC" from the second rule your FW will drop every
packet with destination port "microsoft-ds" and an IP address different
from the IP address of the FW itself. Keep in mind that these rules may
not be matched if the packets match other rules you have added previously.

-- 
Best regards,
Daniel

-- 
gentoo-user@g.o mailing list