Re: iptables: allowing only listed hosts to connect to a port
Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
> Just as expected. Are you really really 100% sure that hosts outside the
> list ranges can connect to the port ?

I am using tcpdump -nA port 7500 on the machine. This shows entries from
various hosts outside of the allowable range. An example is shown below:

08:10:54.949811 IP 216.139.243.81.1630 > 10.0.0.8.7500: P 1:1208(1207) ack 1 win 65535

The address 216.139.243.81 is not on my access list. I want to restrict
traffic on that port to hosts within the selected territories of the United
Kingdom of Great Britain. The 216.139.243.81 access above is coming from a
Microsoft Windows based robot in Texas, USA.

I have a list of ISP internet network addresses, that I want to use as the
permitted access list against the port.

Regards,

Mark.
--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.

Re: iptables: allowing only listed hosts to connect to a port
Mark Hobley wrote:
> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>
>> Just as expected. Are you really really 100% sure that hosts outside the
>> list ranges can connect to the port ?
>
> I am using tcpdump -nA port 7500 on the machine. This shows entries from
> various hosts outside of the allowable range.

Tcpdump captures traffic at the interface, before incoming packets enter the
iptables chains and after outgoing packets leave the iptables chains. It
shows all incoming SYN requests from any source, but I guess only allowed
sources get a SYN/ACK reply.

In short:

interface --- iptables --- TCP/IP stack --- process
    ^
    |
tcpdump is here

Re: iptables: allowing only listed hosts to connect to a port
Chipmunk wrote:
> Baho Utot wrote:
>> Mark Hobley wrote:
>>
>>> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>>>
>>>> Weird. Are there other rules in the ruleset ? What happens if you
>>>> remove all the ACCEPT rules and leave only the DROP rule ?
>>> There are no additional rules in the ruleset. The setup script is as
>>> posted.
>>>
>>> If I just have the drop line, all traffic to the port is dropped.
>>>
>>> If I invert the script as follows:
>>>
>>> iptables -A INPUT -p tcp --dport 7500 -jDROP
>>>
>>> for addr in $ALLOWED
>>> do
>>>     iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
>>> done
>>>
>>> This produces a filter table as follows:
>>>
>>> DROP    tcp -- 0.0.0.0/0      0.0.0.0/0  tcp dpt:7500
>>> ACCEPT  tcp -- 10.0.0.0/8     anywhere   tcp dpt:7500
>>> ACCEPT  tcp -- 192.168.0.0/16 anywhere   tcp dpt:7500
>>> ACCEPT  tcp -- 51.0.0.0/8     anywhere   tcp dpt:7500
>>> ACCEPT  tcp -- 62.30.0.0/16   anywhere   tcp dpt:7500
>>> ACCEPT  tcp -- 80.0.0.0/13    anywhere   tcp dpt:7500
>>>
>>> However, in this scenario, all network traffic to port 7500 remains
>>> blocked, even from the accepted ports, presumably because the first rule
>>> produces a match, and the rest of the table is then ignored.
>>>
>>> iptables -V reveals:
>>>
>>> iptables v1.3.6
>>>
>>> cat /proc/version reveals:
>>>
>>> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>>>
>>> Regards,
>>>
>>> Mark.
>>>
>>
>> Yes working correctly.
>> The first rule drops the packet and the other rules then match nothing.
>>
>
> Erm shouldn't the DROP rule be after the accept rules?

Yes that's just what I said. The first rule drops the packet; the others see
nothing. Conclusion: IPTABLES and script working as written. The order of the
rules matters -----> producing exactly what he described :)
--
Tayo'y mga Pinoy

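A version of the allow-list script in which the DROP can only ever be the last rule, added here as an example and not code from the thread. It assumes a dedicated chain name (ALLOW_7500) and uses the thread's sample ranges as constructed input; it only prints the iptables commands and checks their order, so they can be reviewed before being piped through sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread: build an iptables allow-list for
# one TCP port in a dedicated chain, with every ACCEPT emitted before the one
# final DROP, and verify that order before anything is applied.
# The script only prints the commands; review them, then pipe through sh as root.
PORT="${PORT:-7500}"
CHAIN="${CHAIN:-ALLOW_${PORT}}"          # assumed chain name
# Constructed sample ranges; in practice ALLOWED holds the full ISP/country list.
ALLOWED="${ALLOWED:-10.0.0.0/8 192.168.0.0/16 51.0.0.0/8 62.30.0.0/16 80.0.0.0/13}"

# One iptables command per line. Packets to the port are sent from INPUT into
# the chain; the chain accepts listed sources and drops everything else last.
build_rules() {
    echo "iptables -N $CHAIN"            # errors but continues if it already exists
    echo "iptables -F $CHAIN"
    echo "iptables -A INPUT -p tcp --dport $PORT -j $CHAIN"
    for addr in $ALLOWED; do
        echo "iptables -A $CHAIN -s $addr -p tcp --dport $PORT -j ACCEPT"
    done
    echo "iptables -A $CHAIN -p tcp --dport $PORT -j DROP"
}

# Read a rule list on stdin and exit 0 only if the chain has exactly one
# DROP and no ACCEPT appended after it (the mistake in the inverted script).
check_order() {
    awk -v chain="$CHAIN" '
        $0 ~ ("-A " chain) && /-j DROP/   { drops++ }
        $0 ~ ("-A " chain) && /-j ACCEPT/ { if (drops) late = 1 }
        END { exit (drops != 1 || late) ? 1 : 0 }'
}

if build_rules | check_order; then
    build_rules
else
    echo "generated rules have a DROP before an ACCEPT; not printing them" >&2
    exit 1
fi
```

Run `sh allowlist.sh | sudo sh` once the printed rules look right; `iptables -L ALLOW_7500 -n` then shows the ACCEPT lines with the single DROP at the bottom.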
Re: iptables: allowing only listed hosts to connect to a port
Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
> Tcpdump captures traffic at the interface, before incoming packets enter
> the iptables chains and after outgoing packets leave the iptables
> chains. It shows all incoming SYN requests from any source, but I guess
> only allowed sources get a SYN/ACK reply.
>
> In short:
>
> interface --- iptables --- TCP/IP stack --- process
>     ^
>     |
> tcpdump is here

Hmmm, for some reason, the traffic is reaching the application process,
because tcpdump also shows reply traffic coming from the server process to
the unauthorized client:

21:22:07.637908 IP 202.100.82.9.22091 > 10.0.0.8.7500: F 2082:2082(0) ack 3973 win 65535
E..().@.p....dR ....VK.@}D......P...T.........
21:22:07.638071 IP 10.0.0.8.7500 > 202.100.82.9.22091: . ack 2083 win 11680
E..(..@.@..[ .....dR .@VK....}D..P.-.'...

Could it be that the traffic is not being recognized as tcp type traffic? I
am also wondering if there is some sort of limit in iptables causing it to
somehow bomb out before the final drop line is reached. In reality my allow
list has some 2000 or so British networks listed (taken from
http://www.countryipblocks.net). The list appears to be complete if I do
iptables -L -n. This list shows all the networks, and the final drop line,
so I know that my script is populating iptables.

I am performing further tests.

Regards,

Mark.
--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.

Re: iptables: allowing only listed hosts to connect to a port
On Fri, 04 Jul 2008 21:30:24 +0100, Mark Hobley passed an empty day by
writing:
> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>> Tcpdump captures traffic at the interface, before incoming packets
>> enter the iptables chains and after outgoing packets leave the iptables
>> chains. It shows all incoming SYN requests from any source, but I guess
>> only allowed sources get a SYN/ACK reply.
>>
>> In short:
>>
>> interface --- iptables --- TCP/IP stack --- process
>>     ^
>>     |
>> tcpdump is here
>
> Hmmm, for some reason, the traffic is reaching the application process,
> because tcpdump also shows reply traffic coming from the server process
> to the unauthorized client:
>
> 21:22:07.637908 IP 202.100.82.9.22091 > 10.0.0.8.7500: F 2082:2082(0)
> ack 3973 win 65535
> E..().@.p....dR
> ...VK.@}D......P...T.........
> 21:22:07.638071 IP 10.0.0.8.7500 > 202.100.82.9.22091: . ack 2083 win
> 11680
> E..(..@.@..[
> ....dR .@VK....}D..P.-.'...
>
> Could it be that the traffic is not being recognized as tcp type
> traffic? I am also wondering if there is some sort of limit in iptables
> causing it to somehow bomb out before the final drop line is reached. In
> reality my allow list has some 2000 or so British networks listed (taken
> from http://www.countryipblocks.net). The list appears to be complete if
> I do iptables -L -n. This list shows all the networks, and the final
> drop line, so I know that my script is populating iptables.
>
> I am performing further tests.
>
> Regards,
>
> Mark.

That is an interesting site Mark. The only flaw in the plan is most
attackers use a chain of proxies and bypass this kind of filtering.
--
begin oefixed_in_2005.exe

Re: iptables: allowing only listed hosts to connect to a port
Klunk <bill.gates@microsoft.com> wrote:
> That is an interesting site Mark. The only flaw in the plan is most
> attackers use a chain of proxies and bypass this kind of filtering.

Yeah. I would like to see door number and postcode in all hostnames, so
that owners of compromised machines could be notified.

Mark.
--
Mark Hobley, 393 Quinton Road West, Quinton, BIRMINGHAM. B32 1QE.