Putrifier n00b
Joined: 29 Jun 2004 Posts: 46
Posted: Sun Jul 04, 2004 8:07 pm Post subject: Is the iptables firewall really THIS effective? |
A few days ago I adapted the great script found here, https://forums.gentoo.org/viewtopic.php?t=159710 , by krunk, for my system, and started it up.
Today, checking /usr/log/messages, I found it choking with stuff like this:
Code: | WINDOW=16384 RES=0x00 SYN URGP=0
Jul 4 15:42:26 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10508 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:28 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10825 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:34 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=11450 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:47 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=47048 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:50 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=47913 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:53 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.226.110 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=16965 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Jul 4 15:42:56 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=48967 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 4 15:42:56 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.226.110 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=17129 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Jul 4 15:43:02 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=27983 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0
Jul 4 15:43:04 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28147 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0
Jul 4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=64.229.25.81 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109
Jul 4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=64.229.25.81 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109
Jul 4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.210.228 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=2049 DF PROTO=TCP SPT=1871 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28320 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0 |
Now, I have to admit I'm a complete newbie regarding networks here, so maybe I am missing the point of these. (There are hundreds and hundreds of lines like that, btw, in huge chunks.)
Whois-ing some of those SRC IPs, I get weird things, like "Latin American and Caribbean IP address Regional Registry", from Uruguay, or "Asia Pacific Network Information Centre", in Australia.
My ISP is Bell Sympatico, by the way, regular ADSL service.
Any ideas what could be going on there? Is the web really such a dangerous place?
And, if those messages are normal, how exactly do I modify the firewall script so it doesn't log them, as it's quite a waste of resources?
Thanks in advance.
amne Bodhisattva
Joined: 17 Nov 2002 Posts: 6378 Location: Graz / EU
Posted: Sun Jul 04, 2004 8:35 pm Post subject: |
Nothing to be worried about, these are only misguided BitTorrent clients trying to connect to you because they think you are running BT, too. Some filesharing clients can be quite persistent in trying to connect, just ignore it.
I think removing the lines containing -j LOG in the definitions of the DROP and REJECT chains should work, but you might get a second opinion on it.
Putrifier n00b
Joined: 29 Jun 2004 Posts: 46
Posted: Sun Jul 04, 2004 8:37 pm Post subject: |
Great. Thanks a lot.
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
Posted: Mon Jul 05, 2004 2:19 am Post subject: Re: Is the iptables firewall really THIS effective? |
Putrifier wrote: "Any ideas what could be going on there? Is the web really such a dangerous place?"
Most of what you see is just noise. A lot comes from peer-to-peer clients trying to connect to a service that might once have been on your IP. They are essentially harmless. Some of your entries are your machine trying to broadcast UPnP information (UDP port 1900), and this should be blocked.
You will also see attempts to connect to well-known ports for SMTP, FTP, HTTP, DNS, web proxies, and others including trojans, looking for abusable machines to relay spam, viruses, trojans and other nasties. These, too, are harmless if the ports are closed.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
serendipity n00b
Joined: 05 Jun 2004 Posts: 69
Posted: Wed Jul 07, 2004 6:10 pm Post subject: |
Most of the traffic is P2P, but I must say that I receive constant probes from viruses, portscanners, you name it. I had a similar remark from a friend the other day, who was horrified to see the level of dropped traffic. I could not imagine putting a non-firewalled machine up on the net. I am so paranoid that my Gentoo box is behind a stateful hardware firewall and is itself running an iptables firewall (I use the wonderful fwbuilder GUI to generate my iptables scripts).
I tend to filter out blocked P2P traffic, otherwise the logs grow FAR too quickly.
bk0 Apprentice
Joined: 04 Jan 2004 Posts: 266
Posted: Thu Jul 08, 2004 1:01 am Post subject: |
You are using BitTorrent? If you are going to use it on a regular basis I *STRONGLY* recommend you enable incoming connections on the BitTorrent port range with your iptables setup. Lots of people complain that their torrent speeds are lousy or that they can't get a decent ratio, without realizing that their port(s) are closed.
From your log you appear to be blocking all attempts by peers to connect to you on the torrents you have active, which means you can't upload to them, which makes the torrent less efficient. Since you can't upload very well, your download speed won't be as good as it could be either. So open TCP ports 6881-6890:
Code: |
# port ranges use first:last; -A appends at the end of INPUT, so place this ahead of the script's catch-all DROP/LOG rule (e.g. with -I) or it never matches
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
|
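Added example, not code from the thread, from krunk's script, or from bk0: a small Python parser for the netfilter LOG format shown in the first post that buckets each logged packet into the noise classes Chris W describes (BitTorrent peers on the default 6881-6889 range, the Windows RPC endpoint mapper on TCP 135, the box's own SSDP/UPnP broadcasts to 239.255.255.250:1900, SMTP relay probes on 25), reports the busiest source per class, and counts how many lines would still be logged once bk0's ACCEPT rule for TCP 6881:6890 sits ahead of the logging DROP rule. The sample lines, addresses and port labels are constructed for this example; a truncated line like the first one in the excerpt is skipped rather than misparsed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the netfilter LOG format of the thread's excerpt.
# Addresses are documentation ranges, not the ones in the post.
SAMPLE_LOG = """\
Jul  4 15:42:26 kix DROPl:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10508 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  4 15:42:28 kix DROPl:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10825 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  4 15:42:53 kix DROPl:IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=16965 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Jul  4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=203.0.113.5 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109
Jul  4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28320 DF PROTO=TCP SPT=30429 DPT=6885 WINDOW=44620 RES=0x00 SYN URGP=0
Jul  4 15:43:20 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=4411 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
"""

HEADER_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Port labels are this example's assumption: 6881-6889 is the default
# BitTorrent range named in the thread, 135 the Windows RPC endpoint mapper,
# 1900 SSDP (UPnP discovery), 25 SMTP.
BT_PORTS = range(6881, 6890)
PORT_LABELS = {135: "ms-rpc", 25: "smtp", 1900: "ssdp"}


def parse_line(line):
    """Parse one kernel LOG line into a dict, or return None for a line that
    lacks the syslog header or the IN= marker (e.g. a truncated first line)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, host, body = m.groups()
    idx = body.find("IN=")
    if idx < 0:
        return None
    # a repeated key (LEN= appears twice for UDP) keeps its last value
    fields = dict(FIELD_RE.findall(body[idx:]))
    # bare tokens such as DF, SYN, ACK carry no "=": collect them as flags
    flags = {tok for tok in body[idx:].split() if "=" not in tok}

    def port(key):
        return int(fields[key]) if fields.get(key, "").isdigit() else None

    return {
        "ts": ts, "host": host, "prefix": body[:idx],
        "direction": "in" if fields.get("IN") else "out",
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "spt": port("SPT"), "dpt": port("DPT"),
        "flags": flags,
    }


def classify(rec):
    """Bucket a record into the noise classes discussed in the thread."""
    if rec["proto"] == "TCP" and rec["dpt"] in BT_PORTS:
        return "bittorrent"
    if rec["proto"] == "UDP" and rec["dpt"] == 1900 and rec["direction"] == "out":
        return "ssdp-out"          # the box's own UPnP discovery leaking out ppp0
    return PORT_LABELS.get(rec["dpt"], "other")


def summarize(log_text):
    """Count lines per class and per (class, source); unparseable lines are counted as skipped."""
    by_cat, sources, skipped = Counter(), defaultdict(Counter), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        cat = classify(rec)
        by_cat[cat] += 1
        sources[cat][rec["src"]] += 1
    return {"total": sum(by_cat.values()), "skipped": skipped,
            "by_category": by_cat, "sources": sources}


def accept_rule_matches(rec, lo=6881, hi=6890):
    """True if 'iptables -p tcp --dport lo:hi -j ACCEPT' on INPUT would match this
    packet, assuming the rule sits ahead of the logging DROP rule."""
    return (rec["direction"] == "in" and rec["proto"] == "TCP"
            and rec["dpt"] is not None and lo <= rec["dpt"] <= hi)


def remaining_after_accept(log_text, lo=6881, hi=6890):
    """Number of lines that would still be logged once the ACCEPT rule is in place."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return sum(1 for r in recs if not accept_rule_matches(r, lo, hi))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    for cat, n in s["by_category"].most_common():
        src, hits = s["sources"][cat].most_common(1)[0]
        print(f"{cat:12s} {n:5d}  busiest source {src} ({hits} hits)")
    print(f"skipped {s['skipped']} unparseable line(s)")
    print("lines still logged after ACCEPT tcp 6881:6890 inbound:",
          remaining_after_accept(text))
```

Pass the path of the real log as the first argument to run it over the messages file instead of the built-in sample. The per-source counts are what separate persistent but harmless peers (many SYNs from one source to one BitTorrent port, as in the excerpt) from a scanner walking many ports from one source, which is the case worth keeping in the log even after the P2P noise is filtered out.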
Putrifier n00b
Joined: 29 Jun 2004 Posts: 46
Posted: Thu Jul 08, 2004 2:30 am Post subject: |
All right, thanks. Going to change my iptables firewall to allow that. Thanks again.