[lug] iptables mystery, redhat/fedora flavor
D. Stimits
stimits at comcast.net
Mon Jan 1 18:58:36 MST 2007
I'm editing iptables rules in /etc/sysconfig/iptables, which is set up
fairly standard for the most part. It denies everything except what is
explicitly allowed. After it is done with specific deny or allow rules,
it hits a LOG rule, and then the final REJECT rule for all things.
I'm getting so many hits to Microsoft vulnerabilities that I wanted to
catch some of the particular high traffic ports and avoid logging them.
I'm hoping that catching a port hit with a specific rule to DENY prior
to reaching LOG will stop the LOG rule from seeing it, but this is not
happening. The traffic is definitely being denied, I can even verify
that with port scanning. What I can't verify is if it is the blanket
deny all at the end, or the specific deny earlier on. Indications are
that since the log rule is seeing the hit, then it must be only the
blanket deny at the end which is actually blocking it.
Is there something wrong with this rule pair which would cause it to not
block port 139 TCP?
-A INPUT -p tcp -m tcp -d 209.97.225.113/32 --dport 139 --syn -j REJECT
-A INPUT -p tcp -m tcp -d 209.97.225.113/32 --dport 139 -j REJECT
I added the --syn rule as an experiment because the rule following it
was not stopping it from logging. The final blanket deny rule is:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
D. Stimits, stimits AT comcast DOT net
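The first-match walk that decides whether the LOG rule ever sees a port-139 packet, as an added example that is not part of the original post: a small simulator of iptables chain traversal over rules in iptables-save syntax. The two rulesets and the user-chain name RH-Firewall-1-INPUT are constructed for illustration (the stock Fedora/RHEL firewall of that era jumps from INPUT into such a chain); what decides the logging is whether the specific REJECT is evaluated before or after the LOG rule, including across that jump.

```python
import ipaddress

def parse_rules(text):
    # Group iptables-save style "-A CHAIN ..." lines by chain, keeping file order.
    chains = {}
    for line in text.strip().splitlines():
        argv = line.replace("--syn", "--syn 1").split()   # make --syn a key/value pair
        rule = dict(zip(argv[2::2], argv[3::2]))
        chains.setdefault(argv[1], []).append(rule)
    return chains

def matches(rule, pkt):
    # Every match option present on the rule must agree with the packet.
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.get("-d", "0.0.0.0/0"))
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and (not rule.get("--syn") or pkt["syn"]))

def walk(chains, chain, pkt, logged):
    # First matching terminating rule wins; LOG only records and falls through.
    for rule in chains.get(chain, []):
        target = rule.get("-j") if matches(rule, pkt) else None
        if target == "LOG":
            logged.append(rule)
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return target
        elif target in chains and (verdict := walk(chains, target, pkt, logged)):
            return verdict                         # user-defined chain decided it
    return None                                    # fell off the end of the chain

def evaluate(text, pkt):
    # Return (verdict, was_logged) for one packet entering the INPUT chain.
    logged = []
    return walk(parse_rules(text), "INPUT", pkt, logged), bool(logged)

PKT_139 = {"proto": "tcp", "dst": "209.97.225.113", "dport": 139, "syn": True}
# Constructed ruleset: the specific REJECT precedes LOG, so port 139 is refused unlogged.
EARLY = """
-A INPUT -p tcp -m tcp -d 209.97.225.113/32 --dport 139 --syn -j REJECT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Constructed ruleset: INPUT jumps into a user chain that LOGs and REJECTs everything
# left, so the port-139 rule appended to INPUT after the jump is never reached.
LATE = """
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp -d 209.97.225.113/32 --dport 139 -j REJECT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
```

Under EARLY a non-SYN segment to port 139 is still logged, because that REJECT carries --syn; the unqualified rule is the one that has to sit before LOG to silence the port entirely.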