jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Found some errors in the configuration and rules. Fixed that. And looks like I'm all set. Want to say a very big Thank You! One last thing: what do you think is the best AV(s) for cleaning up a machine? I use AVG, Prevx and ZA. Is there one you can recommend above all others? Thanks again, spoonwizard.
SpOonWiZaRd (Join Date: May 2007, title: Know what you can do.)
You can use SpamAssassin and ClamAV to act as a virus filter for your network once you have set up your Linux box correctly, and on the personal computer you can use McAfee 2008; download it from http://www.piratebay.org and just ask me if you need any login information.
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Tx
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Hey, spoonwizard. My friends hacked in again last night. Finally kicked them out by limiting the number of DHCP leases to 2 (the number of machines behind my Linux firewall) and then quickly acquiring them. But I was really surprised that they got through. Could you take a look at my iptables.up.rules below?

# Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Mon Oct 6 22:31:42 2008
# Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
*mangle
:PREROUTING ACCEPT [8032809:4858810232]
:INPUT ACCEPT [274326:82321712]
:FORWARD ACCEPT [7758442:4776486176]
:OUTPUT ACCEPT [188189:57922151]
:POSTROUTING ACCEPT [7950189:4835227897]
COMMIT
# Completed on Mon Oct 6 22:31:42 2008
# Generated by iptables-save v1.3.8 on Mon Oct 6 22:31:42 2008
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 6 22:31:42 2008

I tried installing configserver, but it blocked my two workstations from accessing the Internet.

Any idea how they got through?
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Also, is there a log anywhere where I can get their IP address on the net?

Update - found this:

Oct 20 02:08:35 remote kernel: [221331.793129] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1026 LEN=600
Oct 20 02:08:35 remote kernel: [221331.793190] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:80:ad:78:5f:c3:00:1e:be:ff:3d:05:08:00 SRC=60.222.224.134 DST=24.218.151.102 LEN=620 TOS=0x00 PREC=0x20 TTL=48 ID=0 DF PROTO=UDP SPT=55669 DPT=1027 LEN=600

SRC traces to Beijing. Any idea what this means?

Last edited by jimfix5; 22 Oct 2008 at 16:12.
SpOonWiZaRd (Join Date: May 2007, title: Know what you can do.)
Well, you ACCEPT access from both your NICs; you must only ACCEPT from your internal NIC and DROP all other packets, i.e. ICMP and so on, that come in from your external NIC. If eth1 is the external NIC then iptables must be like this:

-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -i eth1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT

Try that.
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
External is eth0, and internal is eth1; will reconfigure.
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Also, can't get Serv-U on Windows Server 2003 behind Linux to accept connections. Really appreciate your expert help.
jimfix5 (Go4Expert Member, Join Date: Sep 2008)
Trying to understand here. If my external NIC is eth0 and my internal is eth1, which they are, then the above rules allow input to the external ONLY if the connection is established and related, and that connection is then allowed to pass through the internal as well. If the external connection is not BOTH established AND related, nothing comes through the external. Is this not what the above rules dictate?
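As an added illustration, not part of the thread, here is a small Python model of the filter-table INPUT and FORWARD chains from the iptables.up.rules quoted earlier, walked against sample packets. It assumes the usual netfilter semantics: rules are tried top to bottom, `--state RELATED,ESTABLISHED` matches a packet whose conntrack state is either one of those, LOG does not terminate the walk, and a packet matching no terminating rule gets the chain policy.

```python
import shlex

# Constructed toy model of the posted rules; it is not netfilter and only
# understands the -i, -o, -p and --state matches and the targets used there.
RULES = """
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state RELATED,ESTABLISHED -j ACCEPT
"""
OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto",
        "--state": "states", "-j": "target"}

def parse(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from iptables-save lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)                 # keeps the quoted --log-prefix intact
        if toks[0].startswith(":"):              # ":INPUT DROP [0:0]" sets the policy
            policies[toks[0][1:]] = toks[1]
            continue
        rule, i = {}, 0
        while i < len(toks):
            key = OPTS.get(toks[i])
            if key:                              # option that takes one argument
                rule[key] = toks[i + 1]
            i += 2 if key else 1                 # skip -m state, --log-prefix X, --log-level N
        if "states" in rule:                     # --state A,B: ANY listed state matches
            rule["states"] = set(rule["states"].split(","))
        chains.setdefault(rule.pop("chain"), []).append(rule)
    return policies, chains

def verdict(chain, pkt, policies, chains):
    """First matching terminating rule wins; LOG falls through; else chain policy.
    pkt keys: in, out, proto, state (conntrack state NEW/ESTABLISHED/RELATED)."""
    for r in chains.get(chain, []):
        if any(r.get(k) and r[k] != pkt.get(k) for k in ("in", "out", "proto")):
            continue
        if r.get("states") and pkt.get("state") not in r["states"]:
            continue
        if r["target"] != "LOG":
            return r["target"]
    return policies[chain]

POLICIES, CHAINS = parse(RULES)
```

With these rules a NEW TCP connection arriving on eth0 falls to the INPUT policy DROP, while ICMP on eth0 is accepted because the `-p icmp` rule carries no interface match.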
kunals (Contributor)
spoonwizard is a hero