block outgoing packets with iptables

Peter Lowrie

 
      05-05-2006, 01:43 AM
Having set up a Windows 2000 PC I observed packets leaving the LAN, out
through the firewall/gateway to an IP address to a university in Korea.
Whereas it comes as little surprise that Win2k has trojans right out of the
box, what I want to do now is block the outgoing packets.

I use iptables and my configuration is as follows:


---------------------------------------------------
# set the standard stuff

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 203.97.251.40
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# -A FORWARD -m state --state INVALID -j DROP

#### Host specific
-A INPUT -s 67.19.44.116/255.255.255.255 -j DROP
-A INPUT -s 61.145.116.86/255.255.255.255 -j DROP
-A INPUT -s 202.101.119.196/255.255.255.255 -j DROP
-A INPUT -s 200.49.242.35/255.255.255.255 -j DROP
-A INPUT -s 210.208.183.55/255.255.255.255 -j DROP

# Network specific

# akamai networks
-A INPUT -s 203.167.251.247/255.255.255.255 -j DROP

# sucking data from ms machines
-A INPUT -s 165.246.99.95/255.255.255.255 -j DROP
-A INPUT -s 221.9.142.91/255.255.255.255 -j DROP

# senders of viruses in junkmail
-A INPUT -s 61.246.18.251/255.255.255.255 -j DROP

# Tell Yahoo's robot to fuck off
-A INPUT -s 216.136.232.41/255.255.255.255 -j REJECT

COMMIT
---------------------------------------------------------

You can see the #sucking data stuff, well that only stops connections from
the machines that otherwise receive unauthorised packets. How do I block
the packets from leaving the LAN to begin with? Like, can I use "!" to mean
the reverse, like this:

-A INPUT -s ! 165.246.99.95/255.255.255.255 -j DROP

or could I go:

-A OUTPUT -s 165.246.99.95/255.255.255.255 -j DROP


--
Regards,
Peter.
http://www.pelicom.net.nz

Grant

 
      05-05-2006, 03:03 AM
On Fri, 05 May 2006 13:43:40 +1200, Peter Lowrie <(E-Mail Removed)> wrote:

>Having set up a Windows 2000 PC I observed packets leaving the LAN, out
>through the firewall/gateway to an IP address to a university in Korea.
>Whereas it comes as little surprise that Win2k has trojans right out of the
>box what I want to do now is block the outgoing packets.


No, you block the crap coming in GIGO!

>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]


These two must be DROP policy for security; you are letting
anything from the world into the box and localnet. Instead, deny all,
then carefully select what you allow in.

See my: <http://bugsplatter.mine.nu/junkview/> for router firewall
plus logging utility info and code (GPL) as a starter, or try one
of the iptables firewall setup programs out there.

Grant.
--
Memory fault -- brain fried

Moe Trin

 
      05-05-2006, 03:31 AM
On Fri, 05 May 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, Peter Lowrie wrote:

>Having set up a Windows 2000 PC I observed packets leaving the LAN, out
>through the firewall/gateway to an IP address to a university in Korea.


How did it get infected? Did someone click on a "bad" site while windoze
was in the "install anything without asking me" mode, or someone install
some n34t0 windoze helper that was really a trojan, or did you forward
packets to the windoze box because you want it to run some server?

>Whereas it comes as little surprise that Win2k has trojans right out of the
>box what I want to do now is block the outgoing packets.


The easier way is to disconnect the damn thing, wipe it clean, and
reinstall - this time, locking it down before connecting. As for blocking
the outbound packets - that's a piece of cake.

>I use iptables and my configuration is as follows:


There are a number of HOWTOs that give good advice on this. It's not
obvious what distribution you are using, so start with

278012 Jul 23 2002 Security-Quickstart-HOWTO

># set the standard stuff


OK

>*filter


I think you want those to be DROP rather than ACCEPT.

>#### Host specific


Any specific reason to block by host addresses?

>-A INPUT -s 67.19.44.116/255.255.255.255 -j DROP


67.18.0.0 - 67.19.255.255 ThePlanet.com KDAL rwhois://rwhois.theplanet.com:4321

>-A INPUT -s 61.145.116.86/255.255.255.255 -j DROP


61.128.0.0 - 61.191.255.255 ChinaNet - various provincial networks

>-A INPUT -s 202.101.119.196/255.255.255.255 -j DROP


202.95.252.0 - 202.122.7.255 ChinaNet - various provincial networks

>-A INPUT -s 200.49.242.35/255.255.255.255 -j DROP


200.49.240.0 - 200.49.247.255 ESPOLTEL Guayaquil, Ecuador

>-A INPUT -s 210.208.183.55/255.255.255.255 -j DROP


210.208.128.0 - 210.208.191.255 nap.net.tw

># akamai networks
>-A INPUT -s 203.167.251.247/255.255.255.255 -j DROP


That's TelstraClear (203.167.224.0/19) - but I'd be careful about
blocking Akamai, as they are a content delivery service, meaning that
they provide service for others, such as microsoft, and a couple of
windoze anti-virus companies.

>-A INPUT -s 165.246.99.95/255.255.255.255 -j DROP


165.246.0.0 - 165.246.255.255 Inha University

>-A INPUT -s 221.9.142.91/255.255.255.255 -j DROP


221.8.0.0 - 221.9.255.255 CNC Group CHINA169 Jilin Province Network

># senders of viruses in junkmail
>-A INPUT -s 61.246.18.251/255.255.255.255 -j DROP


61.246.0.0 - 61.246.255.255 BHARTI INFOTEL LTD New Delhi

Not sure why you bother - just nuke the whole thing.

>You can see the #sucking data stuff, well that only stops connections from
>the machines that otherwise receive unauthorised packets. How do I block
>the packets from leaving the LAN to begin with?


No, that blocks the connection to that host, period. You can send a SYN
packet, but your INPUT DROP rule blocks the resulting SYN/ACK - ergo, no
connection can be established.

>Like, can I use "!" to mean the reverse, like this:


That makes no sense.

>or could I go:
>
>-A OUTPUT -s 165.246.99.95/255.255.255.255 -j DROP


Neither does that - you would want to block that as a _destination_ not
a _source_ address... unless you have that address on your LAN ;-)

Old guy
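A corrected ruleset for the gateway, written as an added example and not taken from any post in the thread: it applies Grant's default-DROP policies and Moe Trin's point that the Korean host has to be matched as a destination, and in the FORWARD chain rather than OUTPUT, because the Windows box's packets transit the router instead of originating on it. eth1 and the SNAT address come from Peter's posted config; eth0 as the LAN interface and 192.168.0.0/24 as the LAN are assumptions.

```iptables
# Assumptions (not from the thread): eth0 is the LAN side and the LAN is
# 192.168.0.0/24. eth1 and the SNAT address come from Peter's posted config.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 203.97.251.40
COMMIT

*filter
# Default-deny for packets addressed to the router (INPUT) and packets it
# routes for the LAN (FORWARD). OUTPUT only sees packets the router itself
# generates, which is why "-A OUTPUT -s <korean host>" would match nothing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Router itself: loopback, replies to its own connections, SSH from the LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

# Routed traffic: drop junk first (the two rules Peter had commented out).
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Block the hosts the LAN was seen talking to, matched as DESTINATION and
# placed before the ESTABLISHED rule so an already-open flow is cut as well.
# LOG first: the logged source address names the infected LAN machine.
-A FORWARD -i eth0 -d 165.246.99.95 -j LOG --log-prefix "FWD-BLOCK: "
-A FORWARD -i eth0 -d 165.246.99.95 -j DROP
-A FORWARD -i eth0 -d 221.9.142.91 -j LOG --log-prefix "FWD-BLOCK: "
-A FORWARD -i eth0 -d 221.9.142.91 -j DROP

# Replies to LAN-initiated connections come back; nothing unsolicited does,
# and everything else the LAN initiates may go out via eth1.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules` from a LAN-side SSH session; the INPUT ESTABLISHED rule keeps that session alive while the policies flip to DROP, and the "FWD-BLOCK:" lines in the kernel log then show which LAN address is still trying to reach the blocked hosts.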