Hi there,

> Now the weird problem is that I can't for my life block these packets!
> I've tried blocking them like this:
> iptables -I INPUT -s y.y.y.y -j DROP
> And the same for OUTPUT and FORWARD, and I've tried blocking
> on UDP port > 0, but they still come in.

You can't stop the packets from coming to your machine. If your IDS
(snort) is listening on the outside interface, then you'll see the packets
regardless of whether you drop them or not.

If the packets are addressed to the firewall/IDS machine itself, use the
INPUT chain. If they are addressed to somebody inside, use the FORWARD
chain.

> I see them with snort, even when the interface is not in promiscuous
> mode. What can I do? I'm stuck.

Promiscuous mode only changes whether or not you see the traffic that is
not addressed to you on the datalink layer. E.g. hosts A, B and C are
connected to an ethernet hub. B and C exchange some information. If you
run a sniffer on A you won't see anything _unless_ you enable promiscuous
mode on the ethernet card of A. If you are not in promiscuous mode you
still see all traffic that is addressed to you and the
broadcasts/multicasts on the datalink layer. That includes all traffic
routed through the box.

Take a peek at

  iptables -L INPUT -nvx
  iptables -L FORWARD -nvx

If the byte and packet counters increase over time, it means that you are
dropping some of the traffic now. If the counters are not zero, it means
that you have dropped some traffic since you inserted the rule or cleared
the counters.

Try inserting a -s y.y.y.y -j LOG rule just before the -s y.y.y.y -j DROP
rule. If it logs anything to the kernel log (dmesg or tail
/var/log/kern.log) then you in fact drop the traffic.

Try sniffing where the traffic should be filtered (maybe on the internal
interface). If you can't see it there, obviously you have dropped it.

Best regards,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
just another techie speaking for himself
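The counter check Boyan describes, written out as a small script. This is an added example, not part of his reply or of the original thread: it takes two snapshots of `iptables -L INPUT -nvx` output captured some time apart, picks out the DROP rule for a given source address, and reports whether its packet counter moved in between. The two listings, the source address 203.0.113.7 (an RFC 5737 documentation address standing in for y.y.y.y) and the function names drop_pkts and verdict are all constructed for the example; on a real box you would feed it the live output of `iptables -L INPUT -nvx` (or FORWARD, if the packets are for a host behind the firewall).

```shell
#!/bin/sh
# Added example (not from the original mail). Compares two snapshots of
# `iptables -L INPUT -nvx` and tells you whether the DROP rule for a
# given source address is actually matching packets.
#
# The listings below are constructed sample output in the -nvx format:
#   pkts bytes target prot opt in out source destination
# On a real firewall, capture them a few seconds apart with:
#   iptables -L INPUT -nvx
SNAP1='Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12     1464 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
       0        0 LOG        all  --  *      *       198.51.100.9         0.0.0.0/0'

SNAP2='Chain INPUT (policy ACCEPT 1260 packets, 570100 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      20     2440 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
       0        0 LOG        all  --  *      *       198.51.100.9         0.0.0.0/0'

# drop_pkts LISTING SRC
# Prints the packet counter (column 1) of the first DROP rule (column 3)
# whose source (column 8) equals SRC, or -1 if no such rule exists.
drop_pkts() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $3 == "DROP" && $8 == src && !found { print $1; found = 1 }
        END { if (!found) print "-1" }'
}

# verdict SNAP_BEFORE SNAP_AFTER SRC
# Prints "no-rule" if there is no DROP rule for SRC in either snapshot,
# "dropping" if the counter grew between the snapshots, "idle" otherwise.
# "idle" with a non-zero counter means the rule matched at some point
# since it was inserted (or since the counters were zeroed), just not now.
verdict() {
    before=$(drop_pkts "$1" "$3")
    after=$(drop_pkts "$2" "$3")
    if [ "$before" -lt 0 ] || [ "$after" -lt 0 ]; then
        echo no-rule
    elif [ "$after" -gt "$before" ]; then
        echo dropping
    else
        echo idle
    fi
}

verdict "$SNAP1" "$SNAP2" 203.0.113.7    # dropping: counter went 12 -> 20
verdict "$SNAP1" "$SNAP1" 203.0.113.7    # idle: same snapshot, no growth
verdict "$SNAP1" "$SNAP2" 198.51.100.9   # no-rule: its rule is LOG, not DROP
```

If the verdict is "dropping" while snort on the outside interface still reports the packets, the rule is working and snort is simply seeing them before the filter does, which is what the reply says to expect. If it is "no-rule" for the address you think you blocked, double-check the chain (INPUT vs FORWARD) and that `-n` is in use so the source column is numeric rather than a resolved name. To get the LOG evidence the reply also mentions, insert the LOG rule in front of the DROP, for example `iptables -I INPUT 1 -s 203.0.113.7 -j LOG --log-prefix "dropped-src: "` when the DROP rule is currently first, and watch dmesg.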

