Re: Circumventing IPTables

[Chris Hoeschen]

Sure thing:   Chain PREROUTING (policy ACCEPT) target     prot opt source               destination         ACCEPT     all  --  127.0.0.1            127.0.0.1          ACCEPT     all  --  127.0.0.1            192.168.10.0/24    ACCEPT     all  --  192.168.10.0/24      127.0.0.1          ACCEPT     all  --  192.168.10.0/24      192.168.10.0/24    ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0          DNAT       tcp  --  0.0.0.0/0            x.x.x.x      tcp dpt:80 to:192.168.0.2:80   Chain FORWARD (policy DROP) target     prot opt source               destination         ACCEPT     all  --  127.0.0.1            127.0.0.1          ACCEPT     all  --  127.0.0.1            192.168.10.0/24    ACCEPT     all  --  192.168.10.0/24      127.0.0.1          ACCEPT     all  --  192.168.10.0/24      192.168.10.0/24    BANNED     all  --  0.0.0.0/0            0.0.0.0/0          ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED   Chain BANNED (2 references) target     prot opt source               destination         ACCEPT     all  --  127.0.0.1            127.0.0.1          ACCEPT     all  --  127.0.0.1            192.168.10.0/24    ACCEPT     all  --  192.168.10.0/24      127.0.0.1          ACCEPT     all  --  192.168.10.0/24      192.168.10.0/24    LOGDROP   all  --  y.y.y.y/16       0.0.0.0/0            $IPTABLES -A LOGDROP -j LOG --log-prefix Logged: $IPTABLES -A LOGDROP -j DROP     My IP address is x.x.x.x and trying to block y.y.y.y/16     ----- Original Message ----- From: Stewart Thompson To: [EMAIL PROTECTED] Sent: Monday, April 29, 2002 7:27 PM Subject: RE: Circumventing IPTables Chris:               The information you give is a little sketchy for any of us to give you a good answer. In general the order of the rules is important. If the packet traverses a rule which accepts it before it reaches your ban rule, it will make it through every time. Review your rules carefully. If you are forwarding to a machine inside your network, there must be a DNAT and Forward rule associated with this as well. How about reposting with the pertinent rules, a printout of your iptables �v �L �t nat and iptables �v �L FORWARD.     Stu���..       -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Hoeschen Sent: April 29, 2002 4:25 PM To: [EMAIL PROTECTED] Subject: Circumventing IPTables   I have a situation on my network.  I want to block access to my site (web server, etc) from a IP address class.  I created a rule to drop connections coming from this IP address range (iptables -A BANNED -p tcp -s 1.2.3.4/16 -j DROP) but this person keeps getting connected to me.  I know this because my message boards on my web server logs the IP address of the poster and I am getting a post from ip address 1.2.150.200 which should be included in the DROP rule.  Now I added a log rule with the same IP address and I don't see any log entries.  The only logical conclusion I can come up with is this person is somehow finding a way to circumvent my firewall.   My question to you all and to you hackers is is there a way to get around a firewall based on IPTables either by spoofing an IP address or creating a TCP packet that IPTables lets though or any other way you can possible think of to get around a IPTables based firewall?   I should also add that my firewall is dedicated and my web server is behind it getting its packets forwarded.  In my FORWARD chain I have all packets going though the BANNED user defined chain (iptables -A FORWARD -j BANNED.)  Also I have tested this by blocked myself and I can't connect to anything when I am blocked.  I also blocked other people and they all told me that they can't get though so I know it is working.   Please Help because I am almost out of hair!!!!!!