5266 Views, 5 Replies. Latest reply: Feb 3, 2013 9:58 PM by tomcross

tomcross (Newcomer, 4 posts since Jan 28, 2013)

Jan 28, 2013 11:52 PM

Packet Filter rules not taking effect

Hi

We have an SG 565 with an Ethernet over copper internet connection.

This feeds a class C IP range visible over the internet.

It is not NATed.

The person that set it up and looked after the security of the network has now passed away.

 

After doing a bit of reading, it seems that the way the security was handled is not best practice.

From what I have read, there should be rules for the ports you want to allow to come in and block everything else with a drop all at the end of the rules.

 

The only rules in the Packet Filtering > Packet Filter Rules tab were the default rules:

Drop Windows Networking - Active
Drop RFC1918 Incoming - Not Active
Drop RFC1918 Outgoing - Not Active

 

The Packet Filtering > Custom Firewall Rules tab (with "Custom firewall rules are instead of built in rules" NOT ticked) has around 270 rows of rules.

Starting with the following (between the ===== lines):

==========================================================================================

# Disable proxy ARP on both interfaces and turn on IP forwarding
# (/etc/0 and /etc/1 presumably hold the digits 0 and 1)
cp /etc/0 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/0 /proc/sys/net/ipv4/conf/eth1/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.route.max_size=8192
# Flush the filter table, then set up the logging drop/reject chains
iptables -F
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -N LOGREJ
iptables -A LOGREJ -j LOG
iptables -A LOGREJ -p tcp -j REJECT --reject-with tcp-reset
iptables -A LOGREJ -j REJECT --reject-with icmp-port-unreachable
iptables -N REJ
iptables -A REJ -p tcp -j REJECT --reject-with tcp-reset
iptables -A REJ -p udp -j REJECT --reject-with icmp-port-unreachable
# Flush the nat and mangle tables; default policy for INPUT is accept
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
#    10%

==========================================================================================

Further down there is a 25%, a 50% and a 75%.

OK, I say, let's see if we can tidy this up, since we are getting hammered by Chinese IPs trying to hack our servers with dictionary attacks.

So in the Packet filter rules I go through and add all the ports we need coming in and activate them. Also add the Drop all at the end.

No difference, which is what I thought would happen, since the other rules are still in operation.

I now delete all the custom firewall rules, after backing up.

 

That blocked them all right: we could not get anything from external, no web, no mail.

Copied Custom firewall rules back, all OK.

Next, deleted all after the 10%.

Same result.

Copied Custom firewall rules back, all OK.

Next, found 2 more iptables -P INPUT commands, first lines after 50%:

iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Copied those under the INPUT ACCEPT, above the 10%.

Deleted all after the 10%, updated.

We now had web and mail, so that part worked.

BUT none of the rules in the first tab (Packet filter rules) seem to be working.

We are still getting hammered.

I set up a couple of tests.

Dropping 3389 to a server, ticked the check box, restarted the router, I could still come into that server on 3389.

Copied all Custom firewall rule back.

Any ideas please?

  • Community Leader (477 posts since Oct 14, 2009)
    1. Jan 31, 2013 3:41 PM (in response to tomcross)
    Re: Packet Filter rules not taking effect

    The custom rules look identical to the inbuilt rules run by default. I would suggest he has copied them at some stage.

     

    I suggest you don't use custom rules and instead use the GUI.

     

    Since you are not in a NATed environment, you simply need to create packet filter rules of type = forward to allow the services you require.

     

    When you say you are getting 'hammered'... what exactly does this mean?

    Does it mean the firewall is performing its job and successfully blocking probes/attacks (and perhaps logging this), or does it mean your internal servers are under excessive load due to packets coming in via the firewall?
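As an added example, not code from the thread or from the SG565 firmware: a custom-rule script arranged the way the original poster describes (allow the inbound services the servers need, then drop everything else at the end) and placed in the FORWARD chain, which is where routed, non-NAT traffic to the server range is filtered, as the reply above advises. The interface names, the 203.0.113.0/24 range and the service list are assumptions; the script prints the rules by default and only installs them when run with `apply`.

```shell
#!/bin/sh
# Example rule set (assumptions: eth0 = internet side, eth1 = server side,
# 203.0.113.0/24 stands in for the real class C range).
WAN=eth0
LAN=eth1
SERVERS=203.0.113.0/24
INBOUND="tcp:25 tcp:80 tcp:443"     # services that must be reachable from outside

# Print the rule set rather than running it, so it can be reviewed first.
emit_rules() {
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -N LOGDROP"
    echo "iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
    echo "iptables -A LOGDROP -j DROP"
    # Routed traffic to the servers crosses FORWARD, not INPUT, so both the
    # allow list and the final drop have to live in FORWARD.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in $INBOUND; do
        proto=${svc%%:*}
        port=${svc#*:}
        echo "iptables -A FORWARD -i $WAN -o $LAN -p $proto -d $SERVERS --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything not allowed above is logged (rate limited) and dropped.
    echo "iptables -A FORWARD -j LOGDROP"
}

# Install the rules only when explicitly asked; the default is a dry run.
apply_rules() {
    if [ "${1:-dry-run}" = "apply" ]; then
        emit_rules | sh
    else
        emit_rules
    fi
}

# Number of FORWARD rules generated (allow list plus the closing LOGDROP).
count_rules() {
    emit_rules | grep -c '^iptables -A FORWARD'
}

# Usage: sh rules.sh          review the rules
#        sh rules.sh apply    install them
apply_rules "$1"
```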

  • Community Leader (477 posts since Oct 14, 2009)
    3. Feb 3, 2013 3:15 PM (in response to tomcross)
    Re: Packet Filter rules not taking effect

    These logs tell you attacks are being detected, although it does appear you have opened up a port for your web server, which is failing logins from the web server logs.

     

    Unless you have these ports open, these attacks will be blocked.

     

    If they are open, IPS can optionally block the sender IP if desired.

     

    Can I assist further?
