44net-request@hamradio.ucsd.edu wrote:
Subject: Re: [44net] 44Net Digest, Vol 3, Issue 31
From: John Ronan jpronans@gmail.com
Date: 02/10/2014 10:01 AM
To: AMPRNet working group 44net@hamradio.ucsd.edu
Hi Rob/all, Well as long as it wasn't just me the packets were hitting, I'm happier :). I guess your 'firewall' is a chain you created yourself? Either that or my iptables/kernel is quite a bit older than yours.
That's a nice/handy ruleset actually, thanks for the reply.
Oh, apologies for my slowness in replying, birthday party (my own) Saturday meant I was recovering yesterday.
Regards John EI7IG
Yes, "firewall" is a chain that is joined to the INPUT chain for some of the traffic. In a typical Linux tunneling server you first separate the raw input and the tunnel input, and then deal with that in separate chains. In my tunnel router I have 4 of them, one for internet traffic to the public IP address, one for traffic destined to the 44-net address of the router, one for 44-net traffic routed through to systems behind my router, and one for traffic destined to my locally running copy of NETCHL (most others would use JNOS there). It gets kind of difficult to handle all of that in one INPUT chain. So my INPUT chain is built like this:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -d 111.222.333.444 -j firewall
    iptables -A INPUT -i tunl0 -j firewall2

etc, and similar for the FORWARD chain.
BTW, the "attack" on http (which probably was not sourced from the addresses in the packets, but was rather meant to be a reflection attack on some other party) continued through today and ended a few hours ago. The second example that I posted became the main attack later, and I added another rule below the first line in my example:
iptables -A firewall -p tcp -m multiport --sport 0:1023 --syn -j DROP
This blocks any incoming connects that are coming FROM port numbers below 1024. Those do not occur in normal practice. Port numbers below 1024 are "special" ports for protected system services and normally are never the source port for connects. Any connects from ports below 1024 are highly suspect for being reflection attacks so above I block them all.
Rob
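To see what the chain layout and the low-source-port SYN rule from Rob's post actually do, here is an added simulation (example code, not from the list or its authors) that dispatches constructed packets through the INPUT chain as described and returns each packet's verdict. The public address, the 44-net address and all packets are constructed; the tunnel-side chain is assumed to accept since its rules are not given.

```python
# Added example (not from the list post): a simulation of the INPUT chain layout
# and the low-source-port SYN rule described above, run over constructed packets.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the router's public address

@dataclass
class Packet:
    iface: str      # arrival interface: lo, eth0 or tunl0
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    sport: int      # source port
    flags: frozenset = frozenset()  # TCP flags set

def is_syn(pkt):
    """iptables --syn: SYN set and ACK, RST, FIN all clear (a new connection)."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})

def firewall_chain(pkt):
    """The 'firewall' chain: the post's rule, -p tcp --sport 0:1023 --syn -j DROP."""
    if pkt.proto == "tcp" and 0 <= pkt.sport <= 1023 and is_syn(pkt):
        return "DROP"
    return "ACCEPT"  # assumption: the rest of the chain accepts

def input_chain(pkt):
    """Dispatch exactly as the INPUT chain in the post does."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if pkt.iface == "eth0" and pkt.dst == PUBLIC_IP:
        return firewall_chain(pkt)
    if pkt.iface == "tunl0":
        return "ACCEPT"  # firewall2: tunnel-side rules not given in the post, assumed accept
    return "ACCEPT"  # assumption: INPUT policy ACCEPT for anything else

# Constructed sample traffic: a reflection-style probe next to ordinary traffic the
# rule must leave alone (a client's SYN, a SYN-ACK reply to our own outbound
# connection, UDP, and the same probe arriving over the tunnel).
SAMPLE = {
    "spoofed_syn_from_80": Packet("eth0", PUBLIC_IP, "tcp", 80, frozenset({"SYN"})),
    "client_syn_ephemeral": Packet("eth0", PUBLIC_IP, "tcp", 51234, frozenset({"SYN"})),
    "synack_reply_from_80": Packet("eth0", PUBLIC_IP, "tcp", 80, frozenset({"SYN", "ACK"})),
    "udp_from_53": Packet("eth0", PUBLIC_IP, "udp", 53),
    "tunnel_syn_from_80": Packet("tunl0", "44.0.0.1", "tcp", 80, frozenset({"SYN"})),
}

def verdicts():
    """Return the verdict for every sample packet, keyed by its label."""
    return {name: input_chain(p) for name, p in SAMPLE.items()}
```

The point worth checking is the --syn match: a SYN-ACK from port 80 (the reply to a connection the router itself opened) is not dropped, only fresh SYNs from privileged source ports are.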