* IPTables ISP Open Port Notices
@ 2022-06-01 16:30 Robert Steinmetz
  2022-06-01 18:56 ` Dave Osbourne
       [not found] ` <CANGix0AkwkKWU6y34BTAQQyPo37E-N+c5Rex8Nc5U-Z0-aD3Mg@mail.gmail.com>
  0 siblings, 2 replies; 3+ messages in thread
From: Robert Steinmetz @ 2022-06-01 16:30 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

I keep getting notices from my ISP (ATT) that I have an open port. I've 
tried to block it and nothing seems to satisfy them. So far I'm not 
detecting any traffic on that port, but in an abundance of caution I'm 
reluctant to post too much information. So I'll try to describe what is 
going on.

I have a computer running Ubuntu 18.04.6 LTS (GNU/Linux 
4.4.0-109-generic i686) using iptables to do address mapping to my block 
of static IP addresses. I am also running fail2ban, which appears to be 
running as expected.

In the routing section I have pairs of statements doing the Address 
Translation, one pair for each IP address:

-A PREROUTING -d aa.bb.cc.12/32 -j DNAT --to-destination 192.168.1.29
-A POSTROUTING -s 192.168.1.29/32 -j SNAT --to-source aa.bb.cc.12
-A POSTROUTING -o enp1s0 -j MASQUERADE

I have other ports I have blocked which seem to work. In fact I got 
similar notices for those ports and added an INPUT and OUTPUT statement 
for each port, both tcp and udp, both general and for specific IP 
address ranges.

-A INPUT -p tcp -m tcp --dport <port> -j DROP
-A INPUT -p udp -m udp --dport <port> -j DROP
-A OUTPUT -p tcp -m tcp --dport <port> -j DROP
-A OUTPUT -p udp -m udp --dport <port> -j DROP

-A INPUT -s aa.bb.cc.8/29 -p tcp -m tcp --dport <port> -j DROP
-A INPUT -s aa.bb.cc.8/29 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.8/29 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.8/29 -p tcp -m tcp --dport <port> -j DROP

The notice I get from my ISP says the port is a udp port for a Windows 
service on a Windows server (the only one we have). With my limited 
understanding of iptables this seems like it should work, but apparently 
it's not.

I guess I could add an INPUT and OUTPUT statement for the specific IP 
address, something like this:

-A INPUT -s aa.bb.cc.9/32 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.9/32 -p udp -m udp --dport <port> -j DROP

-- 
Robert Steinmetz, AIA
Principal
Steinmetz & Associates

* Re: IPTables ISP Open Port Notices
  2022-06-01 16:30 IPTables ISP Open Port Notices Robert Steinmetz
@ 2022-06-01 18:56 ` Dave Osbourne
       [not found] ` <CANGix0AkwkKWU6y34BTAQQyPo37E-N+c5Rex8Nc5U-Z0-aD3Mg@mail.gmail.com>
  1 sibling, 0 replies; 3+ messages in thread
From: Dave Osbourne @ 2022-06-01 18:56 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

Hi,

Possibly a stupid question, and I'm doing this in haste, but you're 
FORWARDING the traffic between aa.bb.cc.12 and 192.168.1.29 ...  it 
won't appear on the INPUT or OUTPUT chains...

Dave


* Re: IPTables ISP Open Port Notices
       [not found]   ` <f3e54f04-2ab0-fc01-eb3e-d8fcef2c0c12@steinmetznet.com>
@ 2022-06-03 21:34     ` Alex Buie
  0 siblings, 0 replies; 3+ messages in thread
From: Alex Buie @ 2022-06-03 21:34 UTC (permalink / raw)
  To: Robert Steinmetz; +Cc: netfilter

You shouldn't need to add a separate rule for the public IPs - the NAT
rule will get evaluated first, so in the context of the FORWARD chain
(which is where you need to do this processing) the traffic will
already have a post-NAT destination (aka private IP).

https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2560px-Netfilter-packet-flow.svg.png

This chart might be helpful - if you look in the middle in the green
by "Routing Decision", you'll see that the NAT table's prerouting
chain gets evaluated just before that point. (so we come in to
"Routing Decision" with the DNAT'd internal IP address, not the public
IP) Then, since these are forwarded, it continues on to the right of
the chart to the mangle (modify) table's FORWARD(ing) chain, and then
finally to the filter table (also the default table when
unspecified)'s FORWARD chain. That is where your DROP rules are
getting inserted, and why they need to be the internal IPs and not the
publics.

On Fri, Jun 3, 2022 at 5:07 PM Robert Steinmetz <rob@steinmetznet.com> wrote:
>
>
> On 6/1/2022 11:50 AM, Alex Buie wrote:
>
> Try adding DROPs to the FORWARD chain for the internal (post-DNAT) IP address (ie, ) [or even REJECT if you wanna send ICMP back]
>
> Since these are routed they will not traverse the INPUT and OUTPUT chains, which are only for traffic specifically destined to or generated from the host. Routed traffic will traverse the FORWARD chain.
>
> Thanks.
>
> That's what I needed to understand. I've added:
>
> -A FORWARD -d 192.168.1.2 -p udp -m udp --dport <port> -j DROP
>
> -A FORWARD -d 192.168.1.3 -p udp -m udp --dport <port> -j DROP
>
> My understanding is this will drop packets routed from the Public IP address to the Private IP address. One question I have: does this block traffic on that port in both directions, or just the incoming traffic to the private address? Should there be a similar statement for the corresponding Public IP address?
>
> I hope this works. I've updated my rule set. My ISP apparently runs these checks every 3 days or so, so now I just need to wait and see if it stops sending them. I don't work with iptables very often; once they're set up I tend to leave them alone for years.
>
> I'll report back in a few days.
>
> --
> Robert Steinmetz AIA
> Principal
> Steinmetz & Associates
>
> New Orleans & Atlanta



-- 
Alex Buie
Senior Networking Software Engineer
Datto, Inc.
475-288-4550 (o)
585-653-8779 (c)
www.datto.com
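The chain traversal Dave and Alex describe, as an added Python model of netfilter's packet flow (not code from the thread or from the netfilter project). It assumes constructed documentation-range addresses in place of the thread's aa.bb.cc.8/29 block and a constructed PORT in place of `<port>`, and reduces the routing decision to "destination owned by the router goes to INPUT, anything else goes to FORWARD".

```python
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for the thread's aa.bb.cc.x block
# and <port>; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
PORT = 5000                                   # constructed stand-in for <port>
DNAT_MAP = {"203.0.113.12": "192.168.1.29"}   # nat PREROUTING DNAT, as in the thread
HOST_ADDRS = {"203.0.113.14", "192.168.1.1"}  # addresses owned by the router itself

def rule(chain, src=None, dst=None, proto=None, dport=None, target="DROP"):
    """One filter-table rule; None means 'any', like an omitted iptables match."""
    return {"chain": chain, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "target": target}

def matches(r, pkt):
    if r["src"] and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if r["dst"] and ip_address(pkt["dst"]) not in ip_network(r["dst"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    return not r["dport"] or r["dport"] == pkt["dport"]

def trace(pkt, rules):
    """Return (filter chain evaluated, verdict) for a packet arriving on enp1s0."""
    pkt = dict(pkt)
    # 1. nat PREROUTING runs first: DNAT rewrites the destination address.
    pkt["dst"] = DNAT_MAP.get(pkt["dst"], pkt["dst"])
    # 2. Routing decision on the post-DNAT address: local -> INPUT, else FORWARD.
    chain = "INPUT" if pkt["dst"] in HOST_ADDRS else "FORWARD"
    # 3. filter table: first matching rule in that chain wins; chain policy ACCEPT.
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return chain, r["target"]
    return chain, "ACCEPT"

# The poster's original INPUT rule and the FORWARD rule the thread converges on.
INPUT_RULE = rule("INPUT", proto="udp", dport=PORT)
FORWARD_RULE = rule("FORWARD", dst="192.168.1.29/32", proto="udp", dport=PORT)

# Constructed probes: the ISP scanner hits the DNAT'd public IP, then the router's own IP.
SCAN = {"src": "198.51.100.7", "dst": "203.0.113.12", "proto": "udp", "dport": PORT}
HOST_SCAN = dict(SCAN, dst="203.0.113.14")
# The server's reply as FORWARD sees it, before POSTROUTING SNAT rewrites its source.
REPLY = {"src": "192.168.1.29", "dst": "198.51.100.7", "proto": "udp", "dport": 40000}

if __name__ == "__main__":
    print("scan, INPUT rule only :", trace(SCAN, [INPUT_RULE]))       # ('FORWARD', 'ACCEPT')
    print("scan, FORWARD rule    :", trace(SCAN, [FORWARD_RULE]))     # ('FORWARD', 'DROP')
    print("router's own IP       :", trace(HOST_SCAN, [INPUT_RULE]))  # ('INPUT', 'DROP')
    print("reply, FORWARD -d rule:", trace(REPLY, [FORWARD_RULE]))    # ('FORWARD', 'ACCEPT')
```

The last probe answers Robert's direction question: a `-d 192.168.1.29` FORWARD rule only matches packets headed to the private address, and because the unsolicited inbound packet is dropped there, the server never has anything to reply to.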