iptables issue

Hi everybody, sorry to descend upon you all and disturb your peace again.

On a post elsewhere I mentioned that I was having difficulties with OSSEC and decided to give up trying to sort it out opting to use Fail2Ban as used on another box.

Before I went ahead all gung-ho I decided to take a look around to see that all was ok. That was when the panic started.

When I run iptables -L I get what looks like thousands of lines which I guess are left over by OSSEC (happy to be corrected).

Here is the output of iptables -L

target     prot opt source                              destination
DROP       all  --  host-2-60-41-171.pppoe.omsknet.ru   anywhere
DROP       all  --  175.106.48.52                       anywhere
DROP       all  --  41.216.48.37                        anywhere

hundreds of lines snipped out

DROP       all  --  bd3f8342.virtua.com.br              anywhere
ACCEPT     udp  --  anywhere                            anywhere            udp dpt:ftp-data
ACCEPT     udp  --  anywhere                            anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere                            anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:dnp
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere                            anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere                            anywhere

Hundreds more snipped

Chain FORWARD (policy ACCEPT)
target     prot opt source                              destination
DROP       all  --  smtp-9.star.net.uk                  anywhere
DROP       all  --  pingability.com                     anywhere
DROP       all  --  58.187.110.134                      anywhere
DROP       all  --  c94b0e05.virtua.com.br              anywhere

Hundreds more snipped

DROP       all  --  localhost                           anywhere
DROP       all  --  187-35-231-149.dsl.telesp.net.br    anywhere
ACCEPT     all  --  anywhere                            anywhere
DROP       all  --  41.230.20.248                       anywhere

Hundreds more snipped

This is obviously wrong, and when I was reading, trying to solve my OSSEC problem, I found a post in these illustrious forums which mentioned thousands of log lines in iptables (it was discussing a different issue), but for the life of me I can’t find it now.

So, onto the point of all this which is probably quite obvious I guess. How do I go about cleaning all that mess up?

I have Googled but can’t find a trusted reply.

Again, thanks for reading and any suggestions/pointers you might be able to offer.

Tim

Operating system CentOS Linux 5.7
Webmin version 1.562
Virtualmin version 3.88 Pro

Howdy,

So, onto the point of all this which is probably quite obvious I guess. How do I go about cleaning all that mess up?

Well, just to clarify – the above isn’t necessarily incorrect. If you don’t want it, we can get rid of it. But I don’t see anything in the above that suggests “horribly wrong”.

It looks like you have a lot of entries that were added to block this or that host… that sounds like OSSEC (or some other tool) was blocking hosts based on some criteria, perhaps too many failed login attempts.

Are you saying you wish to get rid of all your iptables entries?

-Eric

Thanks Eric,

Happy to be corrected on any of the following.

Obviously if nothing ever removed any of those entries they will remain permanently. I guess I wouldn’t be upset if some of them stayed, but even then, I have a customer who does extensive business with Russian companies so I couldn’t even leave the Russian ones permanently blocked. Some of the IP numbers are big ISPs here in the UK so that could be another problem.

Having used it before with great success (and I can understand it), I intend to install Fail2Ban on this server so it would probably be better to clear it out and start again.

Does all that sound sensible?

Tim

Howdy,

Well, I don’t know anything about those rules, or whether they’re permanent or temporary (ie, if OSSEC did indeed add them, is it planning to remove them at some point?). That’s the part you’ll have to figure out :)

If you do wish to clear out all your firewall rules, you can run these commands:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
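Added example, not part of Eric's reply and not Virtualmin or OSSEC code: before flushing a rule set like the one pasted above, a practitioner would want to save it and count what is in it, so the per-host DROP entries can be inspected (for instance to check whether a customer's or a UK ISP's address is among them) and restored with iptables-restore if the flush turns out to be a mistake. The counting functions work on any saved "iptables -L -n" listing; the sample listing below is constructed for the demo, and the live commands at the bottom are the only part that assumes iptables is installed and run as root.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and back up an iptables rule set
# before flushing it. Works on an 'iptables -L -n' listing read from stdin.

# Constructed sample in the same shape as the listing pasted in the thread
# (documentation-range addresses, not real hosts).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.10         0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.10         0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# count_target CHAIN [TARGET]
# Count rules whose target is TARGET (default DROP) inside CHAIN.
# Each "Chain X (...)" header switches the chain being counted.
count_target() {
  chain="$1"
  target="${2:-DROP}"
  awk -v chain="$chain" -v target="$target" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $1 == target { n++ }
    END { print n + 0 }
  '
}

# dropped_sources
# Print the distinct source addresses that any chain DROPs, one per line,
# so they can be compared against addresses that must stay reachable.
dropped_sources() {
  awk '$1 == "DROP" { print $4 }' | sort -u
}

# Demo run on the constructed sample.
printf '%s' "$SAMPLE_LISTING" | count_target INPUT          # prints 2
printf '%s' "$SAMPLE_LISTING" | count_target FORWARD        # prints 1
printf '%s' "$SAMPLE_LISTING" | count_target INPUT ACCEPT   # prints 2
printf '%s' "$SAMPLE_LISTING" | dropped_sources

# Live use (needs root). Save the current rules first so the flush can be
# undone with: iptables-restore < /root/iptables.before-flush
#   iptables-save > /root/iptables.before-flush
#   iptables -L -n | count_target INPUT
#   iptables -L -n | dropped_sources | grep -c .
```

Using "-n" with iptables -L keeps the source column as numeric addresses rather than reverse-DNS names, which is both faster on a long list and easier to match against a customer's known ranges.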

Thanks Eric, that worked and I’m not locked out of my server either which is always a bonus. :slight_smile:

It would seem that those are built up over time by OSSEC because the server is actually quite a quiet one and OSSEC is supposed to only ban for a matter of 20 minutes as far as I can see. I guess it is not working for me, which is almost undoubtedly my fault somewhere along the line.

Now I can get to work on Fail2ban.

Appreciate your help, it is always difficult to trust most sources on the web, but I do feel very safe here. Thanks for a great product and support.