More UDP drama, and firewalling questions.

carliebentley
Forum User
Posts: 46
Joined: Mon Oct 09, 2006 5:32 pm

More UDP drama, and firewalling questions.

Unread post by carliebentley »

Greetings again everyone.

Again, my configuration:
CentOS 5.4, Plesk 9.3, ASL 2.2

I am attempting to stop a UDP flood attack that seems to be ongoing, and I've had a little progress (it seems) by adding rules to my iptables that are supposed to ignore UDP packets that originate from any port other than 53, and destined to any port other than 53.

However, it doesn't seem to be working as prescribed.

This brings me to questioning if iptables is what I should be using or something else. The server has the Plesk firewall module installed, and it is not very configurable, but it does seem to be GOD in this situation, because I can use it to stop traffic from or to IP ranges in certain ports, and it's pretty effective.

But because the Plesk firewall module is "limited" in its flexibility, I have been attempting to use iptables in order to restrict this insane UDP traffic.

I know ASL has geoblocking, blacklisting, etc, so is it using iptables? Is the Plesk firewall module getting in the way?

I'm monitoring the traffic on eth0 with iptraf, and just watching the huge stream of UDP requests from random ports to port 53, and then watching my server respond with UDP to those random ports, even though I have an iptables rule that says it should drop them if they are UDP requests to ports other than 53, or UDP responses to other than 53.

This is getting highly annoying.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: More UDP drama, and firewalling questions.

Unread post by scott »

It's all using the same firewall code underneath, called netfilter. psa-firewall is a front end to iptables, which in turn is a front end to netfilter. Ditto with ASL.

You might want to try if you haven't already (note -I, not -A):

iptables -I INPUT -p udp --dport ! 53 -j DROP

This would drop incoming UDP requests if they are not destined to port 53.
carliebentley
Forum User
Posts: 46
Joined: Mon Oct 09, 2006 5:32 pm

Re: More UDP drama, and firewalling questions.

Unread post by carliebentley »

scott wrote: It's all using the same firewall code underneath, called netfilter. psa-firewall is a front end to iptables, which in turn is a front end to netfilter. Ditto with ASL.

You might want to try if you haven't already (note -I, not -A):

iptables -I INPUT -p udp --dport ! 53 -j DROP

This would drop incoming UDP requests if they are not destined to port 53.

Yep, tried that, and I'm still being bombarded. That's what makes me think that iptables is being ignored.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: More UDP drama, and firewalling questions.

Unread post by mikeshinn »

Let's take a look at your iptables rules; what's the output of this:

iptables -L -n
carliebentley
Forum User
Posts: 46
Joined: Mon Oct 09, 2006 5:32 pm

Re: More UDP drama, and firewalling questions.

Unread post by carliebentley »

I've removed the ASL-BLACKLIST chain in an effort to save space.


Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp multiport ports ! 53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:64127 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2025 

---- A boat load of ASL-BLACKLIST entries snipped ------

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp multiport ports ! 53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       udp  --  0.0.0.0/0            182.0.0.0/8         
DROP       tcp  --  0.0.0.0/0            182.0.0.0/8         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain ASL-BLACKLIST (19429 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0

I have also noticed that the ASL-BLACKLIST chain is apparently allowing connections on UDP from some of the IP ranges that are geoblocked.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: More UDP drama, and firewalling questions.

Unread post by mikeshinn »

So your issue is that you have global ACCEPT rules before some of your DROP rules. All firewalls are first match, so if there is a match the action is taken, and if you have a global ACCEPT before a DROP, the packet is accepted and processing stops.

So you need to get your rules in order. For example:

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:64127
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2025

Means that the second rule will never get processed as you already accepted the packet, and also the last rule is not necessary because you also have a global accept - this may also be causing issues with your geoip rules. I highly recommend you take a look at our book on troubleshooting linux firewalls for more guidance if you are running into rule order issues - it's vital the order be right when you create custom rules, otherwise your firewall will not behave as you expect:

http://www.amazon.com/Troubleshooting-L ... 622&sr=8-1
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: More UDP drama, and firewalling questions.

Unread post by biggles »

mikeshinn wrote: I highly recommend you take a look at our book on troubleshooting linux firewalls for more guidance if you are running into rule order issues - it's vital the order be right when you create custom rules, otherwise your firewall will not behave as you expect:

http://www.amazon.com/Troubleshooting-L ... 622&sr=8-1
Great book BTW! 8)
carliebentley
Forum User
Posts: 46
Joined: Mon Oct 09, 2006 5:32 pm

Re: More UDP drama, and firewalling questions.

Unread post by carliebentley »

Thanks.

The ordering of the rules looked a little wonky to me anyway.

I'll sort things out and see if that helps the problem.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: More UDP drama, and firewalling questions.

Unread post by mikeshinn »

Good rule of thumb, allow by exception - which means:

1. Set all your specific denys first (INVALID, rate limiting, etc.)
2. Set all your specific allows second (the ports you want to allow in, 80, 22, 993, 53/udp, etc.)
3. never ever set a global allow
4. set your last rule as a global deny(which should be deny all)

Also unless your server is functioning as a firewall for another server, you don't need any FORWARD rules, just set the FORWARD policy to DROP. FORWARD doesn't mean anything to the server itself. The flow is:

WORLD -> INPUT -> SERVER !STOP!

!START! SERVER -> OUTPUT -> WORLD

WORLD -> FORWARD -> SERVER -> FORWARD -> WORLD

You'll notice that input and output never allow anything to flow THRU the server. Those chains refer to input to the server, and output from the server, which is not the same as forwarding. Forwarding is never TO or FROM the server, it's to and from something else thru the server to something else. If your server were an actual firewall that would be an example of where this rule would be used, if you have a typical server your forward rules will never trigger unless you forward traffic to something else. If you do not forward, set your FORWARD policy to DROP.
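As an added illustration of the two mikeshinn posts above (first-match processing with a global ACCEPT, and the allow-by-exception ordering), not code from the thread or from Atomicorp: a small Python simulator that transcribes the posted INPUT chain and the same rules reordered, then reports both verdicts for one packet. The Pkt type, the matcher functions, the allow list (22 and 2025/tcp, 53/udp) and the sample packets are constructed assumptions; the tcp-flags REJECT is omitted because the model carries no TCP flags.

```python
from typing import Callable, List, NamedTuple, Tuple
class Pkt(NamedTuple):
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

Rule = Tuple[str, Callable[[Pkt], bool]]   # (target, match)
# Matches transcribed from the posted INPUT listing (the tcp-flags REJECT is left out: Pkt has no flags).
def udp_ports_not_53(p: Pkt) -> bool:   # "udp multiport ports ! 53": neither sport nor dport is 53
    return p.proto == "udp" and p.sport != 53 and p.dport != 53
def established(p: Pkt) -> bool:        # "state RELATED,ESTABLISHED"
    return p.state in ("RELATED", "ESTABLISHED")
def invalid(p: Pkt) -> bool:            # "state INVALID"
    return p.state == "INVALID"
def udp_high(p: Pkt) -> bool:           # "udp dpts:10000:64127"
    return p.proto == "udp" and 10000 <= p.dport <= 64127
def dport(proto: str, port: int) -> Callable[[Pkt], bool]:   # "<proto> dpt:<port>"
    return lambda p: p.proto == proto and p.dport == port

def evaluate(chain: List[Rule], policy: str, pkt: Pkt) -> str:
    """First match wins, as netfilter walks a chain; the policy applies if nothing matched."""
    for target, match in chain:
        if match(pkt):
            return target
    return policy

# The INPUT chain in the order it was posted: the global ACCEPT leaves every rule after it dead.
POSTED: List[Rule] = [
    ("DROP", udp_ports_not_53),
    ("ACCEPT", established),
    ("DROP", invalid),
    ("ACCEPT", lambda p: True),
    ("DROP", udp_high),
    ("ACCEPT", dport("tcp", 2025)),
]

# The same rules ordered "allow by exception": specific denies, then specific allows, no global
# allow, policy DROP as the final deny. The allow list (22, 2025/tcp, 53/udp) is a constructed example.
REORDERED: List[Rule] = [
    ("DROP", invalid),
    ("DROP", udp_high),
    ("ACCEPT", established),
    ("ACCEPT", dport("tcp", 22)),
    ("ACCEPT", dport("tcp", 2025)),
    ("ACCEPT", dport("udp", 53)),
]

def compare(pkt: Pkt) -> Tuple[str, str]:
    return evaluate(POSTED, "DROP", pkt), evaluate(REORDERED, "DROP", pkt)
```

A constructed UDP packet from source port 53 to destination port 20000 slips past the first posted rule (one of its ports is 53), is taken by the global ACCEPT before the dpts:10000:64127 DROP is reached, and is dropped by the reordered chain; a new TCP connection to an unlisted port is likewise accepted by the posted chain and falls through to the DROP policy in the reordered one.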
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: More UDP drama, and firewalling questions.

Unread post by faris »

There are two problems with the Plesk firewall.

1) It is very very basic in what it does (not a bad thing)
2) By default (on 8.6 and earlier at least), anything not set to block in the GUI is allowed (you can change this with the click of a mouse, but still.....)

A lot of people here use APF for their firewall instead of the Plesk one. It is an order of magnitude better. It does not have a GUI, but basically since it blocks everything other than the short list of ports you tell it you want open, it is very simple to configure.

http://www.rfxn.com/projects/advanced-policy-firewall/

You do need to make a small change in one of the files in order for it to work 100% correctly with ASL, but that's minor. There's a post on it here in the forum somewhere ( http://www.atomicorp.com/forum/viewtopic.php?f=3&t=2409 )

I think you will love it once you have played with it.

Of course we are still waiting for Scott and Mike to get round to creating the Atomic Firewall. I don't know how far down their todo list it is though.

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: More UDP drama, and firewalling questions.

Unread post by biggles »

faris: According to the thread you linked to ASL Firewall was the next feature on the list on the 28th of Aug 2009. :wink:
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: More UDP drama, and firewalling questions.

Unread post by mikeshinn »

And it's still in development.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: More UDP drama, and firewalling questions.

Unread post by biggles »

Great to hear!!!
mneese77
Forum Regular
Posts: 137
Joined: Wed May 12, 2010 5:40 pm

Re: More UDP drama, and firewalling questions.

Unread post by mneese77 »

I'm very sorry to witness someone's distressing situation, as carliebentley's is, but I am eager to learn from this...

My basic Plesk firewall config resembles carliebentley's, so I'm nervous... but being a novice makes me hesitate to make potentially incorrect settings... I do wish to change my Plesk settings regarding the "accept all" preceding other rules, but the interface in Plesk isn't too clear on what to change to remove those "accept all" settings...

Looking at my iptables is straightforward and quite simple; is there a file that can be manually altered to make those simple changes... bypassing the confusing Plesk interface? Or is that not the way it's done... I see that the asl-blacklist is at the top of the tables in my iptables, yet the only ASL reference in the Plesk interface is for the 30000 port....

Also, Faris, if I was to change to the APF, which I've heard many people recommend, what is the process specifically when you change over? Do you disable the Plesk one, then install the APF, or install over the Plesk one? Are there issues with a live server?

Possibly there may be a step by step for the installation within Plesk somewhere that you could point us to... or is it covered in the link you have posted for the APF?
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: More UDP drama, and firewalling questions.

Unread post by Highland »

In reality, you already have a firewall: iptables. Every version and flavor of Linux comes with it. But iptables is too granular for the average user and too complex.

Enter the iptables frontend. Plesk firewall, APF and eventually ASL Firewall will all simply configure iptables for you. APF is the most popular because it's the easiest. One file for global rules, one for specific deny and one for specific allow. If you disable the Plesk firewall then that should clear the way for APF. Just install it, configure and enjoy.
"It's not a mac. I run linux... I'm actually cool." - scott