
From: Roderick A. Anderson (raanders_at_acm.org)
Date: Fri 09 Jan 2004 - 23:55:20 GMT


I'm sorry to ask here but it is only happening to some domains hosted
on/in vservers. More probably related to the services that are running
for those domains.

I don't have the hardware and software in place plus I work in a _very_
Windows oriented company so the information is coming second hand. From a
program called CommView. Heck there is something running around in the back
of my mind that it might be Apache related though I'm running 2.0.40-11
from Redhat 8.

We're seeing traffic that appears to be passed through on REALLY high port
numbers. I'm running the standard RHL 8 firewall settings. Here is my
/etc/sysconfig/iptables file.

        *filter
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :RH-Lokkit-0-50-INPUT - [0:0]
        -A INPUT -j RH-Lokkit-0-50-INPUT
        -A FORWARD -j RH-Lokkit-0-50-INPUT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
        -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
        -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
        -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT

I suspect it might be the eth0 and eth1 settings added for some reason
during install or later to get some troublesome service working.

Is there a quick fix (besides unplugging the $%^&* machine) to block high
port outbound traffic?

I just started reading "Linux Network Administrator's Guide, Second
Edition" and jumped to the NetFilter/iptables stuff but haven't got very
far. (Even spare time -- for reading -- is limited. :-).

Does this catch anybody's attention?

Thanks (again) for any pointers or clue-stick whacks,
Rod

-- 
    "Open Source Software - You usually get more than you pay for..."
     "Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL"

_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
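Editor's added example, not part of the original post or of any Red Hat tool: a small first-match evaluator run over the posted RH-Lokkit-0-50-INPUT rules, showing which rule decides a given packet and that the `-i eth0` / `-i eth1` ACCEPT lines are reached before any REJECT. The interface name `ppp0` in the usage below is an assumption standing in for any interface other than lo, eth0 and eth1, and the model covers only the match options this ruleset uses.

```python
import shlex

# Rules of the RH-Lokkit-0-50-INPUT chain as posted (chain name prefix dropped).
LOKKIT = """\
-p tcp -m tcp --dport 25 --syn -j ACCEPT
-p tcp -m tcp --dport 80 --syn -j ACCEPT
-p tcp -m tcp --dport 21 --syn -j ACCEPT
-p tcp -m tcp --dport 22 --syn -j ACCEPT
-i lo -j ACCEPT
-i eth0 -j ACCEPT
-i eth1 -j ACCEPT
-p tcp -m tcp --dport 0:1023 --syn -j REJECT
-p tcp -m tcp --dport 2049 --syn -j REJECT
-p udp -m udp --dport 0:1023 -j REJECT
-p udp -m udp --dport 2049 -j REJECT
-p tcp -m tcp --dport 6000:6009 --syn -j REJECT
"""

def parse(line):
    """Turn one rule into a dict of the match options this ruleset uses."""
    tok, rule, i = shlex.split(line), {"syn": False}, 0
    while i < len(tok):
        if tok[i] == "--syn":            # the only option here with no argument
            rule["syn"] = True
            i += 1
            continue
        if tok[i] == "--dport":
            lo, _, hi = tok[i + 1].partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif tok[i] in ("-i", "-p", "-j"):
            rule[tok[i]] = tok[i + 1]
        i += 2                           # "-m tcp" and friends are skipped
    return rule

def verdict(rules, policy, iface, proto, dport, syn=True):
    """First-match evaluation: (target, index of the deciding rule or None)."""
    for n, r in enumerate(rules):
        if r.get("-i", iface) != iface or r.get("-p", proto) != proto:
            continue
        lo, hi = r.get("dport", (0, 65535))
        if lo <= dport <= hi and (syn or not r["syn"]):
            return r["-j"], n
    return policy, None                  # nothing matched: chain policy applies

RULES = [parse(l) for l in LOKKIT.splitlines()]

if __name__ == "__main__":
    for iface in ("eth0", "ppp0"):       # ppp0: assumed name, any other interface
        print(iface, verdict(RULES, "ACCEPT", iface, "tcp", 111))
    print("OUTPUT", verdict([], "ACCEPT", "eth0", "tcp", 40000))
```

With an empty rule list, as in the posted OUTPUT chain, the chain policy decides every packet.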


Generated on Fri 09 Jan 2004 - 23:56:41 GMT by hypermail 2.1.3