Re: ufw and blocking certain IP in and out

2020-05-30 Thread Marina Garcia Rubio
On Thu., May 28, 2020, 7:25 AM, songbird
wrote:

>   it seems i have a mental block block of my own here where
> ufw is concerned...
>
>   i tell it to block connections in and out from a certain
> IP but when i visit a certain website those connections are
> still happening.
>
>   i've tried to audit the code for the website itself (as it
> is a static website i generate), but i cannot find where those
> references to this other website are coming from.  i use strings
> to examine everything and grep for the website name and also
> the ip address.  neither show up.  that doesn't mean it isn't
> in there just that i can't find it.
>
>   i'm wondering if the ISP or some other service is getting in
> between?
>
>   i use firefox and have a popup blocker but cannot get it to
> filter these connections either.
>
> here is ufw output
>
> root@ant(4)~# ufw status numbered
> Status: active
>
>  To Action  From
>  -- --  
> [ 1] Anywhere   DENY IN 1.2.3.4
> [ 2] Anywhere   REJECT OUT  1.2.3.4 (out)
>
> when i connect to the website netstat still shows connections
> to 1.2.3.4...
>
>   yes, i'm not a security or networking guru so any tools
> you can mention that will help me track this down would be
> appreciated.
>
>
>   songbird
>
>



Re: ufw and blocking certain IP in and out

2020-05-28 Thread songbird
Reco wrote:
...
> This rule is wrong, assuming that you're trying to prevent your browser
> from connecting to 1.2.3.4:
>
> -A ufw-user-output -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable
>
> "-s" means "source", and it'll only work if you have ip 1.2.3.4.

  i don't have 1.2.3.4 and i have no idea how 1.2.3.4 is getting
involved, it isn't a cloud service or hosting site just some
completely unrelated site and i have no idea why it is being
dragged into any of this unless there is some infection or 
redirection going on which i have no knowledge.  i know i didn't
put it in there, so it is either produced by the website 
generator code, some other library involved or the hosting 
service.  i can't find it in any of the code i have so i don't
think i'm doing this specifically, but i don't know how to
narrow it down either.


> What you should use is:
>
> -A ufw-user-output -d 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable
>
> "-d" means destination.

  i'd be ok with just dropping it all.


> I don't use ufw, so I cannot comment on how to specify "source" and
> "destination" there.

  ok, thanks for commenting.  not sure what i'll do yet.


  songbird



Re: ufw and blocking certain IP in and out

2020-05-28 Thread Reco
On Thu, May 28, 2020 at 11:56:10AM -0400, songbird wrote:
> Reco wrote:
> > Hi.
> >
> > On Thu, May 28, 2020 at 08:24:27AM -0400, songbird wrote:
> >>   it seems i have a mental block block of my own here where
> >> ufw is concerned...
> >> 
> >>   i tell it to block connections in and out from a certain
> >> IP but when i visit a certain website those connections are
> >> still happening.
> >
> > Can you show the resulting iptables rules (iptables-save format
> > preferred)? ufw output is terse, but hardly useful.
> 
>   sure, appended...

This rule is useless:

-A ufw-user-input -s 1.2.3.4/32 -j DROP

It's highly unlikely (and is complex in the case of the NAT) that
1.2.3.4 would establish a fresh connection to you. 
And it's the only usage of this rule considering that it is checked
after this one:

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

I.e. you cannot use your "-s 1.2.3.4/32" rule to break an existing
connection. So, drop it, it won't work the way you need.


This rule is wrong, assuming that you're trying to prevent your browser
from connecting to 1.2.3.4:

-A ufw-user-output -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable

"-s" means "source", and it'll only work if you have ip 1.2.3.4.

What you should use is:

-A ufw-user-output -d 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable

"-d" means destination.


I don't use ufw, so I cannot comment on how to specify "source" and
"destination" there.

Reco
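The two points above, the wrong match direction and the RELATED,ESTABLISHED ACCEPT that runs before the user chains, can be checked with a small chain walker. This is an added example, not code from the thread; it models only the matches the excerpt uses, and the local address 10.0.0.5 is constructed:

```python
import ipaddress

# Constructed excerpt of the OUTPUT path from the iptables-save dump in the thread
# (loopback and -p tcp matches omitted); the ufw-user-output rule under test is appended.
OUTPUT_PATH = """\
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-track-output
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-track-output -m conntrack --ctstate NEW -j ACCEPT
"""
WRONG_RULE = "-A ufw-user-output -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable"
RIGHT_RULE = "-A ufw-user-output -d 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable"

def parse(rules_text):
    """Turn '-A chain <flag> <value> ...' lines into {chain: [rule dicts]}."""
    chains = {}
    for line in rules_text.splitlines():
        toks = line.split()
        if toks[:1] != ["-A"]:
            continue
        # '-m conntrack' only loads a match module; every other option is a flag/value pair.
        pairs = [(toks[i], toks[i + 1]) for i in range(2, len(toks), 2) if toks[i] != "-m"]
        chains.setdefault(toks[1], []).append(dict(pairs))
    return chains

def matches(rule, pkt):
    """Evaluate the -s / -d / --ctstate matches used in the excerpt above."""
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[flag]):
            return False
    if "--ctstate" in rule and pkt["state"] not in rule["--ctstate"].split(","):
        return False
    return True

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """Walk a chain like netfilter: first terminal target wins; a user chain that falls through returns None."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        result = target if target in ("ACCEPT", "DROP", "REJECT") else verdict(chains, target, pkt, None)
        if result is not None:
            return result
    return policy

def outbound_verdict(user_rule, state):
    """Verdict for a packet from this host (10.0.0.5, constructed) to 1.2.3.4."""
    pkt = {"src": "10.0.0.5", "dst": "1.2.3.4", "state": state}
    return verdict(parse(OUTPUT_PATH + user_rule), "OUTPUT", pkt)
```

In ufw syntax the `-d` rule is `ufw reject out to 1.2.3.4`; even then a browser connection that is already ESTABLISHED keeps passing the ufw-before-output ACCEPT until it is closed.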



Re: ufw and blocking certain IP in and out

2020-05-28 Thread songbird
Reco wrote:
>   Hi.
>
> On Thu, May 28, 2020 at 08:24:27AM -0400, songbird wrote:
>>   it seems i have a mental block block of my own here where
>> ufw is concerned...
>> 
>>   i tell it to block connections in and out from a certain
>> IP but when i visit a certain website those connections are
>> still happening.
>
> Can you show the resulting iptables rules (iptables-save format
> preferred)? ufw output is terse, but hardly useful.

  sure, appended...


>>   i'm wondering if the ISP or some other service is getting in
>> between?
>
> Definitely possible, if you're using plain HTTP.
> Complicated, and has many "if"s, but possible if you're using HTTPS.

  the website is static generated by me so there is no reason to
attack it or to get in between that i can figure out.  i just find
it annoying that i'm getting this on something that i'm supposed
to be in control of and i can't find in the code itself where
the issue is coming from.

  as a test today i made sure to regenerate a local fresh copy of
everything and overwrote the entire website.

  ok, here is iptables-save...

  thanks.  :)

=
# Generated by iptables-save v1.8.4 on Thu May 28 11:45:39 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10:400]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit 

Re: ufw and blocking certain IP in and out

2020-05-28 Thread Reco
Hi.

On Thu, May 28, 2020 at 08:24:27AM -0400, songbird wrote:
>   it seems i have a mental block block of my own here where
> ufw is concerned...
> 
>   i tell it to block connections in and out from a certain
> IP but when i visit a certain website those connections are
> still happening.

Can you show the resulting iptables rules (iptables-save format
preferred)? ufw output is terse, but hardly useful.


>   i'm wondering if the ISP or some other service is getting in
> between?

Definitely possible, if you're using plain HTTP.
Complicated, and has many "if"s, but possible if you're using HTTPS.

Reco