My 'iptables' rules change by itself and add some ip-addresses
by hkjz from LinuxQuestions.org on (#5Q2DB)
Hey Hello,
First of all - 'crontab' reloads the iptables rules at every reboot.
Recently I randomly ran the program tcpdump
to check what's happening and what connections are being made.
Problem is that my iptables got changed by some unknown force. Any idea what that could be?
When they are freshly loaded they look like this:
Code:
$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
However, during the check I had this:
Code:
$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 107.150.94.3/32 -i wlan0 -j ACCEPT
-A INPUT -s 107.150.94.3/32 -i eth0 -j ACCEPT
-A INPUT -i wlan0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -d 107.150.94.3/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 107.150.94.3/32 -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
and my tcpdump had a lot of those:
Code:
00:13:14.889336 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.889373 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.889622 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.889646 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.889866 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.890408 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890749 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890772 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:14.890790 IP 107.150.94.3.1216 > mx.52975: UDP, length 678
00:13:14.891173 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.891490 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.891620 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:14.994781 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:15.098738 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:15.098917 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:15.914889 IP mx.52975 > 107.150.94.3.1216: UDP, length 84
00:13:15.979540 IP 107.150.94.3.1216 > mx.52975: UDP, length 311
00:13:15.981930 IP mx.52975 > 107.150.94.3.1216: UDP, length 85
00:13:16.046333 IP 107.150.94.3.1216 > mx.52975: UDP, length 85
00:13:16.046538 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.046584 IP mx.52975 > 107.150.94.3.1216: UDP, length 274
00:13:16.111812 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:16.397400 IP 107.150.94.3.1216 > mx.52975: UDP, length 221
00:13:16.397589 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.400295 IP mx.52975 > 107.150.94.3.1216: UDP, length 84
00:13:16.464656 IP 107.150.94.3.1216 > mx.52975: UDP, length 311
00:13:16.466825 IP mx.52975 > 107.150.94.3.1216: UDP, length 85
00:13:16.531744 IP 107.150.94.3.1216 > mx.52975: UDP, length 85
00:13:16.531937 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.543677 IP mx.52975 > 107.150.94.3.1216: UDP, length 594
00:13:16.609471 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:16.891860 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.891892 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.891904 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:16.892080 IP 107.150.94.3.1216 > mx.52975: UDP, length 845
00:13:16.892325 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892368 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892395 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.892422 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:16.897658 IP mx.52975 > 107.150.94.3.1216: UDP, length 235
00:13:16.961150 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.105790 IP 107.150.94.3.1216 > mx.52975: UDP, length 128
00:13:17.107236 IP mx.52975 > 107.150.94.3.1216: UDP, length 303
00:13:17.172072 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.318467 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.318739 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.318820 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.319015 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.319028 IP 107.150.94.3.1216 > mx.52975: UDP, length 1391
00:13:17.319032 IP 107.150.94.3.1216 > mx.52975: UDP, length 557
00:13:17.319146 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.319854 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.320658 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.430676 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.430831 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.526959 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.527097 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:17.528375 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:17.528493 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:28.061473 IP _gateway > all-systems.mcast.net: igmp query v3
00:13:48.362757 IP _gateway > all-systems.mcast.net: igmp query v3
00:13:51.483950 IP mx.52975 > 107.150.94.3.1216: UDP, length 138
00:13:51.549192 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:13:51.677058 IP 107.150.94.3.1216 > mx.52975: UDP, length 230
00:13:51.677253 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
00:13:54.365744 IP mx.52975 > 107.150.94.3.1216: UDP, length 101
00:13:54.502097 IP 107.150.94.3.1216 > mx.52975: UDP, length 101
00:13:56.674243 ARP, Request who-has _gateway tell mx, length 28
00:13:56.675275 ARP, Reply _gateway is-at 24:4b:fe:e4:7e:00 (oui Unknown), length 46
00:14:01.381356 IP mx.52975 > 107.150.94.3.1216: UDP, length 138
00:14:01.446102 IP 107.150.94.3.1216 > mx.52975: UDP, length 77
00:14:01.572937 IP 107.150.94.3.1216 > mx.52975: UDP, length 139
00:14:01.573106 IP mx.52975 > 107.150.94.3.1216: UDP, length 77
Recently I made a similar check, and I got this:
Code:
$ sudo iptables -S
[sudo] password for mx:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 5.180.62.164/32 -i wlan0 -j ACCEPT
-A INPUT -s 5.180.62.164/32 -i eth0 -j ACCEPT
-A INPUT -i wlan0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -d 5.180.62.164/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 5.180.62.164/32 -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
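The practical first step with a rule set that "changes by itself" is to keep a known-good copy of `iptables -S` (taken right after the crontab reload) and diff the running rules against it, so that each change is caught with its position in the chain and the addresses it names. The script below is an added example, not code from the original post; the two embedded rule sets are the ones quoted above, `iptables -S` is the real command, and the function names (`parse_rules`, `diff_rules`, `head_inserted`, `report`) are this example's own. Rules of the shape seen here (allow one remote host on each interface, drop everything else on that interface, in both directions) are what a VPN client's kill-switch feature commonly installs, but whatever the source, the diff shows that they were pushed in ahead of the existing rules, which is what `iptables -I` produces rather than the `-A` appends of a reload script.

```python
"""Diff a running iptables rule set against a saved baseline.

Added example (not from the original post): reports rules missing from
the baseline, where they sit in their chain, and the addresses they name.
"""
import re
import subprocess
from collections import Counter

# Baseline: the rule set as freshly loaded at boot (quoted from the post).
BASELINE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
"""

# Observed: the rule set seen later, with the unexplained rules (quoted from the post).
OBSERVED = """\
$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 107.150.94.3/32 -i wlan0 -j ACCEPT
-A INPUT -s 107.150.94.3/32 -i eth0 -j ACCEPT
-A INPUT -i wlan0 -j DROP
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -d 107.150.94.3/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 107.150.94.3/32 -o eth0 -j ACCEPT
-A OUTPUT -o wlan0 -j DROP
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
"""

# IPv4 address of a -s (source) or -d (destination) match, optional prefix length.
ADDR_RE = re.compile(r"-[sd]\s+(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?")


def parse_rules(text):
    """Parse `iptables -S` output into (policies, chains).

    policies: chain -> default policy; chains: chain -> ordered rule specs
    (everything after `-A <chain>`). Prompt lines and other non-rule lines
    are skipped, so a pasted terminal session parses as well as raw output.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("-"):
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":
            chains.setdefault(parts[1], [])
        elif parts[0] == "-A":
            chains.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return policies, chains


def diff_rules(baseline_text, observed_text):
    """Return (added, removed, policy_changes).

    added: chain -> [(1-based position, rule)] for rules not in the baseline;
    removed: chain -> [rule] for baseline rules no longer present;
    policy_changes: chain -> (baseline policy, observed policy).
    Counting handles duplicates, so an extra copy of a known rule is reported.
    """
    b_pol, b_chains = parse_rules(baseline_text)
    o_pol, o_chains = parse_rules(observed_text)
    added, removed = {}, {}
    for chain, rules in o_chains.items():
        expected = Counter(b_chains.get(chain, []))
        for pos, rule in enumerate(rules, start=1):
            if expected[rule] > 0:
                expected[rule] -= 1
            else:
                added.setdefault(chain, []).append((pos, rule))
    for chain, rules in b_chains.items():
        present = Counter(o_chains.get(chain, []))
        for rule in rules:
            if present[rule] > 0:
                present[rule] -= 1
            else:
                removed.setdefault(chain, []).append(rule)
    policy_changes = {c: (b_pol.get(c), o_pol.get(c))
                      for c in set(b_pol) | set(o_pol) if b_pol.get(c) != o_pol.get(c)}
    return added, removed, policy_changes


def referenced_addresses(added):
    """IPv4 addresses named by -s/-d in the added rules."""
    return {a for rules in added.values() for _, rule in rules for a in ADDR_RE.findall(rule)}


def head_inserted(added):
    """Chains whose added rules form a block at positions 1..n: they were
    inserted ahead of the existing rules (iptables -I), not appended (-A)."""
    return sorted(c for c, rules in added.items()
                  if [p for p, _ in rules] == list(range(1, len(rules) + 1)))


def live_rules():
    """Running rule set; needs root, so run the script under sudo."""
    return subprocess.run(["iptables", "-S"], check=True, capture_output=True, text=True).stdout


def report(baseline_text, observed_text):
    """Summary lines, returned rather than printed so they can be logged or tested."""
    added, removed, policy_changes = diff_rules(baseline_text, observed_text)
    lines = [f"policy {c}: {old} -> {new}" for c, (old, new) in sorted(policy_changes.items())]
    lines += [f"added   {c}[{pos}]: {rule}" for c, rules in sorted(added.items()) for pos, rule in rules]
    lines += [f"removed {c}: {rule}" for c, rules in sorted(removed.items()) for rule in rules]
    if head_inserted(added):
        lines.append("inserted at head of: " + ", ".join(head_inserted(added)))
    if referenced_addresses(added):
        lines.append("addresses in added rules: " + ", ".join(sorted(referenced_addresses(added))))
    return lines or ["no differences from baseline"]


if __name__ == "__main__":
    # Compare the two quoted rule sets; pass live_rules() instead of OBSERVED
    # to check the running system against a baseline saved with `iptables -S`.
    print("\n".join(report(BASELINE, OBSERVED)))
```

Save the baseline with `sudo iptables -S > baseline.rules` immediately after the crontab reload, then run the diff from a second cron entry or by hand whenever the traffic looks unfamiliar; the position column tells insertions from appends, and the address list is what to look up in the process list (`ss -unp` shows which process owns the UDP socket talking to it).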