kazaa, dante, and iptables

From: John Allman (allmanj@houseofireland.com)
Date: 11/27/02

    Date: Wed, 27 Nov 2002 17:30:53 +0000
    From: John Allman <allmanj@houseofireland.com>
    To: focus-linux@securityfocus.com

    Hi - I'd like to allow Kazaa access to an internal network, and was
    considering using a Dante proxy server and some carefully crafted
    iptables rules to only allow outgoing traffic.

    Now, at first I thought just allowing access to destination port 1214,
    both TCP and UDP, would be enough, but that wasn't getting me diddly. I
    stopped the client from attempting to use the proxy and did a tcpdump to
    see what it was up to. As it started up it began sending a lot of UDP
    packets with source port 1214 out. The destination ports were always
    different but usually somewhere above 3000.

    Now I'm not too happy to allow out this traffic, as it's not as easy to
    be sure of, but I'm thinking to myself that since Dante is run by user
    sockd, I can put in a few owner matching rules and make this slightly
    secure.

    However, after allowing the proxy server to make UDP connections from
    source port 1214 I did a tcpdump and still found it was sending out no
    traffic. This could be because of a badly crafted rule or a complete
    lack of understanding of the situation on my part.

    I checked Dante's logs and spotted this:

    Nov 21 12:21:17 sockd[17507]: internal addresses (1):
    Nov 21 12:21:17 sockd[17507]: 192.168.0.207.6001
    Nov 21 12:21:17 sockd[17507]: external addresses (1):
    Nov 21 12:21:17 sockd[17507]: 172.20.1.2/0.0.0.0
    Nov 21 12:21:17 sockd[17507]: compatibility options:
    Nov 21 12:21:17 sockd[17507]: extensions enabled:
    Nov 21 12:21:17 sockd[17507]: logoutput goes to: syslog, files (2)
    Nov 21 12:21:17 sockd[17507]: debug level: 0
    Nov 21 12:21:17 sockd[17507]: resolveprotocol: udp
    Nov 21 12:21:17 sockd[17507]: address/host mismatch tolerated: yes
    Nov 21 12:21:17 sockd[17507]: unresolvable addresses tolerated: yes
    Nov 21 12:21:17 sockd[17507]: negotiate timeout: 0s
    Nov 21 12:21:17 sockd[17507]: I/O timeout: 0s
    Nov 21 12:21:17 sockd[17507]: euid: 0
    Nov 21 12:21:17 sockd[17507]: userid.privileged: 0
    Nov 21 12:21:17 sockd[17507]: userid.unprivileged: 504
    Nov 21 12:21:17 sockd[17507]: userid.libwrap: 0
    Nov 21 12:21:17 sockd[17507]: method(s): none
    Nov 21 12:21:17 sockd[17507]: clientmethod(s): none
    Nov 21 12:21:17 sockd[17507]: dante/server v1.1.10 running
    Nov 26 09:21:35 sockd[17516]: run_request(): sending ack to mother
    failed: Broken pipe (errno = 32)

    My iptables rules look like this:
    To allow Kazaa traffic:

    #allow tcp destination port 1214 out
    $ipt -A OUTPUT -o eth1 -p tcp -s $outip -d 0.0.0.0/0 --dport 1214 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -i eth1 -p tcp -d $outip -s 0.0.0.0/0 --sport 1214 \
        -m state --state ESTABLISHED -j ACCEPT

    #allow udp destination port 1214 out
    $ipt -A OUTPUT -o eth1 -p udp -s $outip -d 0.0.0.0/0 --dport 1214 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -i eth1 -p udp -d $outip -s 0.0.0.0/0 --sport 1214 \
        -m state --state ESTABLISHED -j ACCEPT

    #allow tcp source port 1214 out
    $ipt -A OUTPUT -o eth1 -p tcp -s $outip -d 0.0.0.0/0 --sport 1214 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -i eth1 -p tcp -d $outip -s 0.0.0.0/0 --dport 1214 \
        -m state --state ESTABLISHED -j ACCEPT

    #allow udp source port 1214 out
    $ipt -A OUTPUT -o eth1 -p udp -s $outip -d 0.0.0.0/0 --sport 1214 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -i eth1 -p udp -d $outip -s 0.0.0.0/0 --dport 1214 \
        -m state --state ESTABLISHED -j ACCEPT

    To allow SOCKS:
    #allow the internal network to reach the socks listener on 6001
    $ipt -A INPUT -i eth0 -p tcp -d $intip -s $intnws --dport 6001 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $ipt -A OUTPUT -o eth0 -p tcp -s $intip -d $intnws --sport 6001 \
        -m state --state ESTABLISHED -j ACCEPT

    The SOCKS proxy is running on port 6001. outip is the external IP address
    of the proxy server. intip is the internal IP address of the proxy server.
    ipt is iptables. eth1 is the external interface of the proxy server.
    eth0 is the internal interface of the proxy server. As I said, ideally
    I'd like to put in some process owner matching rules too, but to my mind
    the above should be sufficient to test anyway.

    It takes up space so I don't want to post my entire sockd.conf, but this
    is the output of sockd -V. If anyone thinks it will be beneficial I'll
    post my sockd.conf.

    gw:/home/john # sockd -V
    Nov 27 17:14:35 sockd[2265]: internal addresses (1):
    Nov 27 17:14:35 sockd[2265]: 192.168.0.207.6001
    Nov 27 17:14:35 sockd[2265]: external addresses (1):
    Nov 27 17:14:35 sockd[2265]: 172.20.1.2/0.0.0.0
    Nov 27 17:14:35 sockd[2265]: compatibility options:
    Nov 27 17:14:35 sockd[2265]: extensions enabled:
    Nov 27 17:14:35 sockd[2265]: logoutput goes to: syslog, files (2)
    Nov 27 17:14:35 sockd[2265]: debug level: 0
    Nov 27 17:14:35 sockd[2265]: resolveprotocol: udp
    Nov 27 17:14:35 sockd[2265]: address/host mismatch tolerated: yes
    Nov 27 17:14:35 sockd[2265]: unresolvable addresses tolerated: yes
    Nov 27 17:14:35 sockd[2265]: negotiate timeout: 0s
    Nov 27 17:14:35 sockd[2265]: I/O timeout: 0s
    Nov 27 17:14:35 sockd[2265]: euid: 0
    Nov 27 17:14:35 sockd[2265]: userid.privileged: 0
    Nov 27 17:14:35 sockd[2265]: userid.unprivileged: 504
    Nov 27 17:14:35 sockd[2265]: userid.libwrap: 0
    Nov 27 17:14:35 sockd[2265]: method(s): none
    Nov 27 17:14:35 sockd[2265]: clientmethod(s): none

    Do I have something misconfigured? Can anyone suggest a secure (or
    mostly secure) way to allow enough Kazaa traffic for searches and
    downloads? Should I scrap the whole project? I was thinking maybe
    there's some sort of problem with Dante and UDP? Running Dante
    v1.1.10 on a SuSE 8.0 box.

    Any advice would be appreciated.

    Thanks,

    John
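An added example, not part of John's post and not Dante's own tooling: a dry-run shell script that builds the rule set the post is reaching for, with the `-m owner --uid-owner` match applied to everything the proxy sends on the external interface, so the UDP rule no longer has to guess destination ports. It keeps the post's variable and interface names, assumes (this is not stated on the page) that Dante's relay processes run under a user named `sockd`, and defaults `IPT` to `echo iptables` so that it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables rules for a
# Dante SOCKS proxy relaying Kazaa. Only packets emitted by the proxy's own
# uid may leave on the external interface; replies are admitted by conntrack.
# Assumption (not on the page): the Dante relay runs as user "sockd".
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables as root
# to actually load the rules.

IPT="${IPT:-echo iptables}"

kazaa_rules() {
    outip="$1"      # external address of the proxy
    intip="$2"      # internal address of the proxy
    intnws="$3"     # internal network allowed to use the proxy
    sockd_uid="$4"  # user (or numeric uid) the Dante relay runs as
    ext="${5:-eth1}"  # external interface, as in the post
    int="${6:-eth0}"  # internal interface, as in the post

    # SOCKS listener: only the internal network may reach port 6001.
    $IPT -A INPUT -i "$int" -p tcp -s "$intnws" -d "$intip" --dport 6001 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$int" -p tcp -s "$intip" -d "$intnws" --sport 6001 \
        -m state --state ESTABLISHED -j ACCEPT

    # Kazaa TCP: new outbound connections to peers on 1214, owned by sockd only.
    $IPT -A OUTPUT -o "$ext" -p tcp -s "$outip" --dport 1214 \
        -m owner --uid-owner "$sockd_uid" -m state --state NEW -j ACCEPT
    # Kazaa UDP: destination ports vary (the post's tcpdump saw them above
    # 3000), so match on the owning uid instead of a fixed port.
    $IPT -A OUTPUT -o "$ext" -p udp -s "$outip" \
        -m owner --uid-owner "$sockd_uid" -m state --state NEW -j ACCEPT

    # Established flows of either protocol continue; replies come back only
    # if conntrack already knows the flow.
    $IPT -A OUTPUT -o "$ext" -s "$outip" -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$ext" -d "$outip" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log, then drop, anything else trying to leave on the external interface
    # (a non-sockd process trying to talk out shows up in the log).
    $IPT -A OUTPUT -o "$ext" -j LOG --log-prefix "OUT-DENY: "
    $IPT -A OUTPUT -o "$ext" -j DROP
}

# Addresses taken from the post's sockd -V output; the /24 is a constructed guess.
kazaa_rules 172.20.1.2 192.168.0.207 192.168.0.0/24 sockd
```

The owner match is only available in the OUTPUT (and POSTROUTING) chains, which is why it appears on the outbound rules alone; inbound traffic is admitted purely by connection state. If the relay turns out to run under the numeric uid reported as `userid.unprivileged` rather than a named user, pass that number as the fourth argument.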
