
CC_ALLOW_FILTER on specific port

Posted: 31 Jan 2013, 20:55
by Nerigal
Hi,

Just have a question: is it possible to use CC_ALLOW_FILTER on a specific port, like allowing destination port 20/21 only to CA/US,
so all other countries can still access web pages etc... but stop attacks on FTP access.

Thanks.

Re: CC_ALLOW_FILTER on specific port

Posted: 08 Feb 2013, 20:30
by Nerigal
This was added in the last release, 5.74, and I'm grateful for this... thanks a lot.
But the way CSF manages iptables rules makes it very, very unstable.

Need to build an optimized rule tree based on the netmask blocked (/8, /16, /20, /22, /24, /26, etc.)
and think about managing it via iptables-save and iptables-restore.

This kind of config is very secure, but with it iptables has to manage
more than 80k rules....

I know that it is possible to run even more rules than that with iptables, but it needs some help...
I will search and post more hints about that later on.

Re: CC_ALLOW_FILTER on specific port

Posted: 11 Feb 2013, 20:01
by Nerigal
So.. more updates...

The solutions I found to do this well are to use ipset and xtables-addons;
both can be found on netfilter.org and have some very interesting features.

I'm not used to Perl or I would code a patch myself.

http://netfilter.org/projects/ipset/index.html
http://netfilter.org/projects/xtables-addons/index.html
http://xtables-addons.sourceforge.net/modules.php

Thanks.
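As an added illustration of the ipset approach mentioned in this post and the iptables-save/restore idea from the earlier one (example code written for this thread, not CSF's own and not from netfilter.org), the script below collapses a per-CIDR chain like CC_ALLOWP in the listing further down (4024 references to CC_ALLOWPLIST) into one hash:net set and a handful of port rules. The set name cc_ca_us, the chain name and the CIDR values are constructed placeholders, not a real country list; the script only emits text for `ipset restore` and `iptables-restore` so the result can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: build ipset/iptables-restore fragments instead of one
# iptables rule per CIDR. Nothing here modifies the running firewall.

# Constructed sample CIDRs (hypothetical, not a real CC_ALLOW_FILTER list).
SAMPLE_CIDRS="217.195.16.0/20
217.194.80.0/20
217.175.190.0/23
217.174.192.0/19"

# gen_ipset_restore <setname>   (CIDRs on stdin, one per line)
# Emits an `ipset restore` script: one hash:net set plus one add per CIDR.
# -exist makes the script idempotent when re-applied after a CC list refresh.
gen_ipset_restore() {
    set_name=$1
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$set_name"
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue          # skip blank lines
        case $cidr in \#*) continue ;; esac # skip comments
        printf 'add %s %s -exist\n' "$set_name" "$cidr"
    done
}

# gen_iptables_rules <setname> <chain> <port>...
# Emits iptables-restore lines for a dedicated chain: accept NEW TCP to each
# port only when the source is in the set, then drop that port for everyone
# else. One set match replaces thousands of per-CIDR chain jumps.
gen_iptables_rules() {
    set_name=$1; chain=$2; shift 2
    for port in "$@"; do
        printf '%s\n' "-A $chain -p tcp -m set --match-set $set_name src -m conntrack --ctstate NEW --dport $port -j ACCEPT"
        printf '%s\n' "-A $chain -p tcp --dport $port -j DROP"
    done
}

# gen_filter_fragment <setname> <chain> <port>...
# Wraps the rules in a *filter table block that iptables-restore -n accepts;
# the chain must already be created and jumped to (as CSF does from LOCALINPUT).
gen_filter_fragment() {
    printf '*filter\n'
    gen_iptables_rules "$@"
    printf 'COMMIT\n'
}

# Stand-alone run: print both fragments for review (FTP ports 20/21 as in the thread).
printf '%s\n' "$SAMPLE_CIDRS" | gen_ipset_restore cc_ca_us
gen_filter_fragment cc_ca_us CC_ALLOWP 20 21
```

Loading would then be `ipset restore < sets.txt` followed by `iptables-restore -n < rules.txt`; the order matters because the rules reference the set.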

Re: CC_ALLOW_FILTER on specific port

Posted: 15 Feb 2013, 17:30
by Nerigal
Still having trouble with the CC_ALLOW_FILTER option.

Seems like port filtering doesn't work correctly if you do it out of both the INPUT and OUTPUT chains.
csf adds a reference to CC_ALLOWP in LOCALINPUT, and then
CC_ALLOWP holds rules that point to CC_ALLOWPLIST, which holds the port filtering rules depending on the CC lookup.

But this doesn't work for me.

Can anyone else confirm?

Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp dpt:53
2 ACCEPT udp -- 192.168.0.1 0.0.0.0/0 udp dpt:53
3 ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp spt:53
4 ACCEPT udp -- 192.168.0.1 0.0.0.0/0 udp spt:53
5 LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
13 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1311
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2222
23 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
24 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
25 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
26 LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:53
2 ACCEPT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:53
3 ACCEPT tcp -- 0.0.0.0/0 192.168.0.1 tcp spt:53
4 ACCEPT udp -- 0.0.0.0/0 192.168.0.1 udp spt:53
5 LOCALOUTPUT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
11 INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
12 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
19 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
20 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
21 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
22 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
23 LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0

Chain ALLOWIN (1 references)
num target prot opt source destination
1 ACCEPT all -- 192.168.0.101 0.0.0.0/0

Chain ALLOWOUT (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 192.168.0.101

Chain CC_ALLOWP (1 references)
num target prot opt source destination
1 CC_ALLOWPLIST all -- 217.195.16.0/20 0.0.0.0/0
2 CC_ALLOWPLIST all -- 217.194.80.0/20 0.0.0.0/0
3 CC_ALLOWPLIST all -- 217.175.190.0/23 0.0.0.0/0
4 CC_ALLOWPLIST all -- 217.175.188.0/24 0.0.0.0/0
5 CC_ALLOWPLIST all -- 217.175.184.0/22 0.0.0.0/0
6 CC_ALLOWPLIST all -- 217.175.180.0/23 0.0.0.0/0
7 CC_ALLOWPLIST all -- 217.175.178.0/24 0.0.0.0/0
8 CC_ALLOWPLIST all -- 217.175.176.0/24 0.0.0.0/0
9 CC_ALLOWPLIST all -- 217.175.175.0/24 0.0.0.0/0
10 CC_ALLOWPLIST all -- 217.175.173.0/24 0.0.0.0/0
11 CC_ALLOWPLIST all -- 217.175.168.0/22 0.0.0.0/0
12 CC_ALLOWPLIST all -- 217.175.164.0/22 0.0.0.0/0
13 CC_ALLOWPLIST all -- 217.175.162.0/23 0.0.0.0/0
14 CC_ALLOWPLIST all -- 217.175.161.0/24 0.0.0.0/0
15 CC_ALLOWPLIST all -- 217.174.192.0/19 0.0.0.0/0
...

Chain CC_ALLOWPLIST (4024 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21

Chain DENYIN (1 references)
num target prot opt source destination

Chain DENYOUT (1 references)
num target prot opt source destination

Chain DSHIELD (1 references)
num target prot opt source destination
1 DROP all -- 50.57.69.0/24 0.0.0.0/0
...
20 DROP all -- 151.25.229.0/24 0.0.0.0/0

Chain INVALID (2 references)
num target prot opt source destination
1 INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
...
10 INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
num target prot opt source destination
...
11 DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALINPUT (1 references)
num target prot opt source destination
1 ALLOWIN all -- 0.0.0.0/0 0.0.0.0/0
2 DENYIN all -- 0.0.0.0/0 0.0.0.0/0
3 DSHIELD all -- 0.0.0.0/0 0.0.0.0/0
4 SPAMHAUS all -- 0.0.0.0/0 0.0.0.0/0
5 CC_ALLOWP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num target prot opt source destination
1 ALLOWOUT all -- 0.0.0.0/0 0.0.0.0/0
2 DENYOUT all -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPIN (1 references)
num target prot opt source destination
...
20 DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (1 references)
num target prot opt source destination
...
4 DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SPAMHAUS (1 references)
num target prot opt source destination
1 DROP all -- 204.8.87.0/24 0.0.0.0/0
2 DROP all -- 195.88.230.0/23 0.0.0.0/0
3 DROP all -- 194.135.54.0/24 0.0.0.0/0
4 DROP all -- 188.247.232.0/24 0.0.0.0/0
5 DROP all -- 188.229.19.0/24 0.0.0.0/0
6 DROP all -- 162.97.244.0/22 0.0.0.0/0
7 DROP all -- 146.185.255.0/24 0.0.0.0/0
8 DROP all -- 95.64.42.0/24 0.0.0.0/0
...