Blocking Active Connections With iptables

Asked by Thomas Scarborough on 2010-11-13

At least two IP addresses appear continually in my Firestarter’s “Active Connections” box: 174.129.241.144 and 174.129.193.12 – even on boot-up. These chew up tens if not hundreds of megabytes of broadband a day – a luxury which, in Africa, I do not have. I discover that the same problem has been reported and solved with iptables at http://ubuntuforums.org/showthread.php?p=9549132. However, the solution is not posted! (I have tried to contact the originator.) The IP addresses above are amazon.com. amazon.com acknowledge that their “environment” is responsible for this, yet claim that it is “unauthorized” activity. I am fairly innocent of Ubuntu’s inner workings, and would be most grateful for your help in implementing the solution.

Question information

Language: English
Status: Open
For: Ubuntu firestarter
Assignee: No assignee
Last query: 2010-11-16
Last reply: 2010-11-15
Sam_ (and-sam) said : #2

The question is assigned to Firestarter
https://help.ubuntu.com/community/Firestarter
so I assume it can't handle disabling IPs; hence maybe try Ubuntu's standard firewall, UFW.
https://help.ubuntu.com/community/UFW#Deny%20Access

Thomas Scarborough (scarboro) said : #3

I have tried really hard to follow the leads I have received, bearing in mind that I have come from about zero knowledge at the start. I read dozens of pages, and tried for hours. I sense that the most hopeful thing I have tried is this:

   sudo -i
   gksudo gedit /etc/ufw/before.rules

Then I inserted the following lines after # drop INVALID packets:

   # Block IP
   -A ufw-before-input -s 174.129.193.12 -j DROP
   -A ufw-before-input -s 174.129.241.144 -j DROP

My intention here was to block these two IP addresses on boot-up. However, this did not work. Am I close to the answer? What am I missing? Your help would be greatly appreciated.

Sam_ (and-sam) said : #4

Wiki says:
example:To block packets from 207.46.232.182:
sudo ufw deny from 207.46.232.182

UFW has three stages:
/etc/ufw/before.rules
/var/lib/ufw/user.rules
/etc/ufw/after.rules

user.rules overwrites before.rules; after.rules overwrites user.rules.

If the default rule is deny, then a specified rule would be allow.
If the default is allow, then a specific rule would be deny.

Thomas Scarborough (scarboro) said : #5

I'm trying hard, but I cannot get this to work. Again, I am trying to reject 174.129.241.144 and 174.129.193.12 from Firestarter’s “Active Connections” box from boot-up, as they are chewing up my broadband as fast as it goes. I tried adding the following lines to /etc/iptables.rules:

     # -s is required: the address is a source match, not a positional argument
     iptables -I INPUT -s 174.129.193.12 -j DROP
     iptables -I INPUT -s 174.129.241.144 -j DROP

This didn't work (I am re-booting my computer to test each change). Then I tried adding the following lines to /etc/ufw/before.rules, first after and then before other lines in that file:

     -A ufw-before-input -s 174.129.193.12 -j DROP
     -A ufw-before-input -s 174.129.241.144 -j DROP

None of these attempts worked.

So I tried adding these same lines to /etc/ufw/user.rules. This didn’t work either. I also tried adding these same lines to /var/lib/ufw/user.rules as suggested, but this was rejected with “Could not find the file /var/lib/ufw/user.rules.” I am stuck.

Thomas Scarborough (scarboro) said : #6

Continuing my quest, I entered these iptables lines at the terminal:

     # -s is required: the address is a source match, not a positional argument
     iptables -I INPUT -s 174.129.193.12 -j DROP
     iptables -I INPUT -s 174.129.241.144 -j DROP

Then I saved them:

     # redirect to the file; iptables-save alone only prints to the terminal
     iptables-save > /etc/iptables.rules

Then I edited the interfaces file:

     gksudo gedit /etc/network/interfaces

Then I added this line:

     pre-up iptables-restore < /etc/iptables.rules

Still this does not work.

Sam_ (and-sam) said : #7

Maybe there still is a conflict between Firestarter, iptables and NetworkManager or between using them all together (incl. ufw).
However, Wiki says
<The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.>
Did you add this one also?

Firestarter rather isn't recommended; unless running a server, I'd prefer Gufw.
https://help.ubuntu.com/community/Firestarter
http://ubuntuforums.org/showthread.php?t=823741

## Sorry, /var/lib/ufw/user.rules isn't current; it's /lib/ufw/user.rules
https://wiki.ubuntu.com/UncomplicatedFirewall

Thomas Scarborough (scarboro) said : #8

I have carefully studied the suggestions, and have tried various things in addition now, each time restarting Ubuntu to test:

* I inserted the rules in a file called /etc/sysconfig/iptables. I followed an instruction that when inserting rules into iptables, one omits the preceding "iptables". It didn't work. I removed the rules again.
* I inserted the rules in a file called /etc/iptables.rules. It didn't work. I removed the rules again.
* I again inserted the rules in /etc/ufw/before.rules. I used the variant formulation required for ufw. It didn't work. I removed the rules again.
* I inserted the rules in /etc/ufw/ufw-before-input. I found this recommendation in the file /etc/ufw/before.rules. It didn't work. I removed the rules again.
* I followed a recommendation that I reject all incoming packets as follows: sudo -i / ufw logging on / ufw default deny / ufw enable / exit. It didn't work.
* In the answer above, the second link leads to a comment: "Finally a link that works!" But the link responds: "Sorry, Nothing was Found."

And still the given IP addresses chew up tens, hundreds of megabytes of my precious African broadband.

Sam_ (and-sam) said : #9

> "Finally a link that works!" But the link responds: "Sorry, Nothing was Found."

Not sure if answer #8 refers to the link of the howto from ubuntuforums or to the screenshot about gufw.
If you mean gufw (GUI for UFW) it's in the universe repository and can be installed via e.g. Synaptic or apt-get.
http://packages.ubuntu.com/search?suite=default&section=all&arch=any&searchon=names&keywords=gufw

Thomas Scarborough (scarboro) said : #10

Thank you. I was referring to the gufw screenshot. I have gufw. I have tried it. I have added the appropriate rules. It didn't work.

I don't mean to be unkind, but I am beginning to suspect that this is all they say that Linux is about. The problem seems simple: I have two IP addresses. They are big trouble. I need to block them on start-up.

Yet discussion runs into a thousand words, and a dozen attempted solutions fail. However, let's keep trying. I have no other lifeline at the moment.

Sam_ (and-sam) said : #11

Seems iptables needs a script added for upstart in order to invoke the rule after reboot.
http://upstart.ubuntu.com/
But according to bug report comment #6 ufw is already using upstart scripts.
Where this just says how to save configuration.
https://help.ubuntu.com/community/IptablesHowTo#Saving%20iptables

Maybe in the meantime test this one.
http://ubuntuforums.org/showthread.php?t=530183

Thomas Scarborough (scarboro) said : #12

OK, I continued like this:

But to begin with, something in what I describe below causes me now to be denied access to this Ubuntu Answers page, which makes this discussion difficult for me. I am unable to reply on Ubuntu pages with Ubuntu, and need to use another connection.

I believe this could be because something in the actions below wiped out my /etc/ufw/before.rules file. How therefore would I restore this? Or restore whatever else might now have failed? I believe this might have happened at the point below where I followed the netadmintools.com advice.

I think one might understand that I am feeling very frustrated with Ubuntu.

So this is what I did:

* I installed Upstart as recommended, and I read the documentation. Unfortunately, I was unable to see or understand any way that this related to my problem.

* I installed IPblock as recommended, which seemed to go perfectly. However, IPblock failed to work, producing various error messages. I have described the failure in detail at the iplist Help Forum here: https://sourceforge.net/projects/iplist/forums/forum/706039/topic/3947418

* I entered the relevant iptables commands at the Terminal, then tried iptables-save and iptables-restore as recommended. iptables-restore failed to execute, with continual error messages: line x failed.

* Then I radically altered the /etc/ufw/before.rules file to hash out almost everything but my IP “exclusion” rules.

* I again went back to the /etc/iptables.rules file, and tried various things. Again this failed to produce any result.

* I followed a lead on netadmintools.com which I reached through the first recommendation on this page, and I used the command: route add -host <IP address> reject. This also failed to work.

Perhaps I might add some information, which I think I originally gave but was cast adrift when my problem was redirected:

* Firestarter’s Active Connections reports: Source:192.168.1.101 Destination: 174.129.193.12 [and similarly 174.129.241.144] Port:443 Service:HTTPS Program:python. This is what chews up my broadband with continual activity.

* Firestarter’s Blocked Connections reports: “Time:Nov 15 18:14:38 Direction: Unknown In:eth0 Out: Port:59063 Source:174.129.193.12 Destination:192.168.1.101 Length:40 TOS:0x18 Protocol:TCP Service:Unknown”. These lines at times appear in the “Blocked Connections” list ten to a second.

Can you help with this problem?
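An added worked example, not code from the thread or from any of its participants, that pulls the pieces of #6 and #12 together. The Firestarter output in #12 shows the traffic that costs bandwidth is outbound: the local python program at 192.168.1.101 opening HTTPS (port 443) connections to the two addresses. An INPUT rule matched on the source address, which is what every attempt above wrote, can only touch packets coming back in; the outgoing connections have to be matched on the destination (-d) in the OUTPUT chain. The script below generates such a ruleset in iptables-restore format, in both directions, loads it without flushing whatever ufw or Firestarter already installed, and writes it to the /etc/iptables.rules path used in #6. The two addresses and that file path are taken from the thread; the script name, function names and the choice of DROP are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate and install iptables rules that cut
# off the two addresses named above in BOTH directions, and write them to disk so
# they can be restored at boot.
# Assumptions: the addresses and the file path come from the thread; the script
# name, function names and the DROP target are this example's own choices.

BLOCKED_IPS="174.129.241.144 174.129.193.12"
RULES_FILE="/etc/iptables.rules"

# Emit a complete filter-table ruleset in iptables-restore format.
# Rules are inserted (-I) at the head of INPUT and OUTPUT so they match before any
# ACCEPT rule that Firestarter, ufw or an earlier script may already have added.
gen_block_rules() {
    printf '%s\n' '*filter'
    for ip in $BLOCKED_IPS; do
        # Inbound packets FROM the remote host (what Firestarter lists as blocked).
        printf '%s\n' "-I INPUT -s $ip -j DROP"
        # Outbound packets TO the remote host: the local python process connecting
        # to port 443 is the real bandwidth consumer, and only an OUTPUT rule keyed
        # on the destination (-d) stops it; an INPUT rule never sees those packets.
        printf '%s\n' "-I OUTPUT -d $ip -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Load the rules into the running kernel without flushing the existing table
# (--noflush), so rules already installed by ufw/Firestarter survive. Needs root.
apply_block_rules() {
    gen_block_rules | iptables-restore --noflush
}

# Write the ruleset to disk. Note that "iptables-save" with no redirection only
# prints to the terminal; nothing is saved unless its output goes into a file.
save_block_rules() {
    gen_block_rules > "$RULES_FILE"
}

# Show whether the rules are live, with a packet counter per rule (needs root).
# A climbing counter on the OUTPUT rule is the python process being stopped.
show_block_rules() {
    for ip in $BLOCKED_IPS; do
        iptables -nvL INPUT  | grep -F -- "$ip"
        iptables -nvL OUTPUT | grep -F -- "$ip"
    done
}

# Usage (as root):  sh block-amazon.sh apply   # install into the running kernel
#                   sh block-amazon.sh save    # write $RULES_FILE for the next boot
#                   sh block-amazon.sh show    # verify, and watch the counters
case "${1:-}" in
    apply) apply_block_rules ;;
    save)  save_block_rules ;;
    show)  show_block_rules ;;
esac
```

To make the rules survive a reboot, run `iptables-restore --noflush < /etc/iptables.rules` from somewhere that is executed as root at boot, for example /etc/rc.local, rather than as a `pre-up` line in /etc/network/interfaces: ifupdown only runs those hooks for interfaces it configures itself, and an eth0 managed by NetworkManager is not one of them, which would explain why the `pre-up` attempt in #6 had no effect. The same block can be expressed with ufw, which persists its own rules without any extra boot script: `ufw deny out to 174.129.241.144` for the outbound side and `ufw deny from 174.129.241.144` for the inbound side, repeated for the second address. DROP makes the python client wait for timeouts before retrying; if it retries aggressively, `-j REJECT` on the OUTPUT rule fails its connections immediately instead.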
