I keep getting notices from my ISP (ATT) that I have an open port. I've
tried to block it and nothing seems to satisfy them. So far I'm not
detecting any traffic on that port, but in an abundance of caution I'm
reluctant to post too much information. So I'll try to describe what is
going on.
I have a computer running Ubuntu 18.04.6 LTS (GNU/Linux
4.4.0-109-generic i686) using iptables to do address mapping to my block
of static IP addresses. I am also running fail2ban, which appears to be
running as expected.
In the routing section I have pairs of statements doing the Address
Translation, one pair for each IP address:
-A PREROUTING -d aa.bb.cc.12/32 -j DNAT --to-destination 192.168.1.29
-A POSTROUTING -s 192.168.1.29/32 -j SNAT --to-source aa.bb.cc.12
-A POSTROUTING -o enp1s0 -j MASQUERADE
I have other ports I have blocked which seem to work. In fact I got
similar notices for those ports and added an INPUT and OUTPUT statement
for each port, both tcp and udp, both general and for specific IP
address ranges.
-A INPUT -p tcp -m tcp --dport <port> -j DROP
-A INPUT -p udp -m udp --dport <port> -j DROP
-A OUTPUT -p tcp -m tcp --dport <port> -j DROP
-A OUTPUT -p udp -m udp --dport <port> -j DROP
-A INPUT -s aa.bb.cc.8/29 -p tcp -m tcp --dport <port> -j DROP
-A INPUT -s aa.bb.cc.8/29 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.8/29 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.8/29 -p tcp -m tcp --dport <port> -j DROP
The notice I get from my ISP says the port is a udp port for a Windows
service on a Windows server (the only one we have).
With my limited understanding of iptables this seems like it should
work, but apparently it does not.
I guess I could add an INPUT and OUTPUT statement for the specific IP
address, something like this:
-A INPUT -s aa.bb.cc.9/32 -p udp -m udp --dport <port> -j DROP
-A OUTPUT -s aa.bb.cc.9/32 -p udp -m udp --dport <port> -j DROP
--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
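Added example, not the poster's own configuration: a packet that nat PREROUTING has DNAT'd to an internal host is routed onward and traverses the FORWARD chain, so INPUT and OUTPUT rules on the gateway never see it. The script below emits (or, as root, applies) FORWARD rules that drop the port for forwarded traffic, matching the pre-DNAT public address via conntrack, and a rate-limited LOG rule so the kernel log shows whether anything is actually hitting the port; it assumes the post's placeholder values aa.bb.cc.12, 192.168.1.29 and enp1s0, and the port 12345 used in the comments is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the original post. Placeholder values taken
# from the post: public aa.bb.cc.12 is DNAT'd to 192.168.1.29 via enp1s0.
PUBLIC_IP="aa.bb.cc.12"
INTERNAL_IP="192.168.1.29"
WAN_IF="enp1s0"

# Return 0 only if $1 is a valid TCP/UDP port number (1-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit filter-table rules for a DNAT'd port. After nat PREROUTING rewrites
# the destination to 192.168.1.29 the packet is forwarded, so it goes through
# FORWARD, never INPUT. Inserted at position 1 so they precede any ACCEPT.
forward_drop_rules() {
    port="$1"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    for proto in udp tcp; do
        # The destination is already rewritten, so match the internal host
        # and the original (pre-DNAT) public address recorded by conntrack.
        echo "-I FORWARD 1 -i $WAN_IF -d $INTERNAL_IP -m conntrack --ctorigdst $PUBLIC_IP -p $proto -m $proto --dport $port -j DROP"
    done
}

# Rate-limited LOG rule in front of the drops, so the kernel log shows
# whether the ISP's scanner (or anyone else) is actually reaching the port.
forward_log_rule() {
    valid_port "$1" || return 1
    echo "-I FORWARD 1 -i $WAN_IF -p udp -m udp --dport $1 -m limit --limit 5/min -j LOG --log-prefix DNAT-PORT-DROP:"
}

# As root with iptables available, apply the rules; otherwise print them
# so they can be reviewed or pasted into an iptables-restore file.
apply_or_print() {
    port="$1"
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        { forward_drop_rules "$port"; forward_log_rule "$port"; } | while read -r rule; do
            # shellcheck disable=SC2086  # intentional word splitting
            iptables $rule
        done
    else
        forward_drop_rules "$port"
        forward_log_rule "$port"
    fi
}

# Usage: ./block_forwarded_port.sh 12345   (12345 is a constructed example)
if [ "$#" -gt 0 ]; then apply_or_print "$1"; fi
```

After applying, `iptables -L FORWARD -v -n` shows per-rule packet counters, which is the quickest way to confirm whether the port is being hit at all.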