[Techtalk] How to block Blaster Worm from iptables ?

perimorph perimorph at mindspring.com
Sat Aug 23 11:24:17 EST 2003


Mohammad,

I think the best thing to do would be to block both incoming and
outgoing traffic on the two vulnerable ports.  The infected clients will
still attempt to send packets, but your firewall should silently drop
them.  That should prevent the virus from getting worse until the
infected machines can be cleaned.

When you said allowing the infected machines to use the network slowed
it down, did you mean it slowed down your LAN, or it slowed down your
internet access?  Blocking it from the firewall will only help with the
internet's speed.  Also, this will do nothing to keep the virus from
spreading across your LAN if the computers have access to each other. 
Since these are Windows machines, I'd strongly recommend asking your
clients to use a basic firewall program such as Zone Alarm to prevent
worms from spreading internally.

Try adding this to your script right after the "flush" section, but
before the "transparent proxy" section.

> #  Flush all Rules
> /sbin/iptables --flush
> /sbin/iptables --table nat --flush
> /sbin/iptables --delete-chain
> /sbin/iptables --table nat --delete-chain

# Block incoming Blaster Worm traffic on ports 153 and 707
# (--dport only works together with -p; tcp is assumed here)
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 153 -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 707 -j DROP

# Block infected machines from spreading Blaster Worm on 153 and 707
/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 153 -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 707 -j DROP

> #  for transparent proxy
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Hope this helps!
--ash
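
Added example, not part of the original post: since the DROP rules are silent, a LOG rule placed before each one lets the firewall's kernel log show which clients are still sending on the blocked ports and need cleaning. The log prefix "BLASTER-DROP: ", the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumes a LOG rule with the hypothetical prefix "BLASTER-DROP: " was added
# before each DROP rule, for example:
#   /sbin/iptables -A INPUT -i eth0 -p tcp --dport 153 -j LOG --log-prefix "BLASTER-DROP: "

# Constructed sample kernel log lines in the netfilter LOG format.
sample_log() {
cat <<'EOF'
Aug 23 11:02:01 fw kernel: BLASTER-DROP: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=153 SYN
Aug 23 11:02:02 fw kernel: BLASTER-DROP: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=1046 DPT=707 SYN
Aug 23 11:02:05 fw kernel: BLASTER-DROP: IN=eth0 OUT= SRC=192.168.1.40 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=2210 DPT=153 SYN
Aug 23 11:02:07 fw kernel: BLASTER-DROP: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=1047 DPT=153 SYN
Aug 23 11:02:09 fw kernel: OTHER-RULE: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=3001 DPT=153 SYN
Aug 23 11:02:10 fw sshd[412]: session opened for user root
EOF
}

# blocked_sources PREFIX "PORT PORT ..."
# Reads log lines on stdin and prints "count source_ip" for every source that
# hit one of the listed destination ports under PREFIX, busiest source first.
blocked_sources() {
    awk -v prefix="$1" -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        index($0, prefix) == 0 { next }       # not logged by our rules
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (dpt in want)) hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
sample_log | blocked_sources "BLASTER-DROP: " "153 707"
```

On a live firewall, feed the function the kernel log instead of `sample_log`; the log file's location depends on the syslog configuration.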


