Clamav Update and iptable rules
Tony Arnold
tony.arnold at manchester.ac.uk
Wed Nov 14 08:52:33 UTC 2007
Anton,
The problem is that although you allow any outbound connection, you only
allow inbound on specific ports. When an outbound connection is made,
the reply comes back on a randomly picked high number port which your
INPUT chain will block.
You need to add a rule to your INPUT chain that allows connections that
are replies to outbound connections. I can't remember the exact syntax,
but I think there is a flag called 'established' that will do this for you.
Hope this gives you a bit of a clue.
Regards,
Tony.
Anton Hofmann wrote:
> Hi all,
>
> I have a web server with an Ubuntu 6.06 install on it.
> For security reasons I have blocked all inbound and outbound traffic
> with iptables.
>
> ########My IP Tables Conf:#########
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ip-62.75.187.54 all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain ip-62.75.187.54 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere weltfremd.at tcp dpts:ftp-data:ftp
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:22022
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:smtp
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:www
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:pop3
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:https
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:ssmtp
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:pop3s
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:8443
> ACCEPT udp -- anywhere weltfremd.at udp spt:domain
> ACCEPT udp -- anywhere weltfremd.at udp spt:ntp
> ACCEPT icmp -- anywhere weltfremd.at
> ACCEPT tcp -- anywhere weltfremd.at tcp spt:smtp
> flags:!SYN,RST,ACK/SYN
> ACCEPT tcp -- ka.swsoft.com weltfremd.at tcp spt:5224
> ACCEPT udp -- anywhere weltfremd.at udp dpt:8767
> ACCEPT tcp -- mail.dynadata.at weltfremd.at tcp dpt:8987
> ACCEPT tcp -- ftp.de.debian.org weltfremd.at tcp
> flags:!SYN,RST,ACK/SYN
> ACCEPT tcp -- archive.ubuntu.com weltfremd.at tcp
> flags:!SYN,RST,ACK/SYN
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:51234
> ACCEPT tcp -- anywhere weltfremd.at tcp dpt:14534
> ACCEPT tcp -- clamav.mcs.de weltfremd.at
> DROP all -- anywhere weltfremd.at
>
> #############################
>
> Now it's not possible to update ClamAV with freshclam.
>
> I get the following error when I type freshclam in the console:
>
>
> weltfremd.at:/# freshclam
> ClamAV update process started at Wed Nov 14 09:05:32 2007
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.7 Recommended version: 0.91.2
> DON'T PANIC! Read http://www.clamav.net/faq.html
> main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder:
> sven)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 10, recommended = 20
> DON'T PANIC! Read http://www.clamav.net/faq.html
> Can't connect to port 80 of host db.local.clamav.net (IP: 89.149.194.18)
> Trying host db.local.clamav.net (89.238.65.14)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 89.238.65.14)
> Trying host db.local.clamav.net (195.246.234.199)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 195.246.234.199)
> Trying host db.local.clamav.net (212.1.60.18)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 212.1.60.18)
> Trying host db.local.clamav.net (213.174.32.130)...
>
> In freshclam.log I get the following:
>
>
> ClamAV update process started at Wed Nov 14 09:05:32 2007
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.7 Recommended version: 0.91.2
> DON'T PANIC! Read http://www.clamav.net/faq.html
> main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder:
> sven)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 10, recommended = 20
> DON'T PANIC! Read http://www.clamav.net/faq.html
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> connect_error: getsockopt(SO_ERROR): fd=4 error=110: Connection timed out
> nonblock_connect: connect(): fd=4 errno=103: Software caused connection
> abort
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
>
>
> It looks like my iptables configuration blocks the communication with
> the update servers, any idea how to set the correct iptables chain?
>
>
> So Long...
>
>
> Anton
>
>
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
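The fix Tony describes, written out as an added example (not part of the original thread and not Anton's actual ruleset): an iptables-restore(8) ruleset that keeps the "accept only the listed inbound ports, drop the rest" policy from the quoted configuration but puts a stateful `ESTABLISHED,RELATED` rule at the top of the per-host chain, so replies to connections the server opened itself (freshclam's HTTP fetch from db.local.clamav.net on port 80, apt, DNS, NTP) are accepted on whatever source port they arrive. `HOST_IP`, the chain name and the port list are placeholders; the `-m state --state` syntax is the one available on a 2007-era kernel such as Ubuntu 6.06's.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a ruleset that fixes the
# "outbound allowed, but replies blocked" problem with a stateful INPUT rule.
# HOST_IP is a constructed placeholder for the server's own address.
HOST_IP="${HOST_IP:-192.0.2.10}"
CHAIN="ip-${HOST_IP}"   # same naming scheme as the chain in the posted config

# gen_rules prints an iptables-restore(8) compatible ruleset to stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:${CHAIN} - [0:0]
-A INPUT -d ${HOST_IP} -j ${CHAIN}
# Stateful rule first: packets belonging to (or related to) a connection this
# host opened are accepted regardless of the remote source port, which is what
# freshclam's reply traffic from port 80 needs.
-A ${CHAIN} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ${CHAIN} -i lo -j ACCEPT
# Services this host deliberately exposes (placeholder subset of the list
# Anton posted; extend as needed).
-A ${CHAIN} -p tcp --dport 22022 -j ACCEPT
-A ${CHAIN} -p tcp --dport 25 -j ACCEPT
-A ${CHAIN} -p tcp --dport 80 -j ACCEPT
-A ${CHAIN} -p tcp --dport 443 -j ACCEPT
-A ${CHAIN} -p icmp -j ACCEPT
# Anything else is an unsolicited (NEW) connection and is dropped.
-A ${CHAIN} -j DROP
COMMIT
EOF
}

# check_order succeeds only when the stateful ACCEPT precedes the final DROP;
# in the wrong order the DROP would still swallow the replies.
check_order() {
    s=$(gen_rules | grep -n -- '--state ESTABLISHED,RELATED' | cut -d: -f1)
    d=$(gen_rules | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$s" ] && [ -n "$d" ] && [ "$s" -lt "$d" ]
}

# Only touch the live firewall when explicitly asked (and running as root):
#   sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
    check_order || { echo "rule order wrong, refusing to load" >&2; exit 1; }
    gen_rules | iptables-restore
    iptables -L "${CHAIN}" -n -v   # verify: counters on the state rule should grow
fi
```

After loading, a `freshclam` run should succeed and the packet counter on the `state ESTABLISHED,RELATED` line in `iptables -L -n -v` should increase. With this rule in place the source-port based exceptions in the posted chain (`spt:domain`, `spt:ntp`, `spt:smtp` with `!SYN,RST,ACK/SYN` flags) are no longer needed, and removing them closes the gap where anyone could reach the host simply by sending from source port 53 or 123.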