Clamav Update and iptable rules

Tony Arnold tony.arnold at manchester.ac.uk
Wed Nov 14 08:52:33 UTC 2007


Anton,

The problem is that although you allow any outbound connection, you only
allow inbound on specific ports. When an outbound connection is made,
the reply comes back on a randomly picked high number port which your
INPUT chain will block.

You need to add a rule to your INPUT chain that allows connections that
are replies to outbound connections. I can't remember the exact syntax,
but I think there is a flag called 'established' that will do this for you.

Hope this gives you a bit of a clue.

Regards,
Tony.

Anton Hofmann wrote:
> Hi all,
> 
> I have a webserver with an Ubuntu 6.06 install on it.
> For security reasons I have blocked all inbound and outbound traffic
> with iptables.
> 
> ########My IP Tables Conf:#########
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ip-62.75.187.54  all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain ip-62.75.187.54 (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpts:ftp-data:ftp
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:22022
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:www
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:https
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:ssmtp
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:pop3s
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:8443
> ACCEPT     udp  --  anywhere             weltfremd.at udp spt:domain
> ACCEPT     udp  --  anywhere             weltfremd.at udp spt:ntp
> ACCEPT     icmp --  anywhere             weltfremd.at
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp spt:smtp
> flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp  --  ka.swsoft.com        weltfremd.at tcp spt:5224
> ACCEPT     udp  --  anywhere             weltfremd.at udp dpt:8767
> ACCEPT     tcp  --  mail.dynadata.at     weltfremd.at tcp dpt:8987
> ACCEPT     tcp  --  ftp.de.debian.org    weltfremd.at tcp
> flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp  --  archive.ubuntu.com   weltfremd.at tcp
> flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:51234
> ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:14534
> ACCEPT     tcp  --  clamav.mcs.de        weltfremd.at
> DROP       all  --  anywhere             weltfremd.at
> 
> #############################
> 
> Now it's not possible to update clamav with freshclam.
> 
> I get the following error when I type freshclam in the console:
> 
> 
> weltfremd.at:/# freshclam
> ClamAV update process started at Wed Nov 14 09:05:32 2007
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.7 Recommended version: 0.91.2
> DON'T PANIC! Read http://www.clamav.net/faq.html
> main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder:
> sven)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 10, recommended = 20
> DON'T PANIC! Read http://www.clamav.net/faq.html
> Can't connect to port 80 of host db.local.clamav.net (IP: 89.149.194.18)
> Trying host db.local.clamav.net (89.238.65.14)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 89.238.65.14)
> Trying host db.local.clamav.net (195.246.234.199)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 195.246.234.199)
> Trying host db.local.clamav.net (212.1.60.18)...
> Can't connect to port 80 of host db.local.clamav.net (IP: 212.1.60.18)
> Trying host db.local.clamav.net (213.174.32.130)...
> 
> In the freshclam.log I get the following:
> 
> 
> ClamAV update process started at Wed Nov 14 09:05:32 2007
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.7 Recommended version: 0.91.2
> DON'T PANIC! Read http://www.clamav.net/faq.html
> main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder:
> sven)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 10, recommended = 20
> DON'T PANIC! Read http://www.clamav.net/faq.html
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> connect_error: getsockopt(SO_ERROR): fd=4 error=110: Connection timed out
> nonblock_connect: connect(): fd=4 errno=103: Software caused connection
> abort
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> nonblock_connect: connect timing out (30 secs)
> 
> 
> It looks like my iptables configuration blocks the communication with
> the update servers, any idea how to set the correct iptables chain?
> 
> 
> So Long...
> 
> 
> Anton
> 
> 

-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
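The rule Tony is describing, as an added example that is not part of this thread: a stateful ACCEPT for replies to outbound connections, inserted ahead of the jump to Anton's custom chain so that it is evaluated before that chain's trailing DROP, plus a small check that can be run over saved `iptables -L -n` output to see whether such a rule is already present. The chain name `ip-62.75.187.54` and the shortened listing come from Anton's mail; the function names, the `-m state` match (the module available on iptables of that era; `-m conntrack --ctstate` is the modern equivalent) and the extra INVALID drop are illustrative choices, not something the thread prescribes.

```sh
#!/bin/sh
# Added example, not part of the thread above. It shows the rule Tony
# describes (a stateful ACCEPT for replies to outbound connections) and a
# check that can be run over saved "iptables -L -n" output.
# The chain name ip-62.75.187.54 and the DROP at its end are taken from
# Anton's mail; everything else here is illustrative.

# has_stateful_rule: read "iptables -L -n" output on stdin and succeed (0)
# if any rule matches reply traffic via "state ..." or "ctstate ...".
# Anton's listing has no such line, which is why the SYN-ACK replies to
# freshclam's outbound port-80 connections hit the final DROP and the
# connects time out.
has_stateful_rule() {
    grep -Eq '(ct)?state[[:space:]]+[A-Z,]*ESTABLISHED'
}

# build_rules CHAIN: print the commands that add the missing rule. It is
# inserted at position 1 so it is evaluated before the jump to the
# ip-62.75.187.54 chain and therefore before that chain's trailing DROP.
# "-m state" is what the iptables of that era provided; on current
# systems "-m conntrack --ctstate ESTABLISHED,RELATED" is the equivalent.
build_rules() {
    chain="$1"
    printf 'iptables -I %s 1 -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    # Packets with no valid connection-tracking state are not replies to
    # anything this host sent, so they can be dropped early as well.
    printf 'iptables -A %s -m state --state INVALID -j DROP\n' "$chain"
}

# apply_rules CHAIN: run the generated commands; needs root and iptables.
apply_rules() {
    build_rules "$1" | sh
}

# Constructed sample: a shortened copy of the listing from Anton's mail.
sample_listing='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ip-62.75.187.54  all  --  anywhere             anywhere

Chain ip-62.75.187.54 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             weltfremd.at tcp dpt:www
ACCEPT     tcp  --  clamav.mcs.de        weltfremd.at
DROP       all  --  anywhere             weltfremd.at'

if printf '%s\n' "$sample_listing" | has_stateful_rule; then
    echo "stateful reply rule present"
else
    echo "no stateful reply rule; replies to outbound connections will be dropped"
    echo "suggested fix:"
    build_rules INPUT
fi
```

Run the script as-is to see the check and the suggested commands; on the firewall itself, `apply_rules INPUT` (as root) inserts them. After applying, `iptables -L INPUT -n --line-numbers` should show the ESTABLISHED,RELATED rule as line 1, above the jump to the `ip-62.75.187.54` chain, and `freshclam` should get past its `nonblock_connect` timeouts.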