Centos6 iptables clamav question

logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Centos6 iptables clamav question

Post by logtech » 2018/07/01 18:20:00

experts,

I have this in my iptables:

:clamav_out - [0:0]

-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner clamav -j clamav_out
-A clamav_out -p tcp -m tcp --dport 80 -j ACCEPT
-A clamav_out -p tcp -m tcp --dport 53 -j ACCEPT
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT
-A clamav_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT CLAM " --log-level 7


I can't update the data:


/usr/bin/freshclam
ClamAV update process started at Sun Jul 1 13:19:30 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary failure in name resolution
WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )
Trying again in 5 secs...

What am I missing in my iptables?

avij
Forum Moderator
Posts: 2792
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos6 iptables clamav question

Post by avij » 2018/07/01 18:34:53

That looks like a DNS problem. Does dig txt current.cvd.clamav.net work? It should return a string like 0.100.0:58:24713:1530466140:1:63:47570:322. dig is in the bind-utils rpm, if you don't have it installed yet.

logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/01 20:39:24

dig txt current.cvd.clamav.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> txt current.cvd.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36669
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;current.cvd.clamav.net. IN TXT

;; ANSWER SECTION:
current.cvd.clamav.net. 1515 IN TXT "0.100.0:58:24713:1530473340:1:63:47570:322"

;; Query time: 1 msec
;; SERVER: 10.2.101.25#53(10.2.101.25)
;; WHEN: Sun Jul 1 15:38:15 2018
;; MSG SIZE rcvd: 95


I have the ClamAV databases updated if iptables is disabled; when I enable it, it fails.

avij
Forum Moderator
Posts: 2792
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos6 iptables clamav question

Post by avij » 2018/07/01 21:05:08

I find it's easier to read the output of iptables -L -n -v. Please provide the entire output of that command.

Also, are you sure about that clamav user? My freshclam (on CentOS 7) uses clamupdate as the username.

logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/01 23:55:15


iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       127.0.0.1            127.0.0.1           
 3846  243K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
12061 1227K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  824 62624 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 
    0     0 ACCEPT     udp  --  *      *       10.2.101.17          0.0.0.0/0           udp dpt:123 
    8   516 ACCEPT     tcp  --  *      *       10.2.0.0/16          0.0.0.0/0           tcp dpt:13660 
    0     0 ACCEPT     tcp  --  *      *       10.2.255.0/24        0.0.0.0/0           tcp dpt:13660 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:123 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9102 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9103 
  167 10020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5666 
    0     0 ACCEPT     tcp  --  *      *       10.2.101.64          0.0.0.0/0           tcp dpt:8140 
    0     0 ACCEPT     tcp  --  *      *       10.2.101.20          0.0.0.0/0           tcp dpt:9102 
    0     0 ACCEPT     tcp  --  *      *       10.2.101.20          0.0.0.0/0           tcp dpt:9103 
    0     0 ACCEPT     tcp  --  *      *       10.2.101.20          0.0.0.0/0           tcp dpt:873 
  955  201K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 INPUT ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 FORWARD ' 

Chain OUTPUT (policy DROP 672 packets, 43000 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      127.0.0.1            127.0.0.1           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            127.0.0.1           
 3846  243K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
12282  874K system_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0 
   25 11413 postfix_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 89 
 4568  511K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.2.101.20         tcp dpt:9102 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.2.101.20         tcp dpt:9103 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.2.101.20         tcp dpt:873 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.2.101.64         tcp dpt:8140 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 

Chain apache_out (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:389 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT APACHE ' 

Chain clamav_out (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT CLAM ' 

Chain postfix_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   14 10685 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
   11   728 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT POSTFIX ' 

Chain system_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   427 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
 8166  532K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
  373 28348 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
 1689  133K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT ROOT ' 


logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/02 00:54:23

Is there a way to debug iptables?

logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/02 01:03:31

I have this when iptables is enabled; something is blocking it:


PROTO=TCP SPT=13660 DPT=58666 WINDOW=495 RES=0x00 ACK PSH URGP=0 
Jul  1 20:00:05 centos22 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jul  1 20:00:05 centos22 kernel: nf_conntrack version 0.5.0 (7967 buckets, 31868 max)
Jul  1 20:01:44 centos22 freshclam[2283]: ClamAV update process started at Sun Jul  1 20:01:44 2018
Jul  1 20:01:44 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul  1 20:01:44 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul  1 20:01:44 centos22 freshclam[2283]: Reading CVD header (main.cvd): 
Jul  1 20:01:44 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul  1 20:01:44 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul  1 20:01:44 centos22 freshclam[2283]: Trying again in 5 secs...
Jul  1 20:01:49 centos22 freshclam[2283]: ClamAV update process started at Sun Jul  1 20:01:49 2018
Jul  1 20:01:49 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul  1 20:01:49 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul  1 20:01:49 centos22 freshclam[2283]: Reading CVD header (main.cvd): 
Jul  1 20:01:49 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul  1 20:01:49 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul  1 20:01:49 centos22 freshclam[2283]: Trying again in 5 secs...
Jul  1 20:01:54 centos22 freshclam[2283]: ClamAV update process started at Sun Jul  1 20:01:54 2018
Jul  1 20:01:54 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul  1 20:01:54 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul  1 20:01:54 centos22 freshclam[2283]: Reading CVD header (main.cvd): 
Jul  1 20:01:54 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul  1 20:01:54 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul  1 20:01:54 centos22 freshclam[2283]: Giving up on db.local.clamav.net...
Jul  1 20:01:54 centos22 freshclam[2283]: ClamAV update process started at Sun Jul  1 20:01:54 2018
Jul  1 20:01:54 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul  1 20:01:54 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul  1 20:01:54 centos22 freshclam[2283]: Reading CVD header (main.cvd): 
Jul  1 20:01:54 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul  1 20:01:54 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul  1 20:01:54 centos22 freshclam[2283]: Giving up on db.local.clamav.net...
Jul  1 20:01:54 centos22 freshclam[2283]: Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.


avij
Forum Moderator
Posts: 2792
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos6 iptables clamav question

Post by avij » 2018/07/02 04:29:16

You have a clamav_out chain, but it is not referenced at all in the OUTPUT chain, so it never gets used.

logtech
Posts: 82
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/02 11:48:13

OK, it makes sense why updating the database did not recognise DNS:

Chain clamav_out (0 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53

when changed to:

-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

All works, but how can I make the reference start working?

avij
Forum Moderator
Posts: 2792
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos6 iptables clamav question

Post by avij » 2018/07/06 12:38:39

Sorry, I missed this message. See how you've added postfix_out to your OUTPUT chain and do the same for the clamav_out chain.
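The root cause in this thread is a per-user chain that exists but is never jumped to, so every packet from that user falls through to the OUTPUT policy (DROP). As an added example, not part of the thread or of any poster's configuration, the script below shows a check a defender can run against `iptables -L -n -v` output to catch exactly that: it lists user-defined chains reported with `(0 references)` and prints the OUTPUT rule that would wire such a chain in, modelled on the `postfix_out` rule visible in the listing. The listing embedded in the script is a constructed excerpt based on the output posted above; the user name `clamupdate` is the one avij mentions for CentOS 7 and is an assumption for any other system, so verify it with `getent passwd` before loading the rule, because an owner match on a non-existent user cannot be loaded.

```shell
#!/bin/sh
# Added example: detect user-defined iptables chains that nothing references.
# The listing below is CONSTRUCTED from the thread's `iptables -L -n -v` output
# (trimmed to the chains that matter for the clamav_out problem).
SAMPLE_LISTING='Chain OUTPUT (policy DROP 672 packets, 43000 bytes)
 pkts bytes target     prot opt in     out     source               destination
12282  874K system_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
   25 11413 postfix_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 89

Chain apache_out (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain clamav_out (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

Chain postfix_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14 10685 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
'

# Read an `iptables -L -n -v` listing on stdin and print, one per line, the
# names of user-defined chains that no other chain jumps to.  Works on live
# output as well:  iptables -L -n -v | unreferenced_chains
unreferenced_chains() {
    awk '/^Chain .* \(0 references\)/ { print $2 }'
}

# Print the OUTPUT rule (iptables-save syntax) that sends traffic owned by a
# given user into a given chain, the same shape as the postfix_out wiring.
# $1 = user name (assumed: clamupdate on CentOS/EPEL, as noted in the thread)
# $2 = chain name
owner_jump_rule() {
    printf '%s -m owner --uid-owner %s -j %s\n' "-A OUTPUT" "$1" "$2"
}

# Return 0 if $3 is referenced in listing $1; otherwise print the rule that
# would wire it in for user $2 and return 1.  Also warn if the user does not
# exist on this host, since an owner match on an unknown user will not load.
check_chain_wiring() {
    listing="$1"; user="$2"; chain="$3"
    if printf '%s' "$listing" | unreferenced_chains | grep -qx "$chain"; then
        echo "chain $chain exists but nothing jumps to it; add to OUTPUT:"
        owner_jump_rule "$user" "$chain"
        if ! getent passwd "$user" >/dev/null 2>&1; then
            echo "note: user $user does not exist here; check which user runs freshclam"
        fi
        return 1
    fi
    echo "chain $chain is referenced"
    return 0
}

# Stand-alone run against the constructed listing.
printf '%s' "$SAMPLE_LISTING" | unreferenced_chains
check_chain_wiring "$SAMPLE_LISTING" clamupdate clamav_out
check_chain_wiring "$SAMPLE_LISTING" postfix postfix_out
```

On a live system run the check as root and feed it the real listing; once the jump rule is added to `/etc/sysconfig/iptables` and the service reloaded, the clamav_out chain should show `(1 references)` and its ACCEPT counters should start moving when freshclam runs.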
