Centos6 iptables clamav question

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos6 iptables clamav question

Post by TrevorH » 2018/07/06 13:11:44

It already existed in the initial iptables-save output
-A OUTPUT -m owner --uid-owner clamav -j clamav_out
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos6 iptables clamav question

Post by avij » 2018/07/06 13:49:47

Yes, but not in the iptables -L -n -v output, which shows the actual running configuration.

TrevorH

Re: Centos6 iptables clamav question

Post by TrevorH » 2018/07/06 13:56:01

iptables-save shows the same info in a different, better format. It's easier to read and includes all the tables and chains in one go.

avij

Re: Centos6 iptables clamav question

Post by avij » 2018/07/06 14:27:44

iptables -L -n -v is guaranteed to show the actual running configuration, along with some debugging information on which rules have triggered, which may also be useful in certain situations.

Some people confuse executing iptables-save (which would not show that clamav rule in the OUTPUT chain either) to the file /etc/sysconfig/iptables.save (which may or may not match the rules that are actually in use). For this reason I preferred seeing the iptables output.

logtech
Posts: 88
Joined: 2010/04/22 18:34:34

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/06 14:55:11

that's exactly what I have, and with that it does not work:

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:apache_out - [0:0]
:clamav_out - [0:0]
:postfix_out - [0:0]
:system_out - [0:0]
-N LOGGING
-A INPUT -j LOGGING
-A FORWARD -j LOGGING
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -s 10.2.101.17 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 10.2.0.0/16 -p tcp -m tcp --dport 13660 -j ACCEPT
-A INPUT -s 10.2.255.0/24 -p tcp -m tcp --dport 13660 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9102 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9103 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A INPUT -s 10.2.101.64 -p tcp -m tcp --dport 8140 -j ACCEPT
-A INPUT -s 10.2.101.20/32 -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -s 10.2.101.20/32 -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -s 10.2.101.20/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv4 INPUT " --log-level debug
-A FORWARD -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv4 FORWARD " --log-level debug
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m owner --uid-owner root -j system_out
-A OUTPUT -m owner --uid-owner postfix -j postfix_out

#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
#-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT


-A OUTPUT -m owner --uid-owner clamav -j clamav_out


-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.2.101.20/32 -p tcp -m tcp --dport 9102 -j ACCEPT
-A OUTPUT -d 10.2.101.20/32 -p tcp -m tcp --dport 9103 -j ACCEPT
-A OUTPUT -d 10.2.101.20/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -d 10.2.101.64/32 -p tcp -m tcp --dport 8140 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A system_out -p tcp -m tcp --dport 80 -j ACCEPT
-A system_out -p tcp -m tcp --dport 443 -j ACCEPT
-A apache_out -p tcp -m tcp --dport 80 -j ACCEPT
-A apache_out -p tcp -m tcp --dport 443 -j ACCEPT
-A apache_out -p tcp -m tcp --dport 389 -j ACCEPT
-A apache_out -p udp -m udp --dport 53 -j ACCEPT
-A apache_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT APACHE " --log-level 7
-A postfix_out -p tcp -m tcp --dport 25 -j ACCEPT
-A postfix_out -p tcp -m tcp --dport 53 -j ACCEPT
-A postfix_out -p udp -m udp --dport 53 -j ACCEPT
-A postfix_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT POSTFIX " --log-level 7

-A clamav_out -p tcp -m tcp --dport 80 -j ACCEPT 
-A clamav_out -p tcp -m tcp --dport 53 -j ACCEPT 
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT 
#-A clamav_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT CLAM " --log-level 7

-A system_out -p udp -m udp --dport 53 -j ACCEPT
-A system_out -p tcp -m tcp --dport 993 -j ACCEPT
-A system_out -p tcp -m tcp --dport 53 -j ACCEPT
-A system_out -p udp -m udp --dport 123 -j ACCEPT
-A system_out -p tcp -m tcp --dport 25 -j ACCEPT
-A system_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT ROOT " --log-level 7
COMMIT


when I take # from:

#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
#-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

all works fine: but with only:

-A clamav_out -p tcp -m tcp --dport 80 -j ACCEPT
-A clamav_out -p tcp -m tcp --dport 53 -j ACCEPT
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT
#-A clamav_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT CLAM " --log-level 7

I have DNS errors when trying to update the clamav antivirus database:

ClamAV update process started at Fri Jul 6 09:54:03 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary failure in name resolution
WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )
Trying again in 5 secs...
ClamAV update process started at Fri Jul 6 09:54:08 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary failure in name resolution
WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )

what am I missing?

TrevorH

Re: Centos6 iptables clamav question

Post by TrevorH » 2018/07/06 15:06:22

Some people confuse executing iptables-save (which would not show that clamav rule in the OUTPUT chain either) to the file /etc/sysconfig/iptables.save (which may or may not match the rules that are actually in use). For this reason I preferred seeing the iptables output.
Sorry avij, but this is not correct. The iptables-save command gives you everything (except packet/byte counts and hits) that iptables -L -n -v does and also dumps the running rules exactly the same as iptables does. You can see that it includes the -j clamav_out line (I quoted it earlier). To get the full list of iptables rules using iptables -L -n -v you need to also then add -t [nat|raw|mangle|security|filter] with the default being -t filter.

Which one is easier to read is down to personal preference but iptables-save includes all rules, all tables in one go where iptables would need several invocations using different -t options to get the full list.

TrevorH

Re: Centos6 iptables clamav question

Post by TrevorH » 2018/07/06 15:11:16

logtech what makes you think that the clamav update process runs as user clamav? I'm using the clam* packages from EPEL and all my /var/lib/clamav directory/files are owned by a user called clamupdate.

avij

Re: Centos6 iptables clamav question

Post by avij » 2018/07/06 15:25:38

TrevorH: He never said that that would be the output of iptables-save. Although you probably diagnose firewall problems by running iptables-save, not everyone does it that way. Yes, iptables does not show the other tables without -t options, I give you that. However, I did not think those would be relevant here.

In any case, I believe the problem is that there is no "clamav" user in your system. That is why iptables won't add that -A OUTPUT -m owner --uid-owner clamav -j clamav_out rule, because the user does not exist. Try changing --uid-owner clamav to --uid-owner clamupdate. Perhaps that way the rule would get inserted properly.

I also queried about the username earlier, but it seems that question was missed.
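A check for the mistake avij describes, added here as an example and not something posted in the thread: it scans an iptables-save style dump for every --uid-owner name and reports the ones that have no passwd entry, which is exactly how a rule like the clamav_out jump ends up missing from the running ruleset. The rules and the passwd text are constructed samples; on a real host you would feed it the contents of /etc/sysconfig/iptables (or the output of iptables-save) and the output of getent passwd.

```shell
#!/bin/sh
# Added example, not from the thread. Report --uid-owner rules whose user
# does not exist. Both inputs are passed as text so the check runs offline.

# Constructed sample: the shape of the thread's rules, naming "clamav"
# although the account that actually exists on the box is "clam".
SAMPLE_RULES='*filter
:OUTPUT DROP [0:0]
:clamav_out - [0:0]
-A OUTPUT -m owner --uid-owner root -j system_out
-A OUTPUT -m owner --uid-owner postfix -j postfix_out
-A OUTPUT -m owner --uid-owner clamav -j clamav_out
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Constructed passwd data, as "getent passwd" would print it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
clam:x:496:494:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin'

# missing_owner_users RULES PASSWD
# Prints each --uid-owner user with no passwd entry, one per line.
# Returns 1 if any were found, 0 if every owner resolves.
missing_owner_users() {
    rules=$1
    passwd=$2
    found=0
    # Collect the argument following every --uid-owner on -A lines.
    users=$(printf '%s\n' "$rules" | awk '
        /^-A / { for (i = 1; i < NF; i++) if ($i == "--uid-owner") print $(i + 1) }' | sort -u)
    for u in $users; do
        # Purely numeric uids need no passwd lookup; skip them.
        case $u in *[!0-9]*) ;; *) continue ;; esac
        if ! printf '%s\n' "$passwd" | awk -F: -v u="$u" '$1 == u { ok = 1 } END { exit !ok }'; then
            echo "$u"
            found=1
        fi
    done
    return $found
}

# Stand-alone run: name the users whose owner-match chains can never be reached.
if bad=$(missing_owner_users "$SAMPLE_RULES" "$SAMPLE_PASSWD"); then
    echo "all --uid-owner users exist"
else
    echo "--uid-owner rules name users that do not exist:"
    echo "$bad"
fi
```

Once the names agree (here, changing the rule to --uid-owner clam), the function prints nothing and returns 0, and `iptables -L clamav_out -n -v` is the place to confirm the chain is referenced and its counters move.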

logtech

Re: Centos6 iptables clamav question

Post by logtech » 2018/07/06 15:58:33

dang it Trevor ---- you are right !!!!!!! Jeeeeezzzzzz I overlooked that:
drwxr-xr-x. 2 clam clam 4096 Jul 6 10:54 .
drwxr-xr-x. 30 root root 4096 Jun 2 16:42 ..
-rw-r--r--. 1 clam clam 947712 Jun 27 08:14 bytecode.cld
-rw-r--r--. 1 clam clam 143630848 Jul 6 09:46 daily.cld
-rw-r--r--. 1 clam clam 47243350 May 28 16:49 daily.cvd.rpmnew
-rw-r--r--. 1 clam clam 7112758 Jul 6 05:14 junk.ndb
-rw-r--r--. 1 clam clam 1594235 Jul 6 10:13 jurlbl.ndb

in my case the user is clam !!!!!! me stupid, so easy and I overlooked that ..... now, after changing the user owner, I have:
Chain clamav_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
1 68 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT CLAM '

and of course, all works as expected - thank you gentlemen for helping here !!!!! have a nice weekend
