Centos6 iptables clamav question
experts,
having this in my iptables:
:clamav_out - [0:0]
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner clamav -j clamav_out
-A clamav_out -p tcp -m tcp --dport 80 -j ACCEPT
-A clamav_out -p tcp -m tcp --dport 53 -j ACCEPT
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT
-A clamav_out -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix " IPv4 OUTPUT CLAM " --log-level 7
can't update data :
/usr/bin/freshclam
ClamAV update process started at Sun Jul 1 13:19:30 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about db.local.clamav.net: Temporary failure in name resolution
WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )
Trying again in 5 secs...
what I am missing in my iptables?
Re: Centos6 iptables clamav question
That looks like a DNS problem. Does dig txt current.cvd.clamav.net work? It should return a string like 0.100.0:58:24713:1530466140:1:63:47570:322. dig is in the bind-utils rpm, if you don't have it installed yet.
Re: Centos6 iptables clamav question
dig txt current.cvd.clamav.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> txt current.cvd.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36669
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;current.cvd.clamav.net. IN TXT
;; ANSWER SECTION:
current.cvd.clamav.net. 1515 IN TXT "0.100.0:58:24713:1530473340:1:63:47570:322"
;; Query time: 1 msec
;; SERVER: 10.2.101.25#53(10.2.101.25)
;; WHEN: Sun Jul 1 15:38:15 2018
;; MSG SIZE rcvd: 95
I have clamav databases updated if iptables is disabled; when I enable it, it fails.
Re: Centos6 iptables clamav question
I find it's easier to read the output of iptables -L -n -v. Please provide the entire output of that command.
Also, are you sure about that clamav user? My freshclam (on CentOS 7) uses clamupdate as the username.
Re: Centos6 iptables clamav question
iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 127.0.0.1 127.0.0.1
3846 243K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
12061 1227K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
824 62624 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
0 0 ACCEPT udp -- * * 10.2.101.17 0.0.0.0/0 udp dpt:123
8 516 ACCEPT tcp -- * * 10.2.0.0/16 0.0.0.0/0 tcp dpt:13660
0 0 ACCEPT tcp -- * * 10.2.255.0/24 0.0.0.0/0 tcp dpt:13660
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9102
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9103
167 10020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
0 0 ACCEPT tcp -- * * 10.2.101.64 0.0.0.0/0 tcp dpt:8140
0 0 ACCEPT tcp -- * * 10.2.101.20 0.0.0.0/0 tcp dpt:9102
0 0 ACCEPT tcp -- * * 10.2.101.20 0.0.0.0/0 tcp dpt:9103
0 0 ACCEPT tcp -- * * 10.2.101.20 0.0.0.0/0 tcp dpt:873
955 201K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 INPUT '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 FORWARD '
Chain OUTPUT (policy DROP 672 packets, 43000 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 127.0.0.1 127.0.0.1
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
3846 243K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
12282 874K system_out all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
25 11413 postfix_out all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 89
4568 511K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.101.20 tcp dpt:9102
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.101.20 tcp dpt:9103
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.101.20 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.101.64 tcp dpt:8140
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain apache_out (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT APACHE '
Chain clamav_out (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT CLAM '
Chain postfix_out (1 references)
pkts bytes target prot opt in out source destination
14 10685 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
11 728 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT POSTFIX '
Chain system_out (1 references)
pkts bytes target prot opt in out source destination
5 427 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
8166 532K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
373 28348 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
1689 133K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 20 LOG flags 0 level 7 prefix ` IPv4 OUTPUT ROOT '
Re: Centos6 iptables clamav question
is there a way to debug iptables?
Re: Centos6 iptables clamav question
I have this when iptables are enabled - something is blocking it
PROTO=TCP SPT=13660 DPT=58666 WINDOW=495 RES=0x00 ACK PSH URGP=0
Jul 1 20:00:05 centos22 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jul 1 20:00:05 centos22 kernel: nf_conntrack version 0.5.0 (7967 buckets, 31868 max)
Jul 1 20:01:44 centos22 freshclam[2283]: ClamAV update process started at Sun Jul 1 20:01:44 2018
Jul 1 20:01:44 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul 1 20:01:44 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul 1 20:01:44 centos22 freshclam[2283]: Reading CVD header (main.cvd):
Jul 1 20:01:44 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul 1 20:01:44 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul 1 20:01:44 centos22 freshclam[2283]: Trying again in 5 secs...
Jul 1 20:01:49 centos22 freshclam[2283]: ClamAV update process started at Sun Jul 1 20:01:49 2018
Jul 1 20:01:49 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul 1 20:01:49 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul 1 20:01:49 centos22 freshclam[2283]: Reading CVD header (main.cvd):
Jul 1 20:01:49 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul 1 20:01:49 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul 1 20:01:49 centos22 freshclam[2283]: Trying again in 5 secs...
Jul 1 20:01:54 centos22 freshclam[2283]: ClamAV update process started at Sun Jul 1 20:01:54 2018
Jul 1 20:01:54 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul 1 20:01:54 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul 1 20:01:54 centos22 freshclam[2283]: Reading CVD header (main.cvd):
Jul 1 20:01:54 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul 1 20:01:54 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul 1 20:01:54 centos22 freshclam[2283]: Giving up on db.local.clamav.net...
Jul 1 20:01:54 centos22 freshclam[2283]: ClamAV update process started at Sun Jul 1 20:01:54 2018
Jul 1 20:01:54 centos22 freshclam[2283]: Can't query current.cvd.clamav.net
Jul 1 20:01:54 centos22 freshclam[2283]: Invalid DNS reply. Falling back to HTTP mode.
Jul 1 20:01:54 centos22 freshclam[2283]: Reading CVD header (main.cvd):
Jul 1 20:01:54 centos22 freshclam[2283]: Can't get information about db.local.clamav.net: Temporary failure in name resolution
Jul 1 20:01:54 centos22 freshclam[2283]: Can't read main.cvd header from db.local.clamav.net (IP: )
Jul 1 20:01:54 centos22 freshclam[2283]: Giving up on db.local.clamav.net...
Jul 1 20:01:54 centos22 freshclam[2283]: Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.
Re: Centos6 iptables clamav question
You have a clamav_out chain, but it is not referenced at all in the OUTPUT chain, so it never gets used.
Re: Centos6 iptables clamav question
ok, that makes sense: that's why updating the database did not recognise DNS:
Chain clamav_out (0 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
when changed to:
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
all works, but how can I get the reference to start working??????
Re: Centos6 iptables clamav question
Sorry, I missed this message. See how you've added postfix_out to your OUTPUT chain and do the same for the clamav_out chain.
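The root cause in this thread (a user-defined chain declared but never jumped to, so iptables -L shows "0 references" and the OUTPUT policy DROP wins) is easy to catch mechanically. The following shell snippet is an added example, not code from the thread: it lints an iptables-save style dump for user-defined chains that no rule jumps to, and builds the owner-match hook rule the last reply describes. The SAMPLE_RULES dump is constructed for the example and modelled on the OP's rules with the clamav_out jump missing; the user name passed to hook_rule is whatever freshclam actually runs as on the box (clamav or clamupdate, as discussed above), which is an assumption you verify on the host.

```shell
# Added example (not from the thread): find user-defined chains that are
# declared but never referenced, and print the OUTPUT hook rule for one.
# SAMPLE_RULES is a constructed iptables-save dump modelled on the OP's rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:clamav_out - [0:0]
:postfix_out - [0:0]
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner postfix -j postfix_out
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A clamav_out -p tcp -m tcp --dport 80 -j ACCEPT
-A clamav_out -p tcp -m tcp --dport 53 -j ACCEPT
-A clamav_out -p udp -m udp --dport 53 -j ACCEPT
-A clamav_out -m limit --limit 5/min -j LOG --log-prefix " IPv4 OUTPUT CLAM "
-A postfix_out -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin; print each user-defined chain
# (":name - [...]" lines) that no -j/-g target ever points at, sorted.
unreferenced_chains() {
    awk '
        /^:/ {
            name = substr($1, 2)
            if ($2 == "-") declared[name] = 1   # "-" policy = user-defined chain
        }
        /^-A / {
            for (i = 2; i < NF; i++)
                if ($i == "-j" || $i == "-g") refs[$(i + 1)]++
        }
        END { for (c in declared) if (!(c in refs)) print c }
    ' | sort
}

# Build the rule that sends a daemon user's egress into its own chain.
# $1 = unix user the daemon runs as (assumption: check with
#      "ps -o user= -C freshclam"), $2 = chain name.
hook_rule() {
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $1 -j $2"
}

# Run against the constructed dump; on a live host replace the printf
# with: iptables-save | unreferenced_chains
printf '%s\n' "$SAMPLE_RULES" | unreferenced_chains
hook_rule clamupdate clamav_out
```

On the constructed dump the linter prints only clamav_out, exactly the chain the "(0 references)" line in the thread points at; postfix_out is silent because OUTPUT jumps to it. The hook rule must be inserted before any rule in OUTPUT that would match the same traffic first, and the uid must resolve on the host, otherwise iptables-restore refuses the whole ruleset at load time.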