One of the two remaining Windows machines on our network has been infected with a spambot trojan. Our ISP has warned us they'll cut off our access unless we bring them proof "our network is clean".
So, I sighed and cursed and put a shitload of work on hold to fix the problem. I've done quite a bit of PC repair work (viruses, malware, unpatched Windows installs, etc.), but I've never come across anything this nasty. This spambot is untraceable: *AVG Antivirus*, *AVG Antispyware*, *DrWeb*, *Spybot*, *Adaware*, *PC-cillin*, *ClamWin*,... not a single anti-malware app can find this thing.
I do know it is there, though. The traffic logs on my *Linksys WRT54GL*, running the Linux-based replacement firmware DD-WRT, clearly show a massive number of SMTP connections per second, originating from the Windows machine.
So, a Windows reinstall being out of the question (no time to reinstall and configure all the apps), I decided it's time for an external *firewall*. I'm planning to replace the Windows machines with Ubuntu anyhow, and I can't spend any more time hunting for the trojan. Since I already have a router with firewall capabilities, why not figure out how to configure it? Here goes: *installing a firewall on a Linksys WRT54GL*
As it turns out, it is easy as hell!
DD-WRT is Linux, and Linux comes with a packet filter (netfilter) that you configure with the iptables command. All you have to do is add rules for incoming, outgoing or forwarded traffic. You can start with some basic, easy rules and work your way up to very intricate rules that involve blacklists, whitelists, rate limiting, QoS (quality of service), and so on.
For my problem, I need to be able to send e-mail (SMTP) through several e-mail servers, but I want to block all other outgoing SMTP-traffic.
The order of your firewall rules is very important: iptables walks a chain from the top and the first rule that matches decides what happens to the packet. So you start by allowing the traffic you want and end with a rule that drops everything else on that port. This is how it's done:
/usr/sbin/iptables -I FORWARD 1 -p tcp -d safe.server1.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 2 -p tcp -d safe.server2.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 3 -p tcp --dport 25 -j logdrop
Digging deep into the guts of iptables rules is beyond the scope of this article. You just have to understand that:
1. All TCP traffic on port 25 (SMTP) from any machine on the network to two specific machines on the internet is accepted and logged.
2. All other TCP traffic on port 25 is dropped and logged.
Two things to know before you rely on it. First, iptables resolves safe.server1.com and safe.server2.com to IP addresses at the moment the rule is added (one rule per address if the name has several), so the rules must be added after the WAN link and DNS are up, and a server that changes address needs them re-added. Second, the FORWARD chain covers every machine on the LAN, so the infected machine can still reach the two allowed servers; if those servers relay mail for it, the spam merely changes route. Keep an eye on the logaccept counts as well as the drops.
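The same policy written as a complete, re-runnable DD-WRT firewall script. This is an added example, not the original post's rules: it assumes safe.server1.com and safe.server2.com are placeholders for your own relays, that DD-WRT's built-in logaccept and logdrop logging chains exist (they do on DD-WRT), and it goes slightly beyond the three rules above by keeping the rules in a chain of their own (outbound_smtp, a name chosen here) so that re-running the script after editing the allow list does not leave stale duplicates, by taking a list of ports, and by offering a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: the outbound-SMTP policy as a reusable
# DD-WRT firewall script. Assumptions: safe.server1.com / safe.server2.com are
# placeholder relay names; logaccept and logdrop are DD-WRT's built-in logging chains;
# the script runs after the WAN link and DNS are up (iptables resolves each hostname
# once, when the rule is added, and adds one rule per A record).

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"      # set IPTABLES=echo for a dry run
CHAIN="${CHAIN:-outbound_smtp}"                   # our own chain, so re-runs stay clean
ALLOWED_SMTP_SERVERS="${ALLOWED_SMTP_SERVERS:-safe.server1.com safe.server2.com}"
SMTP_PORTS="${SMTP_PORTS:-25}"                    # e.g. "25 587" if a relay uses submission

# Build (or rebuild) the policy chain: allowed relays first, then a logged drop for
# everything else, then hook the chain at the very top of FORWARD so it is evaluated
# before DD-WRT's own rules.
smtp_policy_apply() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    for host in $ALLOWED_SMTP_SERVERS; do
        $IPTABLES -A "$CHAIN" -d "$host" -j logaccept
    done
    $IPTABLES -A "$CHAIN" -j logdrop
    for port in $SMTP_PORTS; do
        # remove an earlier hook if present, so repeated runs do not stack them
        $IPTABLES -D FORWARD -p tcp --dport "$port" -j "$CHAIN" 2>/dev/null || true
        $IPTABLES -I FORWARD 1 -p tcp --dport "$port" -j "$CHAIN"
    done
}

# Undo everything the script added.
smtp_policy_remove() {
    for port in $SMTP_PORTS; do
        $IPTABLES -D FORWARD -p tcp --dport "$port" -j "$CHAIN" 2>/dev/null || true
    done
    $IPTABLES -F "$CHAIN" 2>/dev/null || true
    $IPTABLES -X "$CHAIN" 2>/dev/null || true
}

# Per-rule packet and byte counters: the logdrop line climbing while nobody is sending
# mail is the spambot being blocked; the logaccept lines climbing is mail getting out.
smtp_policy_show() {
    $IPTABLES -L "$CHAIN" -v -n
}

case "${1:-}" in
    apply)  smtp_policy_apply ;;
    remove) smtp_policy_remove ;;
    show)   smtp_policy_show ;;
    *)      ( IPTABLES=echo; smtp_policy_apply ) ;;   # no argument: print the rules, change nothing
esac
```

Run it with no argument on any machine with a shell to see exactly which iptables commands it would issue; run it with apply on the router (or paste it into the [Commands] box with the final case block replaced by a bare smtp_policy_apply line before clicking [Save Firewall]) to install the rules, and with show to watch the counters while you test.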
*6 steps to transform a clean Linksys WRT54G into a firewalled DD-WRT router*
1. download the DD-WRT replacement firmware (latest version: v23 SP3 at the time of writing)
2. go to your Linksys WRT54G's admin page
3. install the firmware through [Administration] > [Firmware Upgrade]
4. go to [Administration] > [Commands]
5. click in the [Commands] text box
6. enter the above iptables rules and click [Save Firewall]; DD-WRT stores them as its firewall script and re-runs it on every boot
Voilà, all done. Test by doing:
telnet safe.server1.com 25
If you can connect: great, the firewall let you through. Test that all other outgoing SMTP traffic is blocked by doing:
telnet smtp.some-other-server.com 25
You should not be able to connect. Because logdrop silently discards the packets rather than rejecting them, the attempt just hangs and, after a while, times out. Every such attempt, including the spambot's, shows up in the router's log.
And that's it. There's nothing more to it. You've got yourself a home grown linux based firewall. Geeky delight.