Subject: tcp-reset not working for some ports?
From: Tarmo Lehtpuu @ 2003-10-30 2:50 UTC
To: netfilter
Hi,
I'm having problems properly closing all ports (I don't want a
"stealthy" firewall).
When doing a portscan with nmap the following ports show up
as being filtered:
1:13, 135:139, 445, 1080, 444 (tcp)
I've tried explicitly closing those ports, but that doesn't help either.
Here's the output of iptables-save:
# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*nat
:PREROUTING ACCEPT [11298:684613]
:POSTROUTING ACCEPT [22074:1005976]
:OUTPUT ACCEPT [11166:569656]
COMMIT
# Completed on Thu Oct 30 04:09:24 2003
# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*mangle
:PREROUTING ACCEPT [172068:190774880]
:INPUT ACCEPT [172068:190774880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [119261:7507204]
:POSTROUTING ACCEPT [119261:7507204]
COMMIT
# Completed on Thu Oct 30 04:09:24 2003
# Generated by iptables-save v1.2.8 on Thu Oct 30 04:09:24 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [68119:4428955]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DUMP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DUMP
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 2401 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -d XXX.XXX.XXX.XXX -p tcp -m tcp --dport 49000:49010 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -p tcp -j LOG
-A DUMP -p udp -j LOG
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
-A DUMP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
# Completed on Thu Oct 30 04:09:24 2003
I'm using Slackware 9.1.0, kernel 2.4.22 with the following modules loaded:
ipt_state
ipt_REJECT
ipt_LOG
iptable_nat
ip_conntrack
iptable_mangle
iptable_filter
ip_tables
I've googled around quite a bit and looked at the FAQ, but I just couldn't find
an answer to my problem.
Also I have a friend who has a similar problem, but he claims that random ports show up as filtered every time.
Does anyone have an idea what I might be doing wrong here?
Let me know if you need to know anything else about my setup.
Oh and please cc me on all replies, I'm not subscribed to netfilter.
Thanks,
Tarmo
Subject: Re: tcp-reset not working for some ports?
From: Chris Brenton @ 2003-10-31 10:47 UTC
To: Tarmo Lehtpuu; +Cc: netfilter
On Wed, 2003-10-29 at 21:50, Tarmo Lehtpuu wrote:
>
> I'm having problems properly closing all ports (I don't want a
> "stealthy" firewall).
"Stealthy" is a myth, but we will not start that flame war. ;-)
> When doing a portscan with nmap the following ports show up
> as being filtered:
> 1:13, 135:139, 445, 1080, 444 (tcp)
I've run into this myself. Make sure you have:
CONFIG_IP_NF_TARGET_REJECT
enabled within the kernel. You might also wish to sniff outside the
firewall (right on the nmap system is OK) to ensure that you are
actually sending back TCP resets.
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
As a side note, the above lines are not needed as you are accepting back
"RELATED" traffic. The above lines will let in _all_ type 0's, 3's &
11's, even bogus ones. The RELATED specification will only let in
legitimate ICMP errors so you are better off removing these lines.
HTH,
C
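A small rule walker for the poster's filter table, added here as an example (not code from the thread): it traces a fresh TCP SYN through INPUT -> STATEFUL -> DUMP and reports the terminating target, so you can confirm that the ruleset itself answers a port like 135 with REJECT tcp-reset before sniffing outside the firewall as Chris suggests. The addresses are constructed (203.0.113.5 stands in for the masked host, 198.51.100.7 for the scanner), the rule set is abridged, and only the match options the dump actually uses are implemented.

```python
import ipaddress, shlex

# Abridged copy of the poster's filter table (constructed; masked host is 203.0.113.5 here).
RULESET = """-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -d 203.0.113.5 -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -j STATEFUL
-A DUMP -p tcp -j LOG
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A DUMP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DUMP"""

def parse(text):
    """Group '-A chain k v k v ...' lines into {chain: [{k: v}, ...]}, in order."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line.replace(" ! ", " !"))  # fold old-style "-i ! eth0"
        chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def matches(rule, pkt):
    """True if every match option in the rule agrees with the packet dict."""
    for key, want in rule.items():
        neg, want = want.startswith("!"), want.lstrip("!")
        if key in ("-s", "-d"):                    # dotted netmasks parse fine
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
        elif key == "--dport":
            lo, _, hi = want.partition(":")
            ok = int(lo) <= pkt[key] <= int(hi or lo)
        else:  # -i/-p/--state: value or comma list; -m/-j/--reject-with: no field, always match
            ok = pkt.get(key, want) in want.split(",")
        if ok == neg:
            return False
    return True

def verdict(chains, chain, pkt):
    """Terminating target for pkt walking the chain in order; INPUT policy is DROP."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        target = rule["-j"]
        if target in chains:                       # user chain: take its verdict
            target = verdict(chains, target, pkt)
        elif "--reject-with" in rule:
            target += " " + rule["--reject-with"]
        if target and target != "LOG":             # LOG / empty user chain: go on
            return target
    return "DROP" if chain == "INPUT" else None    # ":INPUT DROP" in the dump

def syn_verdict(dport, iface="eth0", src="198.51.100.7"):
    """Verdict for a fresh SYN to the firewall host (constructed addresses)."""
    pkt = {"-i": iface, "-s": src, "-d": "203.0.113.5",
           "-p": "tcp", "--dport": dport, "--state": "NEW"}
    return verdict(parse(RULESET), "INPUT", pkt)
```

If the walker says REJECT tcp-reset for a port that nmap still reports as filtered, the reset is being lost after rule evaluation, which is exactly what the kernel-config and sniffing checks above isolate.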