* Newbie iptables question
@ 2004-12-09 15:47 Bernardo Vieira
0 siblings, 0 replies; 4+ messages in thread
From: Bernardo Vieira @ 2004-12-09 15:47 UTC (permalink / raw)
To: Netfilter
Hi all,
Sorry for the lame post but I'm really stuck with this and have got nowhere
to turn. Anyway, here's my problem:
I need to close all external traffic (eth0:0) to my server except on
a few ports (smtp, http, ping, echo, etc.), and for my local network I
need, in addition to those ports, SMB. So, as a test I came up with the
following tables (for now I'm allowing all local traffic):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15521 3812K ACCEPT all -- !eth0:0 * !192.168.1.3 !192.168.1.3
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 SMB all -- * * 192.168.1.0/24 192.168.1.0/24
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SMB all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 20416 packets, 20M bytes)
pkts bytes target prot opt in out source destination
15938 16M SMB all -- * * 192.168.1.0/24 192.168.1.0/24
Chain SMB (3 references)
pkts bytes target prot opt in out source destination
10 1111 ACCEPT tcp -- * * !192.168.1.3 !192.168.1.3 tcp multiport dports 135,136,137,138,139,445
4 499 ACCEPT udp -- * * !192.168.1.3 !192.168.1.3 udp multiport sports 135,136,137,138,139,445
However, when I run a portscan I get the following; I'm particularly
worried about ports 139 and 3306 being open:
21 ftp File Transfer [Control]
22 ssh Secure Shell Login
25 smtp Simple Mail Transfer
37 time timserver
80 http World Wide Web HTTP
111 sunrpc portmapper, rpcbind
139 netbios-ssn NETBIOS Session Service
143 imap2 Interim Mail Access Protocol v2
443 https secure http (SSL)
587 submission -
3306 mysql mySQL
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
Can anyone shed some light on this?
Thanx.
* RE: Newbie iptables question
@ 2004-12-09 16:32 Gary W. Smith
2004-12-09 17:29 ` Bernardo Vieira
0 siblings, 1 reply; 4+ messages in thread
From: Gary W. Smith @ 2004-12-09 16:32 UTC (permalink / raw)
To: Bernardo Vieira, Netfilter
Bernardo,
Where are you performing the scan from? You need to do it externally if
you want to see how it's operating. Also, if you're not port forwarding,
then you can just do default DROP but allow related back in, which would
drop you down to about 6 rules on this list.
Also, it's more readable if you do an iptables-save and send that output
(IMHO).
Gary
> Can anyone shed some light on this?
>
> Thanx.
* Re: Newbie iptables question
2004-12-09 16:32 Gary W. Smith
@ 2004-12-09 17:29 ` Bernardo Vieira
0 siblings, 0 replies; 4+ messages in thread
From: Bernardo Vieira @ 2004-12-09 17:29 UTC (permalink / raw)
To: Netfilter
Gary,
Thank you for your reply, turns out the problem I was having was with
the virtual interface, that out of the way I realised I
forgot a couple of things (FTP for everyone and LDAP for local folks),
anyway I followed your advice and changed FORWARD policy to drop as well
as allowing related traffic. Now a port scan from the outside world
looks a lot nicer:
Thank you again,
Bernardo
21 ftp File Transfer [Control]
22 ssh Secure Shell Login
25 smtp Simple Mail Transfer
80 http World Wide Web HTTP
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
Gary W. Smith wrote:
>Bernardo,
>
>Where are you performing the scan from? You need to do it externally if
>you want to see how it's operating. Also, if you're not port forwarding,
>then you can just do default DROP but allow related back in, which would
>drop you down to about 6 rules on this list.
>
>Also, it's more readable if you do an iptables-save and send that output
>(IMHO).
>
>Gary
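As an added example (not code from the thread or from the netfilter project), a small Python evaluator for the iptables-save format that predicts what a port scan should see against a ruleset like the one above, from an outside address and from the LAN, which is the check Gary asked for. It assumes a constructed, cut-down ruleset with numeric ports in place of the service names, and an assumed server address of 192.168.1.10 (the posts never say what the host's own IP is); `open_tcp_ports` walks INPUT and the user-defined SMB chain the way the kernel does, honouring the `!` negations and the chain policy.

```python
import ipaddress
# Constructed sample in iptables-save syntax, modelled on the INPUT/SMB rules posted in the
# thread (numeric ports instead of service names; 192.168.1.10 is an assumed server address).
SAVE = """
:INPUT DROP [0:0]
:SMB - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports 135,136,137,138,139,445 -j ACCEPT
"""
OPTS = ("-s", "-d", "-p", "-j", "--dport", "--dports", "--sport", "--sports")

def parse(text):
    """Return ({chain: policy}, {chain: [(conds, target)]}); conds maps option -> (negated, value)."""
    policies, chains = {}, {}
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok[0].startswith(":"):
            policies[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
        elif tok[0] == "-A":
            conds, i = {}, 2
            while i < len(tok):
                neg = tok[i + 1] == "!"                  # iptables 1.2 writes negation as '-s ! addr'
                if tok[i] in OPTS:
                    conds[tok[i]] = (neg, tok[i + 2 if neg else i + 1])
                i += 3 if neg else 2                      # '-m tcp' / '-m multiport' carry no condition
            chains[tok[1]].append((conds, conds.pop("-j")[1]))
    return policies, chains

def matches(conds, pkt):
    """Every condition must hold; a '!' condition holds when its test misses."""
    def hit(opt, val):
        if opt in ("-s", "-d"):                           # ip_network understands dotted netmasks
            return ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val, strict=False)
        return pkt[opt] == val if opt == "-p" else pkt[opt[2:7]] in {int(p) for p in val.split(",")}
    return all(hit(opt, val) != neg for opt, (neg, val) in conds.items())

def verdict(chain, pkt, policies, chains):
    """Walk a chain like the kernel: the first matching terminal target decides."""
    for conds, target in chains[chain]:
        if matches(conds, pkt):
            v = target if target not in chains else verdict(target, pkt, policies, chains)
            if v:                                         # None: a user chain fell off its end
                return v
    return None if policies[chain] == "-" else policies[chain]

def open_tcp_ports(src, candidates, dst="192.168.1.10", save=SAVE):
    policies, chains = parse(save)
    pkt = {"-s": src, "-d": dst, "-p": "tcp", "sport": 40000}
    return sorted(p for p in candidates if verdict("INPUT", {**pkt, "dport": p}, policies, chains) == "ACCEPT")
```

Run against an outside source the evaluator reports only port 22 reachable while 139 and 3306 fall to the INPUT DROP policy; from a LAN host the SMB ports are accepted, and because both SMB conditions negate 192.168.1.3 a host with that address never gets an SMB ACCEPT.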
* RE: Newbie iptables question
@ 2004-12-09 17:34 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 4+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-12-09 17:34 UTC (permalink / raw)
To: Bernardo Vieira, Netfilter
No ftp access on port 20?
Make sure you aren't allowing port fwding via ssh.
It's not a best practice to do so unless you like your life complicated.
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Bernardo
Vieira
Sent: Thursday, December 09, 2004 9:30 AM
To: Netfilter
Subject: Re: Newbie iptables question