From: Bernardo Vieira <bernardo.vieira@terra.com.br>
To: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Newbie iptables question
Date: Thu, 09 Dec 2004 15:29:41 -0200 [thread overview]
Message-ID: <41B88B85.5050602@terra.com.br> (raw)
In-Reply-To: <27594E8BA9D5CA458F5EF87D88B6B48F019829@pxtvjoexd01.pxt.primeexalia.com>
Gary,
Thank you for your reply. It turns out the problem I was having was with
the virtual interface; with that out of the way I realised I had
forgotten a couple of things (FTP for everyone and LDAP for local folks).
Anyway, I followed your advice and changed the FORWARD policy to DROP as well
as allowing related traffic. Now a port scan from the outside world
looks a lot nicer:
Thank you again,
Bernardo
21 ftp File Transfer [Control]
22 ssh Secure Shell Login
25 smtp Simple Mail Transfer
80 http World Wide Web HTTP
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
Gary W. Smith wrote:
>Bernardo,
>
>Where are you performing the scan from? You need to do it externally if
>you want to see how it's operating. Also, if you're not port forwarding,
>then you can just do default DROP but allow related back in, which would
>drop you down to about 6 rules on this list.
>
>Also, it's more readable if you do an iptables-save and send that output
>(IMHO).
>
>Gary
>>Can anyone shed some light on this?
>>
>>Thanx.
---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0450-1, 09/12/2004
Tested on: 9/12/2004 15:29:43
avast! - copyright (c) 2000-2004 ALWIL Software.
http://www.avast.com
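As an added example (not code from the post or from the netfilter project), here is a small Python audit that parses iptables-save output and checks the points Gary raised: which built-in chains still default to ACCEPT, whether the ESTABLISHED/RELATED rules cover every protocol or only TCP, what INPUT accepts from any source, and which rules trust a source port instead of connection tracking. The sample rulesets are constructed from a trimmed copy of the filter table above (with the wrapped multiport line rejoined), and a second copy in which the TCP-only state rules, the `--sport 53` rule and the ICMP echo-reply rule are replaced by a single protocol-agnostic `-m state --state ESTABLISHED,RELATED` rule, which is the form conntrack is designed for.

```python
"""Audit iptables-save text for default policies, stateful coverage and exposure."""
from collections import defaultdict

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

# Constructed sample: trimmed from the filter table in the post above.
SAMPLE_HEAD = """\
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
-A INPUT -i lo -j ACCEPT
"""
# The post's state rules: ESTABLISHED/RELATED apply to TCP only, so UDP and ICMP
# replies need their own rules keyed on source port or ICMP type.
STATEFUL_TCP_ONLY = """\
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
"""
# Corrected form (assumed replacement, not from the post): one rule, no -p, covers
# TCP, UDP and ICMP replies and ICMP errors related to tracked flows.
STATEFUL_ALL = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
SAMPLE_TAIL = """\
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
COMMIT
"""
SAMPLE = SAMPLE_HEAD + STATEFUL_TCP_ONLY + SAMPLE_TAIL
FIXED = SAMPLE_HEAD + STATEFUL_ALL + SAMPLE_TAIL


def parse_opts(tokens):
    """'-p tcp -m tcp --dport 22 -j ACCEPT' -> {opt: (negated, value)}; -m collects a list.
    Handles both the old '-s ! addr' and the newer '! -s addr' negation syntax."""
    opts, neg, i = {"-m": []}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            neg, i = True, i + 1
            continue
        val = None
        if i + 1 < len(tokens) and tokens[i + 1] == "!":
            neg, i = True, i + 1
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            val, i = tokens[i + 1], i + 1
        if tok == "-m":
            opts["-m"].append(val)
        else:
            opts[tok] = (neg, val)
        neg, i = False, i + 1
    return opts


def parse_save(text):
    """Parse iptables-save text into {table: {"policies": {chain: policy}, "rules": [(chain, opts)]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif line.startswith("-A "):
            _, chain, *rest = line.split()
            cur["rules"].append((chain, parse_opts(rest)))
        elif line == "COMMIT":
            cur = None
    return tables


def accept_policies(tables):
    """Built-in filter chains whose default policy is still ACCEPT."""
    return [c for c, p in tables["filter"]["policies"].items() if c in BUILTIN and p == "ACCEPT"]


def state_coverage(tables, chain="INPUT"):
    """Which protocols each conntrack-state ACCEPT rule on `chain` applies to ('all' if no -p)."""
    cover = defaultdict(set)
    for c, o in tables["filter"]["rules"]:
        if c == chain and o.get("-j") == (False, "ACCEPT") and "--state" in o:
            for st in o["--state"][1].split(","):
                cover[st].add(o.get("-p", (False, "all"))[1])
    return dict(cover)


def unstated_protocols(tables, chain="INPUT", protos=("tcp", "udp", "icmp")):
    """Protocols whose replies no ESTABLISHED rule on `chain` admits."""
    est = state_coverage(tables, chain).get("ESTABLISHED", set())
    return [] if "all" in est else [p for p in protos if p not in est]


def world_reachable(tables, chain="INPUT"):
    """(proto, dport) pairs accepted from any source on any non-loopback interface."""
    out = []
    for c, o in tables["filter"]["rules"]:
        if c != chain or o.get("-j") != (False, "ACCEPT"):
            continue
        if "-s" in o or "--state" in o or o.get("-i") == (False, "lo"):
            continue
        port = (o.get("--dport") or o.get("--dports") or (False, "any"))[1]
        out.append((o.get("-p", (False, "all"))[1], port))
    return out


def source_port_trust(tables, chain="INPUT"):
    """Stateless ACCEPTs keyed on --sport: any sender who sets that source port gets in."""
    return [o["--sport"][1] for c, o in tables["filter"]["rules"]
            if c == chain and "--sport" in o and "--state" not in o
            and o.get("-j") == (False, "ACCEPT")]


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE), ("conntrack-only", FIXED)):
        t = parse_save(text)
        print(name, "| ACCEPT policies:", accept_policies(t),
              "| no ESTABLISHED for:", unstated_protocols(t),
              "| open to the world:", world_reachable(t),
              "| trusts sport:", source_port_trust(t))
```

Run against the posted ruleset the audit reports that OUTPUT still defaults to ACCEPT, that UDP and ICMP have no ESTABLISHED coverage (which is why the `--sport 53` and ICMP-type rules exist), and that the `--sport 53` rule lets any UDP datagram with source port 53 reach an unprivileged port; the conntrack-only variant clears the last three findings with one rule fewer.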
Thread overview: 4+ messages
2004-12-09 16:32 Newbie iptables question Gary W. Smith
2004-12-09 17:29 ` Bernardo Vieira [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-12-09 17:34 Hudson Delbert J Contr 61 CS/SCBN
2004-12-09 15:47 Bernardo Vieira