From: Bernardo Vieira
Subject: Re: Newbie iptables question
Date: Thu, 09 Dec 2004 15:29:41 -0200
Message-ID: <41B88B85.5050602@terra.com.br>
In-Reply-To: <27594E8BA9D5CA458F5EF87D88B6B48F019829@pxtvjoexd01.pxt.primeexalia.com>
To: Netfilter

Gary,

Thank you for your reply. It turns out the problem I was having was with the virtual interface. With that out of the way I realised I had forgotten a couple of things (FTP for everyone and LDAP for local folks); anyway, I followed your advice and changed the FORWARD policy to DROP as well as allowing related traffic. Now a port scan from the outside world looks a lot nicer:

Thank you again,
Bernardo

   21 ftp               File Transfer [Control]
   22 ssh               Secure Shell Login
   25 smtp              Simple Mail Transfer
   80 http              World Wide Web HTTP
10000 snet-sensor-mgmt  SecureNet Pro Sensor https management server

# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004

Gary W. Smith wrote:
> Bernardo,
>
> Where are you performing the scan from? You need to do it externally if
> you want to see how it's operating. Also, if you're not port forwarding
> then you can just do default DROP but allow related back in, which would
> drop you down to about 6 rules on this list.
>
> Also, it's more readable if you do an iptables-save and send that output
> (IMHO).
>
> Gary
>
>> Can anyone shed some light on this?
>>
>> Thanx.
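As an added example (not part of the thread, and not the netfilter project's code), a small audit that reads an iptables-save dump of the kind posted above and lists which INPUT ports are ACCEPTed from any source without a state match, the thing Gary's "default DROP but allow related back in" advice is meant to minimise. The sample dump is a constructed, trimmed copy of the ruleset posted in the message; only the Python standard library is used.

```python
"""Audit an iptables-save dump: which ports does a chain accept from anywhere?"""
import shlex

# Constructed sample: a trimmed copy of the *filter table posted in the thread.
SAMPLE = """\
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
"""


def parse_filter(dump):
    """Return (chain policies, rules) for the *filter table of an iptables-save dump.

    rules is a list of (chain, tokens) where tokens are the rule's arguments after '-A chain'.
    """
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("COMMIT"):
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ':INPUT DROP [n:m]' -> INPUT, DROP
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            toks = shlex.split(line)
            rules.append((toks[1], toks[2:]))
    return policies, rules


def world_open_ports(dump, chain="INPUT"):
    """Return (policy, [(proto, dport), ...]) for ACCEPT rules in `chain` that carry
    no source restriction (-s), no state match (--state) and no interface (-i).
    A stateless UDP accept such as the DNS rule shows up here as a wide-open range."""
    policies, rules = parse_filter(dump)
    found = []
    for ch, toks in rules:
        if ch != chain or "-j" not in toks or toks[toks.index("-j") + 1] != "ACCEPT":
            continue
        if "-s" in toks or "--state" in toks or "-i" in toks or "--dport" not in toks:
            continue
        proto = toks[toks.index("-p") + 1] if "-p" in toks else "any"
        found.append((proto, toks[toks.index("--dport") + 1]))
    return policies.get(chain), found
```

Run `world_open_ports(SAMPLE)` to see that, besides the intended 22 and 10000, the stateless DNS reply rule exposes udp 1024:65535 to any source; replacing it with a `--state RELATED,ESTABLISHED` match for all protocols closes that.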