From: Bernardo Vieira <bernardo.vieira@terra.com.br>
To: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Newbie iptables question
Date: Thu, 09 Dec 2004 15:29:41 -0200 [thread overview]
Message-ID: <41B88B85.5050602@terra.com.br> (raw)
In-Reply-To: <27594E8BA9D5CA458F5EF87D88B6B48F019829@pxtvjoexd01.pxt.primeexalia.com>
Gary,
Thank you for your reply. It turns out the problem I was having was with
the virtual interface. With that out of the way I realised I had
forgotten a couple of things (FTP for everyone and LDAP for local folks);
anyway, I followed your advice and changed the FORWARD policy to DROP as well
as allowing related traffic. Now a port scan from the outside world
looks a lot nicer:
Thank you again,
Bernardo
21 ftp File Transfer [Control]
22 ssh Secure Shell Login
25 smtp Simple Mail Transfer
80 http World Wide Web HTTP
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
Gary W. Smith wrote:
>Bernardo,
>
>Where are you performing the scan from? You need to do it externally if
>you want to see how it's operating. Also, if you're not port forwarding
>then you can just do default DROP but allow related back in, which would
>drop you down to about 6 rules on this list.
>
>Also, it's more readable if you do an iptables-save and send that output
>(IMHO).
>
>Gary
>
>>Can anyone shed some light on this?
>>
>>Thanx.
>>
>>---
>>avast! Antivirus: Outbound message clean.
>>Virus Database (VPS): 0450-1, 09/12/2004
>>Tested on: 9/12/2004 13:47:30
>>avast! - copyright (c) 2000-2004 ALWIL Software.
>>http://www.avast.com
>
>This message was verified by Terra E-mail Protegido.
>Scan engine: McAfee VirusScan / Updated on 09/12/2004 / Version: 4.4.00 - Dat 4413
>Protect your Terra e-mail: http://www.emailprotegido.terra.com.br/
>
>E-mail classified by the Terra Intelligent Spam Identifier.
>To change the assigned category, visit
>http://www.terra.com.br/centralunificada/emailprotegido/imail/imail.cgi?+_u=bernardo.vieira&_l=1,1102609970.605061.3486.mongu.terra.com.br,1958,Des15,Des15
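Two things in the posted ruleset are worth checking mechanically rather than by eye: the ESTABLISHED/RELATED rules are restricted to `-p tcp`, so UDP and ICMP replies are never matched by connection tracking, and the DNS rule fills that gap with a stateless ACCEPT keyed only on source port 53, which any remote host can set. The script below is an added example (not code from the thread or from the netfilter project) that parses iptables-save output with a small hand-written parser and flags exactly those patterns. The two dumps embedded in it are constructed: one is a trimmed copy of the INPUT rules above, the other is the same ruleset with a single protocol-agnostic state rule replacing the tcp-only state rules and the source-port-53 rule. The lint heuristics are my own assumptions about what a reviewer would want flagged.

```python
"""Lint an iptables-save dump for stateless ACCEPT rules and gaps in
connection-tracking coverage (added example, not from the thread)."""
import shlex

# Constructed sample: trimmed copy of the INPUT rules posted in the thread.
WEAK_DUMP = """\
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
COMMIT
"""

# Constructed hardened variant: one state rule without "-p" covers tcp, udp
# and icmp, so DNS replies are accepted only when conntrack saw the query.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, argv)]}}."""
    tables = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("*"):
            table = line[1:]              # "*filter"
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [22:2426]"
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)      # handles "! 192.168.1.3" tokens too
            tables[table]["rules"].append((argv[1], argv[2:]))
        elif line == "COMMIT":
            table = None
    return tables


def _opt(argv, flag):
    """Value following `flag` in argv, or None if absent."""
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None


def _states(argv):
    """State list from "-m state --state" or "-m conntrack --ctstate"."""
    return _opt(argv, "--state") or _opt(argv, "--ctstate")


def state_coverage(rules, chain="INPUT"):
    """Protocols that an ESTABLISHED/RELATED ACCEPT in `chain` applies to.
    "all" means a state rule with no -p, which covers every protocol."""
    covered = set()
    for ch, argv in rules:
        if ch == chain and _opt(argv, "-j") == "ACCEPT" and _states(argv):
            covered.add(_opt(argv, "-p") or "all")
    return covered


def lint(tables):
    """Return human-readable findings for the filter table."""
    findings = []
    filt = tables["filter"]
    for chain, policy in filt["policies"].items():
        if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
            findings.append(f"{chain} default policy is ACCEPT")
    covered = state_coverage(filt["rules"])
    if "all" not in covered:
        for proto in ("tcp", "udp", "icmp"):
            if proto not in covered:
                findings.append(f"INPUT has no ESTABLISHED/RELATED rule for {proto}")
    for chain, argv in filt["rules"]:
        if _opt(argv, "-j") != "ACCEPT" or _states(argv):
            continue                      # stateful accepts are fine
        if _opt(argv, "--sport") or _opt(argv, "--sports"):
            # Source ports are chosen by the remote peer, so this match
            # does not prove the packet is a reply to anything we sent.
            findings.append(f"{chain}: stateless ACCEPT keyed on source port: "
                            + " ".join(argv))
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"== {name} ==")
        for f in lint(parse_iptables_save(dump)) or ["no findings"]:
            print(" ", f)
```

Run against a real box with `iptables-save | python3 lint.py` after replacing the embedded sample with `sys.stdin.read()`; the parser only understands the `-A` rule lines and chain policy lines, which is all iptables-save emits for the filter table. The fix the hardened dump shows is the one Gary's advice implies: a single `--state ESTABLISHED,RELATED` rule without `-p`, which also makes the `--sport 53` rule unnecessary because conntrack already admits the DNS reply to the query the host sent.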
Thread overview:
2004-12-09 16:32 Newbie iptables question Gary W. Smith
2004-12-09 17:29 ` Bernardo Vieira [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-12-09 17:34 Hudson Delbert J Contr 61 CS/SCBN
2004-12-09 15:47 Bernardo Vieira