LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-29-2006, 11:10 PM   #1
glorsplitz
Member
 
Registered: Dec 2002
Distribution: slackware!
Posts: 244

how to close open ports


I'm trying to learn iptables; the firewall is forwarding and blocking. I'm testing this out
behind an SMC router before I connect the internet to the firewall PC.

I'd like to have SSH and Samba available over the LAN but not the WAN.

netstat --proto=inet,inet6 -pnl shows:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 1279/inetd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1304/smbd
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 1279/inetd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1304/smbd
tcp 0 0 :::22 :::* LISTEN 1288/sshd
udp 0 0 0.0.0.0:512 0.0.0.0:* 1279/inetd
udp 0 0 192.168.0.196:137 0.0.0.0:* 1307/nmbd
udp 0 0 192.168.1.196:137 0.0.0.0:* 1307/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1307/nmbd
udp 0 0 192.168.0.196:138 0.0.0.0:* 1307/nmbd
udp 0 0 192.168.1.196:138 0.0.0.0:* 1307/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1307/nmbd
udp 0 0 0.0.0.0:37 0.0.0.0:* 1279/inetd

192.168.0.196 is the WAN IP, 192.168.1.196 is the LAN IP.

With the firewall up, if I do the following for any one of the ports:

iptables -A INPUT -p TCP -s 192.168.0.196 --dport 139 -j DROP (or REJECT)

netstat --proto=inet,inet6 -pnl still shows them as LISTEN, as above.

nmap -sS -p- -P0 -vv 192.168.0.196 says:

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-09-30 00:03 EDT
Initiating SYN Stealth Scan against 192.168.0.196 [65535 ports] at 00:03
Discovered open port 113/tcp on 192.168.0.196
Discovered open port 22/tcp on 192.168.0.196
Discovered open port 445/tcp on 192.168.0.196
Discovered open port 139/tcp on 192.168.0.196
Discovered open port 37/tcp on 192.168.0.196
The SYN Stealth Scan took 6.34s to scan 65535 total ports.
Host 192.168.0.196 appears to be up ... good.
Interesting ports on 192.168.0.196:
(The 65530 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
37/tcp open time
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 7.011 seconds
Raw packets sent: 65542 (2.62MB) | Rcvd: 65535 (3.01MB)

What can I do to close the open ports to the WAN? Thank you.
 
Old 09-30-2006, 12:15 AM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Your IPTABLES configuration should be dropping anything not specifically authorized by default:

-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT

So all you need is to accept the traffic from the LAN subnet. For example:

-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 --syn -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT

Old 09-30-2006, 02:21 AM   #3
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Quote:
Originally Posted by glorsplitz
iptables -A INPUT -p TCP -s 192.168.0.196 --dport 139 -j DROP (or REJECT)

I still wonder why you have that rule.
With that rule, it will affect packets which have a SOURCE ADDRESS of 192.168.0.196 (WAN interface) and a DESTINATION PORT of 139. Anyway, tell me one good reason how you can protect your own Samba with that.

And AFAIK, a firewall doesn't actually close ports; it just filters/blocks the traffic at them.
 
Old 09-30-2006, 10:10 AM   #4
glorsplitz
Member
 
Registered: Dec 2002
Distribution: slackware!
Posts: 244

Original Poster
Thanks for helping, amitsharma_26. As I've said a couple of times, I'm trying to learn iptables. I got rc.firewall from the Easy Firewall Generator web site; after changing the IP addresses it works fine. Looking through other posts about making sure a firewall is secure, I found nmap and netstat, which showed the open ports.

iptables -A INPUT -p TCP -s 192.168.0.196 --dport 139 -j DROP (or REJECT) is not part of the firewall. With the firewall up I did that from the command line to see if the port would then be unavailable; iptables -L INPUT shows the rule I added. I think I see what you mean: the ports are open, but the rule blocks access.

After I posted, I thought: I'm only allowing LAN traffic in Samba anyway, so shouldn't that be enough?
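A rule set that does what macemoneta's reply describes (default deny, accept SSH and Samba only from the LAN subnet) while keying on the incoming interface rather than on a source address, which is the problem amitsharma_26 points out with the original rule. This is an added example, not code from the thread or from the Easy Firewall Generator; the interface names eth0 (WAN) and eth1 (LAN) are assumptions, the LAN subnet 192.168.1.0/24 comes from the poster's addresses, and IPT defaults to echo so the rules are only printed until it is run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain that admits SSH and Samba only from
# the LAN. eth0 (WAN) and eth1 (LAN) are assumed names; the thread never gives them.
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables from the console
# to apply for real, since the flush briefly leaves the chain with policy DROP.
IPT="${IPT:-echo iptables}"

lan_only_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3

    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the firewall box itself opened (DNS, updates).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH and Samba (smbd 139/445, nmbd 137/138) are accepted only when the
    # packet arrives on the LAN interface *and* carries a LAN source address.
    for port in 22 139 445; do
        $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p tcp --dport "$port" -j ACCEPT
    done
    for port in 137 138; do
        $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p udp --dport "$port" -j ACCEPT
    done

    # The poster's rule matched "-s 192.168.0.196", i.e. the WAN address as a
    # *source*, which no packet coming in from the WAN carries. Match on the
    # interface instead; the listeners stay open but nothing from the WAN reaches them.
    $IPT -A INPUT -i "$wan_if" -p tcp --syn -j REJECT
    $IPT -A INPUT -i "$wan_if" -p udp -j REJECT
}

# Sanity check before applying: count generated rules that ACCEPT on the WAN
# interface. 0 is the expected answer for the set above.
wan_accept_count() {
    lan_only_rules "$1" "$2" "$3" | grep -- "-i $1 " | grep -c -- "-j ACCEPT" || true
}

lan_only_rules eth0 eth1 192.168.1.0/24
```

After applying, repeat the nmap scan from the WAN side: the ports still LISTEN in netstat, but the WAN-facing scan should report them filtered or closed rather than open.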
 
  

