LinuxQuestions.org
Old 10-23-2002, 01:11 PM   #1
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Rep: Reputation: 15
IPTABLES script help


Let's just say I'm new to iptables and I need to set up a new firewall script using it. I found this script on the internet and made some changes so it works for me. The problem is that when I run it, all connections are dropped (due to the NEW SYN packets rule, that is fine) and I can not reconnect to the box via SSH, and none of the other allowed ports work (80, 21, etc). Stuff that does work, though, is the MASQ rules and the port forwarding rules. I know if I comment the last 2 lines out (the DROP rules) it does work. So I'm guessing that the ALLOW rules are not functioning correctly. Can anyone help me out?

Thanks for your help,
Scott

SCRIPT TO FOLLOW:
-----------------------------------------------------------------------------------
#!/bin/sh

IPTABLES="/sbin/iptables"

echo "--Starting the firewall--"

echo ":Flushing rules..."
$IPTABLES -F
$IPTABLES -X

#Set default policies to DROP
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

echo "-Done..."

LOOP_IF="lo"


###########################################################################
#----Set network sysctl options-----#
echo "--Setting sysctl options--"

echo ":Enabling packet forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo ":Disabling IP Spoofing attacks"
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

echo ":Disabling respond to broadcast pings"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo ":Blocking source routing"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo ":Kill timestamps"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo ":Enable SYN Cookies"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo ":Kill redirects"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo ":Enabling bad error message protection"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo ":Logging martians (packets with impossible addresses)"
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo ":Reducing DoS'ing ability by reducing timeouts"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "-Done..."

#########################################################################
echo "--Setting up standard rules--"

echo ":Setting up forwarding rules"
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.4:8080
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 10.0.0.4:80
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 10.0.0.3:5913
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.0.0.3:80
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 10.0.0.3:8085
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 9000:9001 -j DNAT --to-destination 10.0.0.4
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 9002:9003 -j DNAT --to-destination 10.0.0.3

echo ":Enabling Masquerading"
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$IPTABLES -A FORWARD -i eth0 -j ACCEPT

echo ":Allow unlimited traffic on the loopback interface"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

echo ":Enabling SYN-FLOODING protection"
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

echo ":Making sure NEW tcp connections are SYN packets"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo ":Refusing unclean and invalid"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

echo ":Logging fragments caught"
$IPTABLES -N fragments
$IPTABLES -A INPUT -f -j fragments
$IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPTABLES -A fragments -j DROP

echo ":Refusing spoofed packets pretending to be from my IP address"
$IPTABLES -A INPUT -s xxx.xxx.xxx.xxx -j DROP
echo "-Done..."

##########################################################################
echo "--Setting up defined chains--"

echo ":Allow forwarded ports"
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8081 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8082 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8083 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 9000:9001 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 8081 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 8082 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 8083 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 9000:9001 -j ACCEPT

echo ":Allow SSH(22/tcp)"
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT

echo ":Allow ftp"
$IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

echo ":Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

echo ":Allow HTTP(80) to the internet"
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT

echo ":Rejecting all internet connections to 137:139"
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -i eth1 -p udp --sport 137:139 -j NETBIOS
$IPTABLES -A NETBIOS -i eth1 -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -i eth1 -j DROP

echo ":Rejecting all other packets except local"
#$IPTABLES -A INPUT -j DROP
#$IPTABLES -A OUTPUT -j DROP

echo "-Done..."

#################################################################################
echo "--Firewall construction completed--"

Last edited by closer; 10-27-2002 at 07:50 PM.
 
Old 10-23-2002, 02:11 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149
I'd change
Code:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
to
Code:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
and delete last 2 lines. If you just remove them, nearly all connections are allowed.

Last edited by Mara; 10-23-2002 at 02:12 PM.
 
Old 10-23-2002, 06:26 PM   #3
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Okay, I made those changes and now it just disconnects me right after it gets to that part of the script. Still can not reconnect (via SSH). Any more suggestions are very welcome.

- Scott
 
Old 10-24-2002, 01:40 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149
I guess I'm missing something obvious... Do you have nmap installed on any other machine (not the one with the firewall)? Could you scan the firewalled machine and see which ports are open?
 
Old 10-24-2002, 07:35 PM   #5
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Ok, with my normal chains running I get connections to many ports (21, 22, 80, 139, 1024, 3306). The sockets don't stay open and everything goes quick.

After I run this script, I don't get a single port connect. The sockets build up until they time out (no reply from my box at all). Even simple pings time out.

When I run the script with the changes you suggested, I get the same thing as above. No port connections, no reply from my computer.

Thanks for continuing your help.

-Scott
 
Old 10-25-2002, 05:19 AM   #6
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149
When you don't have the script running you have all ports open, so every connection is possible. The script uses "DROP" so the firewall doesn't send any message back (works like a black hole); that's why there's no error message. Have you tried nmap?
 
Old 10-25-2002, 07:09 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
For services inside that box, you must remember what the server is doing.

It will be accepting packets which have a destination of your ip AND port.

Your INPUT and OUTPUT rules have the -s & -d back to front.

For INPUT you want to ACCEPT packets going TO your server port, e.g. --dport 22.
And in OUTPUT, ACCEPT packets coming FROM your server port, --sport 22.

Also, you have very little control in the FORWARD chain. Default POLICY is ACCEPT after flushing and you only have 1 restriction for unclean...

These rules are treating both networks as safe... Anyone could set your eth1 interface as a gateway and pass packets freely into eth0.

Is this what you want?

Regards,
Peter
 
Old 10-25-2002, 05:56 PM   #8
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Mara:

No, I did not use nmap. I do not have a Linux box connected inside my LAN. I used some cheap portscan program for Windows. I've used it in situations like this before with ipchains and it has helped me.

peter_robb:
So basically what you suggest is that I change the lines (for example):
$IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT

to look like this?
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT

I'm at work right now, so if I test it I will not be able to reconnect to it. I'll try that when I get home. Also, I kinda wanted my internal network to be unrestricted for now. I do plan on making it more secure in the future, but for what I have right now it isn't that big of a deal. I'm more interested in securing my Linux box.

Thanks for everything,
Scott
 
Old 10-25-2002, 07:10 PM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Yeah, that's the change you need to make...

The security side of things is usually to keep the external world out while also allowing yourself the freedom to get out whenever you wish.

There isn't enough of a wall there to keep anything out...
Have a look at this tutorial for some deeper knowledge.

Regards,
Peter

Last edited by peter_robb; 10-25-2002 at 07:13 PM.
 
Old 10-27-2002, 07:49 PM   #10
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Okay, I figured I would leave you guys alone and try to figure it out myself. Yeah, I'm going nuts here.

I made all those changes and what happens now is I run the script, and I stay connected. Thinking everything was good, I disconnected and tried to reconnect. No go. I can not reconnect through SSH. Port 80 works and my redirects work. That's about it though. I used an external Linux box to nmap my box.

/usr/local/nmap/bin/nmap -p 20-25 -v xxx.xxx.xxx.xxx

Just to do a quick scan. Here are my results:

Interesting ports on xxxxxxxxxxxxxxxxxxxxxxxxxx:
Port State Service
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp

I am confused as to why 23, 24, and 25 show up as filtered. I was thinking they would just say closed. So I did another scan with another range of 6 ports (80-85) and I get the same thing. I really appreciate all the help. I am going to update the first post to show what the file currently looks like. Thanks again for all the help.

-Scott
 
Old 10-28-2002, 08:33 AM   #11
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
To get an accurate reading, nmap needs one open and one closed port to compare against.

To avoid thousands of questions, I suggested this to another post earlier...

Do "service iptables save" and then change the "/etc/sysconfig/iptables" file to say iptables.old, remove your ip address from it and please post that file here.
These big scripts are ok for setting up rules, but the saved version is MUCH clearer to read.

Change the SYN_flood settings to 40/s
Comment out the OUTPUT rules. You can trust what your box sends from itself, for the moment....
And have a look in /var/log/messages for the dropped packet descriptions. This helps identify which rule dropped them.

Regards,
Peter
 
Old 10-29-2002, 08:41 PM   #12
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Okay, my results with nmap were compared against one open port and one closed. Port 23 should have said closed with the script running. It is with my normal rules in place. I did a larger scan (1-100) and all ports showed filtered.

---------
Changed the SYN_flood rule to 40/s and tried again, no go (FTP, SSH).

---------
Commented out the main DROP rule at the top of the script and for the SSH rule, reloaded the script, no connection.

---------
Checked my messages, nothing in there. Checked my secure log and I had the following:

Oct 29 19:37:02 closer sshd[10173]: refused connect from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)

with my normal rules in place i get this message in secure:

Oct 29 19:39:40 closer sshd[10263]: Accepted password for closer from xxx.xxx.xxx.xxx port 58686 ssh2

---------

Below are my normal rules. I know that they are not pretty, but they work.

# Generated by iptables-save v1.2.6a on Sun Oct 27 18:15:04 2002
*nat
:PREROUTING ACCEPT [30609:1502426]
:POSTROUTING ACCEPT [675:88550]
:OUTPUT ACCEPT [1676:280934]
[0:0] -A PREROUTING -i eth1 -p udp -m udp --dport 7000:8000 -j DNAT --to-destination 10.0.0.4:7000
[13:696] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.4:8080
[14:744] -A PREROUTING -i eth1 -p tcp -m tcp --dport 9000:9001 -j DNAT --to-destination 10.0.0.4:9000
[9:424] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.0.0.3:80
[11:532] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8082 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
[32:1536] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 10.0.0.3:5913
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8084 -j DNAT --to-destination 10.0.0.4:80
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 10.0.0.3:8085
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 9002:9003 -j DNAT --to-destination 10.0.0.3:9002
[27297:1072179] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Oct 27 18:15:04 2002
# Generated by iptables-save v1.2.6a on Sun Oct 27 18:15:04 2002
*filter
:INPUT ACCEPT [3556632:2126028005]
:FORWARD ACCEPT [272008:220116301]
:OUTPUT ACCEPT [3488041:2194855319]
[183:14317] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2049 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 2049 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 7100 -j DROP
[2:120] -A INPUT -p tcp -m tcp --dport 515 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 515 -j DROP
[3:180] -A INPUT -p tcp -m tcp --dport 111 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 111 -j DROP
[40:2256] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -s 127.0.0.1 -i eth0 -j DROP
[20:816] -A INPUT -m unclean -j DROP
[1208:58248] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec -j ACCEPT
[1:1209] -A FORWARD -m unclean -j DROP
[0:0] -A FORWARD -s 10.0.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 11 -j DROP
[208486:15252780] -A FORWARD -i eth0 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 11 -j DROP
[183:14317] -A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Oct 27 18:15:04 2002

--------
Below are the saved rules after I run the firewall script. I think that port 22 shows traffic because I am still connected after I run the firewall script. I just can not reconnect.

# Completed on Tue Oct 29 19:49:36 2002
# Generated by iptables-save v1.2.6a on Tue Oct 29 19:49:36 2002
*filter
:INPUT DROP [2:118]
:FORWARD ACCEPT [8:864]
:OUTPUT DROP [12:8632]
:NETBIOS - [0:0]
:fragments - [0:0]
:syn-flood - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
[0:0] -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -m unclean -j DROP
[0:0] -A INPUT -f -j fragments
[0:0] -A INPUT -s 216.176.156.98 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9000:9001 -j ACCEPT
[14:680] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --sport 137:139 -j NETBIOS
[4:201] -A FORWARD -i eth0 -j ACCEPT
[0:0] -A FORWARD -m unclean -j DROP
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8081 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8082 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8083 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 9000:9001 -j ACCEPT
[11:3312] -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
[0:0] -A NETBIOS -i eth1 -j LOG --log-prefix "IPTABLES NETBIOS: "
[0:0] -A NETBIOS -i eth1 -j DROP
[0:0] -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
[0:0] -A fragments -j DROP
[0:0] -A syn-flood -m limit --limit 40/sec --limit-burst 4 -j RETURN
[0:0] -A syn-flood -j DROP
COMMIT
# Completed on Tue Oct 29 19:49:36 2002

Thank you for your continued help. This is why I love Linux so much, so many helpful people in such a large community. Again, thank you.

-Scott

Last edited by closer; 10-29-2002 at 08:47 PM.
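A small checker for the mistakes peter_robb's replies point at (INPUT/OUTPUT ports back to front, a policy of DROP with no stateful rule to let the box's own connections through, and nothing logged before the policy drop, which is why /var/log/messages stays empty), run over the iptables-save format posted above. This is an added example, not code from the thread: the two rulesets are constructed (a shortened form of the posted dump plus the --sport 22 rule from post #8, and a corrected counterpart) and the function names are made up.

```python
import re
import shlex

# Constructed sample: shortened from the dump posted above, plus the back-to-front
# "--sport 22" INPUT rule quoted in post #8.
SAMPLE = """\
*filter
:INPUT DROP [2:118]
:FORWARD ACCEPT [8:864]
:OUTPUT DROP [12:8632]
[14:680] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
[11:3312] -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
"""

# Constructed counterpart along the lines of peter_robb's advice: one generic
# stateful ACCEPT per chain, services opened by --dport, a LOG before the drop.
FIXED = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTABLES INPUT DROP: "
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPTABLES OUTPUT DROP: "
COMMIT
"""
COUNTERS = re.compile(r"\[\d+:\d+\]")

def opt(args, name):
    """Value following option `name` in a rule's token list, or None."""
    i = args.index(name) + 1 if name in args else 0
    return args[i] if 0 < i < len(args) else None

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the *filter table."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif table == "filter" and line.startswith(("[", "-A")):
            toks = shlex.split(line)
            if COUNTERS.fullmatch(toks[0]):
                toks = toks[1:]  # drop the [packets:bytes] counters
            rules.setdefault(toks[1], []).append(toks[2:])
    return policies, rules

def generic_stateful(rule):
    """ACCEPT on ESTABLISHED,RELATED with no protocol or port restriction."""
    states = set((opt(rule, "--state") or "").split(","))
    return (opt(rule, "-j") == "ACCEPT" and {"ESTABLISHED", "RELATED"} <= states
            and not any(o in rule for o in ("-p", "--sport", "--dport")))

def lint(policies, rules):
    """Return (chain, finding) pairs for the mistakes discussed in the thread."""
    out = []
    for chain, policy in policies.items():
        if policy != "DROP":
            continue
        # Without it, replies to connections the host itself opened hit the policy.
        if not any(generic_stateful(r) for r in rules[chain]):
            out.append((chain, "policy DROP without a generic ESTABLISHED,RELATED ACCEPT"))
        # The policy drops silently; only a trailing LOG rule reaches /var/log/messages.
        if not rules[chain] or opt(rules[chain][-1], "-j") != "LOG":
            out.append((chain, "policy DROP with no trailing LOG rule"))
    for r in rules.get("INPUT", []):
        # A local service is --dport; --sport alone admits any sender choosing that port.
        if opt(r, "-j") == "ACCEPT" and opt(r, "--sport") and not opt(r, "--state"):
            out.append(("INPUT", "ACCEPT keyed on --sport %s alone" % opt(r, "--sport")))
    return out
```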
 
Old 10-30-2002, 12:06 PM   #13
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

Rep: Reputation: 149
Please comment out the flooding protection ($IPTABLES -N syn-flood etc) and try again. It worked perfectly and didn't allow a scan to be made.... The results are incorrect.
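The limit match behind the syn-flood chain is a token bucket: --limit-burst tokens to start, refilled at --limit, one token spent per matching SYN, and the chain's final rule drops whatever finds the bucket empty. This added simulation (not code from the thread; the function names are made up and the timings are constructed) runs the original 1/s, burst 4 setting and peter_robb's 40/s over a six-port probe like the one above, which is the mechanism behind Mara's remark that the chain itself blocks the scan, and shows that a legitimate SYN arriving just after a burst is dropped the same way.

```python
def simulate_limit(arrival_times, rate_per_sec, burst):
    """Verdict per SYN for the thread's syn-flood chain under -m limit:
    'RETURN' means the packet passes on to the rest of INPUT, 'DROP' means
    the chain's final rule ate it. Idealised token bucket (the kernel works
    in integer credits, so real timings differ slightly): starts full with
    `burst` tokens, refills at `rate_per_sec`, one token per packet."""
    tokens, last, verdicts = float(burst), arrival_times[0], []
    for t in arrival_times:
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append("RETURN")
        else:
            verdicts.append("DROP")
    return verdicts


def scan_outcome(ports, rate_per_sec, burst, gap=0.05):
    """Constructed probe: one SYN per port, `gap` seconds apart (a scanner
    sends SYNs far faster than one per second). Returns the ports whose SYN
    never got past the limit, i.e. the ones that look 'filtered' to the
    scanner no matter what is listening behind them."""
    times = [i * gap for i in range(len(ports))]
    verdicts = simulate_limit(times, rate_per_sec, burst)
    return [p for p, v in zip(ports, verdicts) if v == "DROP"]


def reconnect_after_burst(rate_per_sec, burst, burst_size=5, delay=0.5):
    """Verdict for one legitimate SSH SYN `delay` seconds after a burst of
    `burst_size` SYNs: with a low limit the bucket has not refilled yet."""
    times = [i * 0.05 for i in range(burst_size)] + [burst_size * 0.05 + delay]
    return simulate_limit(times, rate_per_sec, burst)[-1]
```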
 
Old 10-30-2002, 12:48 PM   #14
sewer_monkey
Member
 
Registered: May 2002
Location: Toronto, ON, Canada
Distribution: Ubuntu, Debian, RedHat/CentOS
Posts: 624

Rep: Reputation: 31
If you're new to iptables, you may want to consider gShield. It generates the rules automatically and is extensively configurable.
 
Old 10-30-2002, 05:39 PM   #15
closer
LQ Newbie
 
Registered: Oct 2002
Location: Cedar Lake, IN
Distribution: Redhat 7.3
Posts: 21

Original Poster
Rep: Reputation: 15
Okay, I uncommented the SYN-flood rules and it did not work. Here are some test results:

results from /usr/local/nmap/bin/nmap -p 20-25 -v xxx.xxx.xxx.xxx

Interesting ports on xxxxxxxxxxxxxxxx (xxx.xxx.xxx.xxx):
Port State Service
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp open ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp

I was happy to see that port 22 shows open this time (as opposed to filtered as in the last scan). I quickly tried to SSH into the box. Sadly, here's what I got:

ssh_exchange_identification: Connection closed by remote host

I did save the iptables rules for you to look at:

# Generated by iptables-save v1.2.6a on Wed Oct 30 17:34:48 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.4:8080
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 10.0.0.4:80
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 10.0.0.3:5913
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.0.0.3:80
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 10.0.0.3:8085
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 9000:9001 -j DNAT --to-destination 10.0.0.4
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 9002:9003 -j DNAT --to-destination 10.0.0.3
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Oct 30 17:34:48 2002
# Generated by iptables-save v1.2.6a on Wed Oct 30 17:34:48 2002
*filter
:INPUT DROP [1:40]
:FORWARD ACCEPT [1:48]
:OUTPUT DROP [10:7172]
:NETBIOS - [0:0]
:fragments - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -m unclean -j DROP
[0:0] -A INPUT -f -j fragments
[0:0] -A INPUT -s **MY EXT IP ADDRESS** -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9000:9001 -j ACCEPT
[15:740] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --sport 137:139 -j NETBIOS
[1:48] -A FORWARD -i eth0 -j ACCEPT
[0:0] -A FORWARD -m unclean -j DROP
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8080 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8081 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8082 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 8083 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 9000:9001 -j ACCEPT
[11:3076] -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
[0:0] -A NETBIOS -i eth1 -j LOG --log-prefix "IPTABLES NETBIOS: "
[0:0] -A NETBIOS -i eth1 -j DROP
[0:0] -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
[0:0] -A fragments -j DROP
COMMIT
# Completed on Wed Oct 30 17:34:48 2002

Thank you for your continued help. I really do appreciate it. I am thinking now that maybe using firestarter or gShield to do this for me wouldn't be that bad of an idea. Back to reading iptables how-tos.

-Scott
 
  

