Applying iptables rules / don't seem to work once I change them
Well, thanks, but that doesn't help. I still have no idea what that hosting company has...
And I also have no idea why this has been moved to a newbie section. It is a question about security and iptables, after all.
Sorry, but my question was coming from the angle that I see some funny nmap results from machines with multiple NICs. Not sure why.
Can I suggest - and this is totally up to you - that you email me your external IP and I'll run nmap from here. I don't see how I can do any damage that way. You can send me a message by clicking on my name to the left and selecting "send email to...".
billymayday, I appreciate your effort to help and all your suggestions, but I think I am just gonna carefully revise my iptables rules, because it's obvious I don't have all those hundreds of processes listening on those ports, and it's probably just something wrong with the rules...
Plus I can't just trust a stranger with my expensive playbox (even though you've probably helped tons of people with 4K+ posts).
Thank you for all the trouble of helping me once again...
If this is a virtual host, it might be the case that you are in fact port-scanning the *real* host that your virtual host is running on. (I don't know if that is so, but it's a thought.)
But regardless of what iptables is configured for, a port shouldn't be accessible if there's nothing listening there. So it's kind of puzzling... it seems to be an issue besides iptables itself. It's also odd that netstat doesn't think anything's listening.
Maybe I'm being kind of paranoid, but are you sure that the box hasn't been compromised?
Nope, not sure. With all this weird crap happening there's a good chance it has and I have no idea about it. But I don't even know how to check, really; does anybody? lol. There's not much of a website there, and I've looked in different folders, checked running processes, and looked at iptables rules for backdoors, cron jobs and stuff like that. Didn't see anything out of the ordinary.
Scanning the host itself is probably impossible (at least I hope) because they gave me a unique IP. Really don't know what's going on. The crappy part is they refuse to help because they say it's not their problem, and keep sending me stupid links on how to configure my webserver...
Hey, wait a minute... looking back over your nmap output:
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
It looks like some sort of adaptive firewall is in place: notice that nmap's probes are being dropped, first about 40% of them and then 100%. So I'm guessing that nmap is not reporting the correct output due to firewall rules. It's probably not your virtual box's iptables rules but rather something either on the real host or on another intermediate firewall that's making the results inaccurate. At least that's my guess... it seems that nmap's output indicates that *every* port is open -- and even if the box was cracked, that is a little difficult to believe... not impossible, but it seems a little surprising.
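The reasoning in the post above (heavy probe loss means the "open" verdicts cannot be trusted) can be mechanised. The following is an added example, not code from the thread or from nmap: it parses the verbose nmap lines quoted above (embedded here as a constructed sample), tracks the send-delay increases and their drop ratios, and flags any port that nmap reported open while it was already throttling. The 50% drop threshold and the rule "open while throttled is suspect" are this example's own assumptions; the remedy it points at is the one the thread arrives at anyway, checking the listening sockets on the host itself.

```python
import re

# Constructed sample: the verbose nmap lines quoted in the post above, as pasted there.
SAMPLE_NMAP_OUTPUT = """\
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
"""

# nmap's verbose (-v) messages for rate adaptation and for open-port discovery.
DELAY_RE = re.compile(
    r"Increasing send delay for (\S+) from (\d+) to (\d+) due to (\d+) out of (\d+) dropped probes"
)
OPEN_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_nmap_verbose(text):
    """Return (drop_events, open_ports).

    drop_events: list of (old_delay_ms, new_delay_ms, dropped, sent)
    open_ports:  list of (port, proto, send_delay_in_effect_when_found)
    """
    delay = 0
    drop_events = []
    open_ports = []
    for line in text.splitlines():
        m = DELAY_RE.search(line)
        if m:
            _, old, new, dropped, sent = m.groups()
            delay = int(new)
            drop_events.append((int(old), int(new), int(dropped), int(sent)))
            continue
        m = OPEN_RE.search(line)
        if m:
            open_ports.append((int(m.group(1)), m.group(2), delay))
    return drop_events, open_ports


def assess_scan(text, drop_threshold=0.5):
    """Summarise how much the scan results can be trusted.

    drop_threshold is an assumption of this example: once nmap reports that
    at least this fraction of probes went unanswered, later "open" verdicts
    are treated as unverified and should be confirmed on the host (ss/netstat).
    """
    drop_events, open_ports = parse_nmap_verbose(text)
    worst = max((d / s for _, _, d, s in drop_events if s), default=0.0)
    return {
        "worst_drop_ratio": worst,
        "reliable": worst < drop_threshold,
        "open_ports": [p for p, _, _ in open_ports],
        # Ports reported open after nmap had already started throttling.
        "open_while_throttled": [p for p, _, d in open_ports if d > 0],
    }


if __name__ == "__main__":
    result = assess_scan(SAMPLE_NMAP_OUTPUT)
    print(f"worst drop ratio: {result['worst_drop_ratio']:.0%}")
    print("scan reliable:", result["reliable"])
    print("ports to verify on the host:", result["open_while_throttled"])
```

With the quoted output the worst drop ratio is 100% (11 of 11 probes), so the example marks the scan as unreliable and lists all three discovered ports as needing confirmation from the host side rather than from the scanner.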
Hmmm, but how can this be? Shouldn't I be able to manipulate my rules on the server the way I want them to? lol. I just don't know where this "magical" thing might come from... The thing is, I scanned this server from three different IPs on two different networks, and it all shows the same thing: tons of ports open - waaaay too many of them. So I am guessing it's nothing on my end (the nmap computers), and rather something either with mediahost, or with my own misconfiguration of the server. The problem is I don't even understand how these rules show up in nmap. telnet seems to connect to a few of them, but not all (and I don't even know if that means much anyway)...
Okay, this is the weirdest thing. I finally managed to get a guy on the line who actually helped and explained what was happening, or at least what he thinks is happening. He says mediatemple has a firewall that covers all the servers it has, including the hosted websites and their own individual firewalls. So if I understood him correctly, he's saying nmap gets through some firewall rules, but not through mine (if I set them up correctly).
He recommended checking listening ports, and my own iptables rules. He said if somebody had tried an attack through a port, they would know about it because of their firewall that blankets everybody else's.
It's just still a little puzzling to me why I am seeing hundreds and hundreds of these ports open. What's the purpose? Plus it feels uncomfortable when you work on your iptables rules and can't really check them thoroughly anyway to see if they work the way you want them to, and to make sure that you do have at least some level of security. But this way it looks like anything and everything is possible...
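When an upstream firewall makes external scans useless, the check the support engineer recommended (listening ports against your own iptables rules) can still be done entirely on the host. The following is an added example, not code from the thread: it cross-references `ss -ltn` output with `iptables-save` output and reports which listening ports are allowed by an INPUT ACCEPT rule, which listeners no rule covers (reachable or not depending on the chain policy), which ACCEPT rules point at nothing, and which listeners are bound to loopback only. Both inputs are constructed samples; in use you would pipe the real command output in. It only understands `-p tcp` rules with `--dport`/`--dports` and ignores source restrictions (`-s`), which is an assumption of this example.

```python
# Constructed sample of `ss -ltn` output (TCP listeners, numeric ports).
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""

# Constructed sample of `iptables-save` output for the filter table.
IPTABLES_SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "localhost"}


def parse_ss_listen(text):
    """Return {port: set(local_addresses)} from `ss -ltn` output; header is skipped."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # works for "0.0.0.0:22" and "[::]:22"
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def parse_input_accepts(text):
    """Return (INPUT policy, set of TCP destination ports accepted in INPUT)."""
    policy = None
    accepted = set()
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT "):
            policy = tok[1]
            continue
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != "INPUT":
            continue
        if "-j" not in tok or tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        if "-p" in tok and tok[tok.index("-p") + 1] != "tcp":
            continue  # only TCP listeners are compared here (assumption)
        for flag in ("--dport", "--dports"):
            if flag in tok:
                for spec in tok[tok.index(flag) + 1].split(","):
                    lo, _, hi = spec.partition(":")  # "1000:2000" is a port range
                    accepted.update(range(int(lo), int(hi or lo) + 1))
    return policy, accepted


def audit(ss_text, iptables_text):
    """Compare what is listening with what the INPUT chain explicitly accepts."""
    listeners = parse_ss_listen(ss_text)
    policy, accepted = parse_input_accepts(iptables_text)
    external = {p for p, addrs in listeners.items() if not addrs <= LOOPBACK_ADDRS}
    return {
        "policy": policy,
        "allowed_listening": external & accepted,
        # Not matched by any ACCEPT rule: blocked if policy is DROP, exposed if ACCEPT.
        "listening_not_covered": external - accepted,
        "accept_without_listener": accepted - external,
        "loopback_only": set(listeners) - external,
    }


if __name__ == "__main__":
    report = audit(SS_SAMPLE, IPTABLES_SAMPLE)
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the sample data, 22 and 80 are listening and allowed; 8080 listens on all interfaces but no rule covers it, so with the DROP policy it is unreachable from outside (with an ACCEPT policy it would be exposed); 443 is accepted but nothing listens there; and 3306 is bound to loopback only and is not part of the external picture at all.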