LinuxQuestions.org
Old 07-31-2004, 05:45 AM   #1
windz
Member
 
Registered: Jan 2004
Distribution: Gentoo, Ubuntu (Edgy Eft)
Posts: 59

Rep: Reputation: 15
Firewall fails port scan test


Hi,

I'm just starting to learn how to use iptables. I have written a very simple script just to enable internet access to my computer. However, when I scanned my computer using 'Shields UP!!' from www.grc.com, it said that most of my ports are closed (not stealthed) and also that my system replied to 'solicited TCP packets' and 'PING reply'. Can someone take a look at my iptables script and tell me what's wrong?

I'm using Fedora Core 2 which is connected to a hardware router. I only have one NIC (eth0) which is connected to the router.

Here's my iptables script:
--------------------------------------------------------------------------------------------

#Firewall configuration started 31 July 2004

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#1 Drop all incoming fragments
-A INPUT -i eth0 -f -j DROP

#2 Drop outside packets with localhost address - anti-spoofing measure
#   (negation goes before the option: '! -i lo', not '-i ! lo')
-A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP

#3 allow local loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#4 Prevent PING (drops every ICMP packet this host sends, including its own echo replies;
#   incoming echo requests are already dropped by the INPUT policy)
-A OUTPUT -p icmp -d 0/0 -j DROP

#5 Allow connections DNS server (router)
-A OUTPUT -d 192.168.2.1 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 53 --sport 1024:65535 -o eth0 -j ACCEPT
-A INPUT -s 192.168.2.1 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 1024:65535 --sport 53 -i eth0 -j ACCEPT

#6 Allow outgoing connections to web servers
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http --sport 1024:65535 -o eth0 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https --sport 1024:65535 -o eth0 -j ACCEPT

#7 allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#8 log all other attempted outgoing and incoming connections
-A OUTPUT -o eth0 -j LOG
-A INPUT -i eth0 -j LOG

COMMIT
---------------------------------------------------------------------------------------------------------------------
I hope someone can explain this to me. I'm still very much a beginner and still grappling with the basics of iptables.

Thanks
 
Old 07-31-2004, 09:28 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Please follow the Total Stealthing posts. I am sure your query will be addressed here.
 
Old 07-31-2004, 11:23 PM   #3
windz
Member
 
Registered: Jan 2004
Distribution: Gentoo, Ubuntu (Edgy Eft)
Posts: 59

Original Poster
Rep: Reputation: 15
Thanks ppuru for the reply.

I did read the posts from the link you provided, but the ports on my com are still not stealthed and the com is still replying to Ping. Anyway I think I found out what was wrong. I didn't enable my hardware router's firewall. After I enabled it, everything was stealthed according to the test.

But I don't quite understand why iptables cannot block PING/stealth the ports when the router's firewall is not enabled.

windz
 
Old 08-01-2004, 12:05 AM   #4
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
All you did was to hide your firewall behind another firewall. The closed ports and ICMP replies are actually not a security risk. Here is a short Port security for newbies tutorial which explains away a lot of the myths and hype about stealth ports.
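To make the "closed" versus "stealth" distinction concrete, here is an added example (not from the thread or from anyone in it) that walks constructed probe packets through a simplified model of the INPUT chain from the script in the first post: a DROP verdict means the host sends no reply (what Shields UP!! calls stealth), a REJECT means it answers with a RST or ICMP error (closed). The ruleset copy, the packet values and the scanner labels are assumptions made for the example, and only the options that script uses are understood.

```python
import ipaddress, shlex
# Constructed for this example: the INPUT rules of the script in the first post (fragment
# rule omitted; loopback negation written in the modern '! -i lo' form).
RULESET = """
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.2.1 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 1024:65535 --sport 53 -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j LOG
"""
def parse(text):
    """Return (default policy, rules); a rule is a list of (option, negated, value)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0].startswith(":"):      # ':INPUT DROP [0:0]' sets the chain policy
            policy = tok[1]
        elif tok:
            rule, neg = [], False
            while tok:                          # every option takes one value; '!' negates the next
                t = tok.pop(0)
                neg = neg or t == "!"
                if t != "!":
                    rule.append((t, neg, tok.pop(0))); neg = False
            rules.append(rule)
    return policy, rules

def matches(rule, pkt):
    tests = {"-i": lambda v: pkt["iface"] == v,
             "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
             "-p": lambda v: pkt["proto"] == v,
             "--dport": lambda v: int(v.split(":")[0]) <= pkt["dport"] <= int(v.split(":")[-1]),
             "--sport": lambda v: int(v.split(":")[0]) <= pkt["sport"] <= int(v.split(":")[-1]),
             "--state": lambda v: pkt["state"] in v.split(",")}
    # -A, -m and -j are not packet tests; a plain test must hit and a negated one must miss
    return all(tests[o](v) != neg for o, neg, v in rule if o in tests)

def verdict(pkt, text=RULESET):
    """Walk the chain like the kernel: the first terminating target wins, LOG just continues."""
    policy, rules = parse(text)
    for rule in rules:
        target = [v for o, _, v in rule if o == "-j"][0]
        if target in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return target
    return policy

# What the remote prober sees: DROP gives no reply ("stealth"), REJECT sends RST/ICMP ("closed").
SCANNER_VIEW = {"DROP": "stealth", "REJECT": "closed", "ACCEPT": "open, or closed if nothing listens"}
```

With this ruleset an unsolicited SYN or echo request arriving on eth0 ends at the DROP policy, so the Linux host itself would show as stealth; a "closed" result can only come from whatever device answered the probe in front of it.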
 
  

