LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-09-2003, 11:40 AM   #1
bfloeagle
Member
 
Firewall not blocking ports...


I'm using gShield to generate an IPTables firewall on my Linux box. Unfortunately, even though the specific ports are blocked, I can still access the daemons on my server remotely...

I.e.: I have an SSH server running. I am blocking port 22. A port scan shows port 22 is open and I can connect to the SSH server.

I thought it was because I ran the firewall before I activated the daemons, but then I ran the script (which flushed all the rules and made new ones) after they were all up and running and it made no difference...

Any pointers???

Andy
 
Old 05-09-2003, 01:54 PM   #2
Mara
Moderator
 
Are you sure the rules block the right interface(s)? If you've got 2 or more NICs, you need to be careful and choose the right ones.
 
Old 05-09-2003, 03:32 PM   #3
bfloeagle
Member
 
Yes, they are. I do have two NICs and I know the script works...

The difference is that I am running Debian now and not Red Hat... :\ This did not happen with RH...
 
Old 05-09-2003, 04:35 PM   #4
Crashed_Again
Senior Member
 
Question: If you are blocking access to ssh in the firewall then why do you have the service running? Are you using it on the LAN only?

Also, when you run:

iptables -L

what do you get? And finally, is the iptables service turned on?

P.S. Please do not take offense to these questions. Some people get mad when I ask questions like this.
 
Old 05-09-2003, 06:47 PM   #5
bfloeagle
Member
 
The ssh was just an example... And to prove that my firewall is not working.

I did a port scan and found a bunch of ports open by services that I never used (but I have never heard of them so I didn't know how to turn them off). I tried rebooting and then starting the firewall and when that didn't work, I just blocked the ssh port to see what would happen...

I took no offense. You are trying to help, why would I complain?

Code:
voyager:/# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
loopback   all  --  anywhere             anywhere           
ACCEPT     all  --  192.168.0.0/24       192.168.0.0/24     
RESERVED   all  --  10.0.0.0/8           anywhere           
RESERVED   all  --  172.16.0.0/12        anywhere           
RESERVED   all  --  192.168.0.0/16       anywhere           
RESERVED   all  --  ALL-SYSTEMS.MCAST.NET  anywhere           
RESERVED   all  --  ALL-ROUTERS.MCAST.NET  anywhere           
RESERVED   all  --  DVMRP.MCAST.NET      anywhere           
RESERVED   all  --  OSPF-ALL.MCAST.NET   anywhere           
RESERVED   all  --  OSPF-DSIG.MCAST.NET  anywhere           
RESERVED   all  --  RIP2-ROUTERS.MCAST.NET  anywhere           
RESERVED   all  --  PIM-ROUTERS.MCAST.NET  anywhere           
RESERVED   all  --  ALL-CBT-ROUTERS.MCAST.NET  anywhere           
MULTICAST  all  --  ALL-SYSTEMS.MCAST.NET  anywhere           
MULTICAST  all  --  ALL-ROUTERS.MCAST.NET  anywhere           
MULTICAST  all  --  DVMRP.MCAST.NET      anywhere           
MULTICAST  all  --  OSPF-ALL.MCAST.NET   anywhere           
MULTICAST  all  --  OSPF-DSIG.MCAST.NET  anywhere           
MULTICAST  all  --  RIP2-ROUTERS.MCAST.NET  anywhere           
MULTICAST  all  --  PIM-ROUTERS.MCAST.NET  anywhere           
MULTICAST  all  --  ALL-CBT-ROUTERS.MCAST.NET  anywhere           
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply 
DROPICMP   icmp --  anywhere             anywhere           
DHCP       udp  --  208.246.218.2        anywhere           udp spt:bootps dpt:bootpc 
ACCEPT     udp  --  132.163.135.130      anywhere           udp spt:ntp dpts:1024:65535 
ACCEPT     udp  --  otc2.psu.edu         anywhere           udp spt:ntp dpts:1024:65535 
ACCEPT     udp  --  time-nw.nist.gov     anywhere           udp spt:ntp dpts:1024:65535 
DNS        udp  --  rochny-dns-cac-01-dmfe0.nyroc.rr.com  anywhere           udp spt:domain 
DNS        udp  --  rochny-dns-cac-02-dmfe1.nyroc.rr.com  anywhere           udp spt:domain 
DNS        udp  --  rochny-dns-cac-03-dmfe0.nyroc.rr.com  anywhere           udp spt:domain 
DNS        udp  --  dns-cac-01-eri3.nyroc.rr.com  anywhere           udp spt:domain 
PUBLIC     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:ssh 
PUBLIC     udp  --  anywhere             xx.rochester.rr.com  udp dpt:ssh 
PUBLIC     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:auth 
PUBLIC     udp  --  anywhere             xx.rochester.rr.com  udp dpt:113 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:daytime 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:daytime 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:14 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:14 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:bootps 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:bootps 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:bootpc 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:bootpc 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:domain 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:domain 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:ntp 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:ntp 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpts:netbios-ns:netbios-ssn 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpts:netbios-ns:netbios-ssn 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:printer 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:515 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpt:swat 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpt:901 
CLOSED     tcp  --  anywhere             xx.rochester.rr.com  tcp dpts:x11:6009 
CLOSED     udp  --  anywhere             xx.rochester.rr.com  udp dpts:x11:6009 
HIGHPORT   tcp  --  anywhere             anywhere           tcp dpts:1024:65535 
HIGHPORT   udp  --  anywhere             anywhere           udp dpts:1024:65535 
OPENPORT   tcp  --  anywhere             anywhere           tcp dpt:ssh 
OPENPORT   udp  --  anywhere             anywhere           udp dpt:ssh 
STATEFUL   all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:swat 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:901 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpts:x11:6009 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpts:x11:6009 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-ns 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-ns 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-dgm 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-dgm 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-ssn 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-ssn 
STATEFUL   all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
loopback   all  --  anywhere             anywhere           
DROP       icmp --  anywhere             anywhere           state INVALID 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:swat 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:901 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpts:x11:6009 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpts:x11:6009 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-ns 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-ns 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-dgm 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-dgm 
BLOCK_OUT  tcp  --  anywhere             anywhere           tcp dpt:netbios-ssn 
BLOCK_OUT  udp  --  anywhere             anywhere           udp dpt:netbios-ssn 

Chain ACCEPTnLOG (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (accept) ' 
ACCEPT     all  --  anywhere             anywhere           

Chain BLACKLIST (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (blacklisted drop) ' 
DROP       all  --  anywhere             anywhere           

Chain BLOCK_OUT (20 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain CLIENT (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain CLOSED (20 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (closed port drop) ' 
DROP       tcp  --  anywhere             anywhere           
DROP       udp  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain DHCP (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (DHCP accept) ' 
ACCEPT     all  --  anywhere             anywhere           

Chain DMZ (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (DMZ drop) ' 
DROP       all  --  anywhere             anywhere           

Chain DNS (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain DROPICMP (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain DROPnLOG (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere           udp dpts:netbios-ns:netbios-ssn 
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:www dpts:1024:65535 flags:!SYN,RST,ACK/SYN 
DROP       udp  --  anywhere             255.255.255.255    udp spt:bootps dpt:bootpc 
DROP       udp  --  anywhere             255.255.255.255    udp spt:bootpc dpt:bootps 
DROP       tcp  --  anywhere             anywhere           
DROP       udp  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain HIGHPORT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain MON_OUT (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain MULTICAST (8 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain OPENPORT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain PUBLIC (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain RESERVED (11 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere           
DROP       udp  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain SCAN (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (possible port scan) ' 
DROP       all  --  anywhere             anywhere           

Chain SERVICEDROP (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (service drop) ' 
DROP       tcp  --  anywhere             anywhere           
DROP       udp  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain STATEFUL (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere           state NEW 
DROPnLOG   all  --  anywhere             anywhere           

Chain loopback (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
xx is my host, fyi...

As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???

Andy
 
Old 05-09-2003, 07:23 PM   #6
Crashed_Again
Senior Member
 
Quote:
Originally posted by bfloeagle
As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???
Well, I think you have the rules loaded here but the service itself is not running. I see you're doing this on Debian so I'm not sure about this, but I think you should try:

/etc/init.d/iptables restart

If it says something like:

Stopping iptables: [FAILED]

then iptables was never turned on.
 
Old 05-10-2003, 09:16 AM   #7
Hangdog42
LQ Veteran
 
I don't think anything in that firewall is actually blocking ssh. The only references I see to ssh send the packets to either the PUBLIC or OPENPORT tables, both of which just accept everything. I'm not familiar with gShield, but it looks to me like it isn't doing the trick.

If iptables appears to be running, you could try inserting a rule that would specifically block port 22:

iptables -I INPUT 1 -p tcp --dport 22 -j DROP

That inserts a rule at the first position of the INPUT table (so it can't be missed) and should block all access to port 22. If that rule blocks ssh, then you need to revisit what gShield is doing.
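To see exactly why the posted rules let SSH through, here is a small packet tracer. It is an added example written for this page, not code from the thread, from gShield or from netfilter. It parses a condensed, constructed copy of the `iptables -L` output above, walks a packet through INPUT and the user-defined chains it jumps to, and records each jump; it also models the `iptables -I INPUT 1` test from the reply above. The condensed listing, the service-name table and the packet addresses are constructed, and only the match types that appear in that sample (protocol, address, `dpt`/`dpts`, conntrack `state`) are modelled; anything else makes the parser raise rather than mis-trace.

```python
import re

# Constructed: a condensed copy of the INPUT chain posted above plus the user chains it
# jumps to (host names replaced by "anywhere"; loopback/ICMP/DHCP/DNS/RESERVED rules omitted).
LISTING = """\
Chain INPUT (policy DROP)
CLOSED     tcp  --  anywhere             anywhere           tcp dpt:daytime
HIGHPORT   tcp  --  anywhere             anywhere           tcp dpts:1024:65535
OPENPORT   tcp  --  anywhere             anywhere           tcp dpt:ssh
STATEFUL   all  --  anywhere             anywhere
Chain CLOSED (1 references)
LOG        all  --  anywhere             anywhere           LOG level warning prefix `gShield (closed port drop) '
DROP       all  --  anywhere             anywhere
Chain HIGHPORT (1 references)
ACCEPT     all  --  anywhere             anywhere
Chain OPENPORT (1 references)
ACCEPT     all  --  anywhere             anywhere
Chain STATEFUL (1 references)
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
DROP       all  --  anywhere             anywhere
"""
# Constructed service table: `iptables -L` prints /etc/services names unless run with -n.
SERVICES = {"ssh": 22, "daytime": 13, "domain": 53, "www": 80}
# Only these match expressions are modelled; anything else raises instead of mis-tracing.
KNOWN_EXTRA = re.compile(r"^(?:(?:tcp|udp) (?:dpt|dpts):\S+|state \S+|LOG .*)?$")


def port_number(name):
    return int(name) if name.isdigit() else SERVICES[name]


def parse_listing(text):
    """Return {chain: {"policy": str | None, "rules": [...]}} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif line.strip() and not line.startswith("target") and current:
            target, prot, _opt, src, dst, *rest = line.split(None, 5)
            extra = rest[0].strip() if rest else ""
            if not KNOWN_EXTRA.match(extra):
                raise ValueError(f"unmodelled match expression: {extra!r}")
            chains[current]["rules"].append(
                {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return chains


def rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    for spec, addr in ((rule["src"], pkt["src"]), (rule["dst"], pkt["dst"])):
        if spec not in ("anywhere", addr):   # literal compare only; no CIDR in this toy
            return False
    dpt = re.search(r"\bdpt:(\S+)", rule["extra"])
    dpts = re.search(r"\bdpts:(\S+):(\S+)", rule["extra"])
    state = re.search(r"\bstate (\S+)", rule["extra"])
    if dpt and port_number(dpt.group(1)) != pkt["dport"]:
        return False
    if dpts and not (port_number(dpts.group(1)) <= pkt["dport"] <= port_number(dpts.group(2))):
        return False
    return not state or pkt["state"] in state.group(1).split(",")


def walk(chains, chain, pkt, trace):
    """Verdict of one chain for pkt, or None if the packet falls off its end."""
    for i, rule in enumerate(chains[chain]["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain}[{i}] -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target != "LOG":   # LOG is non-terminating; anything else is a user chain
            verdict = walk(chains, target, pkt, trace)
            if verdict is not None:
                return verdict
    return None


def trace_packet(chains, pkt, chain="INPUT"):
    """(verdict, trace) for pkt entering a built-in chain; its policy applies on fall-through."""
    trace = []
    verdict = walk(chains, chain, pkt, trace)
    if verdict is None:
        verdict = chains[chain]["policy"]
        trace.append(f"{chain} policy -> {verdict}")
    return verdict, trace


def packet(dport, state="NEW", proto="tcp"):   # constructed packet from a remote host
    return {"proto": proto, "dport": dport, "state": state, "src": "203.0.113.5", "dst": "198.51.100.7"}


def insert_rule(chains, chain, position, rule):   # models `iptables -I <chain> <position> ...`
    chains[chain]["rules"].insert(position - 1, rule)


def demo():
    chains = parse_listing(LISTING)
    ssh_before = trace_packet(chains, packet(22))  # ACCEPT: OPENPORT accepts everything
    unlisted = trace_packet(chains, packet(80))    # ACCEPT: STATEFUL accepts `state NEW`
    insert_rule(chains, "INPUT", 1, {"target": "DROP", "prot": "tcp", "src": "anywhere",
                                     "dst": "anywhere", "extra": "tcp dpt:ssh"})
    ssh_after = trace_packet(chains, packet(22))   # DROP: rule 1 cannot be shadowed
    return ssh_before, unlisted, ssh_after
```

`demo()` traces a new TCP connection to port 22 through `INPUT[3] -> OPENPORT -> ACCEPT`, a new connection to port 80 (a port no rule mentions) through `INPUT[4] -> STATEFUL -> ACCEPT` via the `state NEW` rule, and, once a DROP sits at position 1, the SSH packet straight to `INPUT[1] -> DROP`; the same walk shows HIGHPORT accepting any destination port from 1024 upward. One caveat the tracer cannot fix: plain `iptables -L` omits interface matches, so the `loopback all -- anywhere anywhere` rule in the listing above looks as if it accepts everything from everywhere. Run `iptables -L -v -n` (or `iptables-save`) to see the `-i lo` match and numeric addresses before trusting a trace of a real ruleset.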
 
Old 05-10-2003, 02:47 PM   #8
markus1982
Senior Member
 
Quote:
voyager:/# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
...
OPENPORT tcp -- anywhere anywhere tcp dpt:ssh
OPENPORT udp -- anywhere anywhere udp dpt:ssh
STATEFUL all -- anywhere anywhere
Well, you jump here to the OPENPORT chain, and in the OPENPORT chain you allow EVERYTHING. So this is the first problem.
Quote:
Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere
You want to accept EVERYTHING? Well, your last INPUT chain rule jumps to the STATEFUL chain, and here you accept everything (NEW). You do NOT need that. All you need is ESTABLISHED here; anything else is not required. Kick off RELATED and NEW.

I did not fully check your firewall since this is very time-consuming. I just noticed these 2 things. I'm running a pretty nailed-down firewall. My firewall script:
Code:
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch         |
# |                                                                  |
# |                                                                  |
# | This firewall is not intended to be used by newbies. I give no   |
# | warranty of any kind that using it protects your box.            |
# | Personally I suggest using a OpenBSD box as firewall :-)         |
# |                                                                  |
# | If you agree to all of the above and also dislike M$ you may     |
# | continue reading. Have fun ;-)                                   |
# \------------------------------------------------------------------/



# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
IPTABLES="/sbin/iptables"
LOG_LEVEL="notice"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------

	# 4.1 - LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N LOG_DROP
	$IPTABLES -F LOG_DROP

	$IPTABLES -A LOG_DROP -m limit --limit 5/minute \
		-j LOG --log-level $LOG_LEVEL
	$IPTABLES -A LOG_DROP -j DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.2 - CHECK_ICMP_ACCESS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_ICMP_ACCESS
	$IPTABLES -F CHECK_ICMP_ACCESS

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type destination-unreachable -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type echo-reply -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type time-exceeded -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -j DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.3 - CHECK_PROBES
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_PROBES
	$IPTABLES -F CHECK_PROBES

	# os fingerprinting
	$IPTABLES -A CHECK_PROBES -p tcp -s 0.0.0.0 --dport 0 \
		-j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp -s 0.0.0.0 --dport 0 \
		-j LOG_DROP

	# tcpmux scanning
	$IPTABLES -A CHECK_PROBES -p tcp --dport 1 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 1 -j LOG_DROP

	# sscan
	$IPTABLES -A CHECK_PROBES -p tcp -m multiport \
		--sports 1,2,3,4,5 -j LOG_DROP

	# sysstat scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 11 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 11 -j LOG_DROP

	# finger scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 79 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 79 -j LOG_DROP

	# linuxconf scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 98 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 98 -j LOG_DROP

	# mountd scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 635 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 635 -j LOG_DROP

	# proxy scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 1080 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 1080 -j LOG_DROP

	# proxy scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 3128 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 3128 -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.4 - CHECK_TCP_FLAGS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_TCP_FLAGS
	$IPTABLES -F CHECK_TCP_FLAGS

	# stealth FIN scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL FIN \
		-j LOG_DROP

	# stealth NULL scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL NONE \
		-j LOG_DROP

	# stealth SYN/FIN (probably)
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP

	# stealth SYN/RST scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags SYN,RST SYN,RST -j LOG_DROP

	# stealth xmas-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL FIN,URG,PSH -j LOG_DROP

	# stealth xmas-all-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL ALL -j LOG_DROP

	# stealth xmas-PSH-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.5 - EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N EXTERNAL_SERVICES_INPUT
	$IPTABLES -F EXTERNAL_SERVICES_INPUT

	# SSH
	$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
		--dport 22 -j ACCEPT
	$IPTABLES -A EXTERNAL_SERVICES_INPUT -p udp \
		--dport 22 -j ACCEPT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------

	# 5.1 - INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
	$IPTABLES -A INPUT -m state --state INVALID -j DROP
	$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
	$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
	$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
	$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.2 - FORWARD
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.3 - OUTPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
Note: I've SSH open though (I use public key authentication with 2048 bit ... that's secure IMHO). I have 1 ethernet interface only, but it shouldn't be that much of a problem converting it to 2 interfaces. I will need to do that also soon BTW ...
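To see why a scan of this box still reports port 22 open, it helps to trace a packet through the INPUT path of the script above rule by rule. The following is an added example, not code from the thread or from gShield: a small Python evaluator for just the iptables-save syntax the posted script uses (`-i`, `-p`, `--dport`, `-m state --state`, `--tcp-flags`, `-j`). RULESET is a constructed iptables-save rendering of the posted INPUT path, with `$LOOPBACK_IF` assumed to be `lo`; `trace()` returns the verdict together with the chain and rule numbers that produced it, so a SYN to tcp/22 shows up as ACCEPT from EXTERNAL_SERVICES_INPUT#1 (the DROP policy is never consulted), a SYN to tcp/80 falls through to the INPUT policy, and a FIN-only probe ends in LOG_DROP.

```python
# Added example (not from the thread): a toy evaluator for the iptables-save subset used by the
# posted script. RULESET is a constructed rendering of its INPUT path, assuming $LOOPBACK_IF=lo.
import shlex

RULESET = """\
:INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j CHECK_TCP_FLAGS
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j EXTERNAL_SERVICES_INPUT
-A LOG_DROP -j LOG
-A LOG_DROP -j DROP
-A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL FIN -j LOG_DROP
-A CHECK_TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
-A EXTERNAL_SERVICES_INPUT -p tcp --dport 22 -j ACCEPT
"""
ALL_FLAGS, TERMINAL = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}, {"ACCEPT", "DROP", "REJECT"}
def flagset(spec):  # "ALL", "NONE" or a list such as "SYN,FIN"
    return set(ALL_FLAGS) if spec == "ALL" else set() if spec == "NONE" else set(spec.split(","))
def parse(text):  # -> ({built-in chain: policy}, {chain: [rule tokens after "-A chain"]})
    policy, chains = {}, {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0].startswith(":") and tok[1] != "-": policy[tok[0][1:]] = tok[1]
        elif tok[0] == "-A": chains.setdefault(tok[1], []).append(tok[2:])
    return policy, chains

def matches(rule, pkt):
    i = 0
    while rule[i] != "-j":
        opt, arg = rule[i], rule[i + 1]
        if opt == "-i" and pkt["iface"] != arg: return False
        if opt == "-p" and pkt["proto"] != arg: return False
        if opt == "--dport" and pkt.get("dport") != int(arg): return False
        if opt == "--state" and pkt["state"] not in arg.split(","): return False
        if opt == "--tcp-flags":  # arg is the mask; the next token lists the flags that must be set
            if pkt["flags"] & flagset(arg) != flagset(rule[i + 2]): return False
            i += 1
        i += 2  # "-m state" is skipped here: the extension name itself tests nothing
    return True

def trace(policy, chains, pkt, chain="INPUT", path=()):  # -> (verdict, rules visited)
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt): continue
        target, here = rule[rule.index("-j") + 1], path + (f"{chain}#{n}",)
        if target in TERMINAL: return target, here
        if target in chains:  # jump; if the user chain returns, keep walking this one
            verdict, p = trace(policy, chains, pkt, target, here)
            if verdict != "RETURN": return verdict, p
    if chain in policy: return policy[chain], path + (f"{chain}:policy",)  # built-in chain
    return "RETURN", path  # fell off the end of a user chain
```

Packets are plain dicts (`iface`, `proto`, `dport`, `state`, `flags`), so the same tracer answers the thread's question for any port: if the verdict for tcp/22 is ACCEPT from a named rule, the firewall is doing exactly what the script asked, and if the rules were never loaded at all (the point of the next reply) there is simply no ruleset to trace.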
 
Old 05-10-2003, 02:52 PM   #9
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
Well, I think you have the rules loaded here but the service itself is not running. I see you're doing this on Debian...
Well, first of all, do not load any iptables rules and save this as inactive using
Code:
/etc/init.d/iptables save inactive
Afterwards, load your firewall script (after you checked it again carefully) and
Code:
/etc/init.d/iptables save active
After you did that, configure iptables to load on bootup (dpkg --reconfigure iptables).
 
Old 05-20-2003, 02:53 PM   #10
bfloeagle
Member
 
Registered: Jun 2000
Location: Upstate New York
Distribution: Ubuntu
Posts: 158

Original Poster
Rep: Reputation: 30
I really can't explain why, but after screwing around with my system (and actually reinstalling it), I don't get this kind of behavior anymore...

So thanks to all you guys for trying to help me.

Even after 3 years...

Now I have another problem: Here
 
  

