How to check if iptables is working
I have this policy on my iptables
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere             tcp dpts:0:1023
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

So basically to me this says: do not allow any ICMP packets in, do not allow any UDP or TCP packets on ports 0-1023, accept all traffic from the loopback device, and accept all related/established traffic. Also, drop any ICMP output. Why then do I still get nearly every single port open in my first 1056 on ShieldsUp!? (www.grc.com) I've spent hours and hours trying to write a simple friggen firewall; I want to know if it works or not... leaving half of my first 1056 ports open is not working for me... Shouldn't my policy, in theory, stealth or close ports 0-1023?
Nope,
ACCEPT     all  --  anywhere             anywhere

Post the actual firewall script.
http://www.linuxquestions.org/questi...ewall+iptables
Oh... so what do I do about that line? I had it in there because that's what it told me to do... to put an ACCEPT policy on all traffic going to the loopback device. What should I do instead? Do I not need that line?
I don't really use a script per se, I just go in and add these lines manually into the terminal, and then save them... it goes to /etc/sysconfig/iptables which is this:

# Generated by iptables-save v1.2.9 on Mon Sep 20 16:41:59 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:46]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Sep 20 16:41:59 2004

I changed it to match the given one from the other thread. It didn't help at all... ALL PORTS FROM 0 - 1056 ARE OPEN EXCEPT FOR 21, 23, 179, and 443... Am I retarded or something?
Post the output of: iptables -vnL
Also, how are you entering the rules? Btw, please don't start any more threads on this topic. Keeping them all in one thread will make things much easier. Having numerous threads all discussing the same thing is redundant and going to get confusing.
The output of iptables -vnL is
Chain INPUT (policy DROP 9 packets, 468 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 2337 2482K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1595 packets, 108K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0

I am entering rules like this (for example the first one):

cd /sbin
./iptables -A INPUT -p tcp -m tcp --syn -j DROP

Then it gets added onto my policy, and I go to

cd /etc/rc.d/init.d
./iptables status    (to see if what I want happened)
./iptables save      (if it did)

Sorry for all the new threads I've made... When I know this for myself I will make sure to explain it to everyone I know.
That set of rules will close all ports (I actually just tried them on my test LAN and all ports come back as filtered, not open). In fact, those rules are actually too restrictive and will cause X to freeze because you're not allowing any loopback traffic. So the problem isn't with the rules...
First try using a different security scanner just to make sure this isn't something on their end or some kind of network funkiness with your ISP. Ideally, if you have a second system, you can nmap it directly, but that might not be an option for you. Off the top of my head, I think Sygate and firewalls.com offer free online security scans as well. Make sure that the IP address being scanned is actually yours. In one of your other threads, you said you were using Guarddog. If you're not going to use it, then remove it entirely just to be sure it isn't causing any problems. Probably a good idea to do a reboot as well. Make sure the iptables service is running and that the iptables modules are loaded (lsmod). Normally you'd get errors with either of those 2 problems, but it's worth checking.
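As an added example (not code from anyone in this thread), here is a small Python audit of `iptables -vnL` output in the layout posted above. It flags the two INPUT-chain problems raised in this thread: a catch-all `ACCEPT all` with no interface or match restriction, which lets everything past the DROP policy, and the absence of an explicit loopback (`-i lo`) ACCEPT, which is what breaks local X traffic. The sample output is constructed, not a real capture.

```python
"""Audit `iptables -vnL` output for the INPUT-chain problems raised in this thread: a
catch-all ACCEPT with no interface/match restriction, and no ACCEPT rule for loopback.
SAMPLE below is constructed in the thread's `-vnL` layout, not a real capture."""
import re

SAMPLE = """\
Chain INPUT (policy DROP 9 packets, 468 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   12   900 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2337 2482K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1595 packets, 108K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_vnl(text):
    """Return {chain: {"policy": str, "rules": [rule dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split(None, 9)  # 9 fixed columns; the remainder is match text
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column header
        rule = dict(zip(COLS, cols), match=cols[9] if len(cols) > 9 else "")
        chains[current]["rules"].append(rule)
    return chains

def audit_input(chains):
    """Return findings for the INPUT chain (an empty list means it looks sane)."""
    inp = chains.get("INPUT", {"policy": "ACCEPT", "rules": []})
    findings = []
    if inp["policy"] != "DROP":
        findings.append(f"INPUT policy is {inp['policy']}, not DROP")
    for n, r in enumerate(inp["rules"], 1):  # bare "ACCEPT all -- anywhere anywhere" is a catch-all
        if (r["target"] == "ACCEPT" and r["prot"] == "all" and r["in"] == "*"
                and r["src"] == "0.0.0.0/0" and not r["match"]):
            findings.append(f"rule {n}: ACCEPT all with no interface/match restriction")
    if not any(r["target"] == "ACCEPT" and r["in"] == "lo" for r in inp["rules"]):
        findings.append("no ACCEPT rule for loopback (-i lo)")
    return findings
```

Run it on the saved output of `iptables -vnL` (root required to produce that output); an empty findings list means the chain has a DROP policy, no catch-all, and an explicit loopback rule.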
Btw, what does the GRC report actually say? Are the ports reported as "open", "filtered" or "closed"? Having almost everything "open" from ports 0-1056 is virtually impossible. You'd need to have a server/daemon listening for connections on every single one of those ports. I'm pretty sure that FC2 doesn't even come with that many daemons on the installation disks, so I'm fairly sure this is an artifact of some sort.
firewalls.com lists all ports as being closed
HOWEVER... Sygate reports that they are all open, BUT they use different IP addresses... how do I determine which IP address is correct? By the way, UDP does not get through this firewall, only TCP, if that makes any difference...
I've made a discovery.....I think that the scan is scanning the IP address of my modem, and not my computer......ifconfig gives me an IP starting with 192.168 while the scans are all scanning a number that starts with 66 or 67 - comments?
I have a DW6000 Satellite modem (all the configuration software and everything is right on the modem) that connects to a wireless router, and eth1 is my wireless card that I use to go online.
Normally the 192.168 address is the internal (LAN) address that the wireless router will assign to your Linux box. The 66. address is the external IP that is being assigned to the external interface of the router by your ISP. When one of these scans is performed, it will be scanning the router.
Depending on the type of router you're using, some have built-in packet filter capability and will block these scans. Make sure that any firewall or similar option (like "block WAN requests" on a Linksys) is selected. If your router is misconfigured or is simply forwarding traffic into the LAN, that might be causing problems, though it still shouldn't be reporting ports as "open".