LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-20-2004, 10:00 AM   #1
borrrden
Member
 
Registered: May 2004
Location: Philadelphia
Distribution: Fedora Core 3
Posts: 98

Rep: Reputation: 15
How to check if iptables is working


I have this policy on my iptables

Chain INPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere

So basically to me this says, do not allow any icmp packets in, do not allow any udp or tcp packets on ports 0 - 1023, accept all traffic from the loopback device, and accept all related/established traffic. Also, drop any icmp output.

Why then, do I still get nearly every single port open in my first 1056 on ShieldsUp!??!? (www.grc.com)

I've spent hours and hours trying to write a simple friggen firewall, I want to know if it works or not....leaving half of my first 1056 ports open is not working for me....

Shouldn't my policy, in theory, stealth or close ports 0 - 1023?

Last edited by borrrden; 09-20-2004 at 10:03 AM.
 
Old 09-20-2004, 10:48 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,592

Rep: Reputation: 5880
Nope,
ACCEPT all -- anywhere anywhere
Post the actual firewall script.

http://www.linuxquestions.org/questi...ewall+iptables
 
Old 09-20-2004, 03:26 PM   #3
borrrden
Member
 
Registered: May 2004
Location: Philadelphia
Distribution: Fedora Core 3
Posts: 98

Original Poster
Rep: Reputation: 15
Oh....so what do I do about that line? I had it in there because that's what it told me to do....to put an ACCEPT policy on all traffic going to the loopback device - what should I do instead? Do I not need that line?

I don't really use a script per se, I just go in and add these lines manually into the terminal, and then save them...it goes to /etc/sysconfig/iptables which is this:

# Generated by iptables-save v1.2.9 on Mon Sep 20 16:41:59 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:46]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Sep 20 16:41:59 2004

I changed it to match the given one from the other thread

It didn't help at all.....ALL PORTS FROM 0 - 1056 ARE OPEN EXCEPT FOR 21, 23, 179, and 443.....Am I retarded or something?

Last edited by borrrden; 09-20-2004 at 03:55 PM.
 
Old 09-20-2004, 04:15 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Post the output of: iptables -vnL
Also how are you entering the rules?

Btw, please don't start any more threads on this topic. Keeping them all in one thread will make things much easier. Having numerous threads all discussing the same thing is redundant and going to get confusing.
 
Old 09-20-2004, 04:32 PM   #5
borrrden
Member
 
Registered: May 2004
Location: Philadelphia
Distribution: Fedora Core 3
Posts: 98

Original Poster
Rep: Reputation: 15
The output of iptables -vnL is

Chain INPUT (policy DROP 9 packets, 468 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
2337 2482K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1595 packets, 108K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0

I am entering rules like this (for example the first one)

cd /sbin
./iptables -A INPUT -p tcp -m tcp --syn -j DROP

Then it gets added onto my policy, and I go to
cd /etc/rc.d/init.d
./iptables status (to see if what I want happened)
./iptables save (if it did)

Sorry for all the new threads I've made....When I know this for myself I will make sure to explain it to everyone I know.
 
Old 09-20-2004, 05:32 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
That set of rules will close all ports (I actually just tried them on my test LAN and all ports come back as filtered, not open). In fact, those rules are actually too restrictive and will cause X to freeze because you're not allowing any loopback traffic. So the problem isn't with the rules...

First try using a different security scanner just to make sure this isn't something on their end or some kind of network funkiness with your ISP. Ideally if you have a second system, you can nmap it directly, but that might not be an option for you. Off the top of my head, I think sygate and firewalls.com offer free online security scans as well. Make sure that the IP address being scanned is actually yours.

In one of your other threads, you said you were using guarddog. If you're not going to use it, then remove it entirely just to be sure it isn't causing any problems. Probably a good idea to do a reboot as well. Make sure the iptables service is running and that the iptables modules are loaded (lsmod). Normally you'd get errors with either of those 2 problems, but it's worth checking.
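The two rule problems raised in this thread (michaelk's point that an unrestricted "ACCEPT all -- anywhere anywhere" line accepts everything in a DROP-policy chain, and Capt_Caveman's point that a DROP policy with no loopback allowance cuts off local services) can both be caught by reading the saved ruleset before loading it. The following Python script is an added example, not the poster's script or anything from the thread; it parses iptables-save text such as /etc/sysconfig/iptables and reports those problems plus any rule that is unreachable because an unrestricted terminating rule precedes it. The two rulesets inside are constructed: BROKEN mirrors the poster's first listing, FIXED restricts the loopback ACCEPT to the lo interface.

```python
"""Lint an iptables-save dump for the mistakes discussed in this thread.

Added example, not the poster's own script.  It flags:
  * an ACCEPT rule with no match options in a chain whose policy is DROP,
  * rules that can never match because an unrestricted terminating rule
    precedes them in the same chain, and
  * an INPUT chain with policy DROP and no "-i lo -j ACCEPT" rule.
"""
import shlex
import sys

# Constructed: the poster's first ruleset, rewritten in iptables-save form.
BROKEN = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j DROP
-A INPUT -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j DROP
COMMIT
"""

# Constructed: the same intent, with loopback limited to the lo interface.
FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT
"""

# Any of these options narrows a rule; a rule with none of them matches everything.
NARROWING = {"-i", "-o", "-s", "-d", "-p", "-m", "--dport", "--sport",
             "--state", "--tcp-flags", "--syn"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_save(text):
    """Return ({chain: policy}, [(chain, argv), ...]) from iptables-save text."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                  # "-A INPUT ... -j TARGET"
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules


def lint(text):
    """Return a list of findings; an empty list means the checks passed."""
    policies, rules = parse_save(text)
    findings = []
    dead = set()          # chains where an unrestricted terminating rule was seen
    lo_allowed = False
    for chain, argv in rules:
        rule_text = " ".join(argv)
        target = argv[argv.index("-j") + 1] if "-j" in argv else None
        narrowed = any(opt in NARROWING for opt in argv)
        if chain in dead:
            findings.append(f"{chain}: rule '{rule_text}' is unreachable")
            continue
        if target == "ACCEPT" and not narrowed and policies.get(chain) == "DROP":
            findings.append(f"{chain}: unrestricted ACCEPT defeats the DROP policy")
        if target in TERMINATING and not narrowed:
            dead.add(chain)
        if (chain == "INPUT" and target == "ACCEPT" and "-i" in argv
                and argv[argv.index("-i") + 1] == "lo"):
            lo_allowed = True
    if policies.get("INPUT") == "DROP" and not lo_allowed:
        findings.append("INPUT: policy DROP with no '-i lo -j ACCEPT' rule; "
                        "local services (including X) will be cut off")
    return findings


if __name__ == "__main__":
    # Pipe in `iptables-save` output, or run with no input to lint the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    problems = lint(source)
    print("\n".join(problems) if problems else "no findings")
```

Run it as `iptables-save | python3 lint_rules.py` on the live ruleset, or with no input to see the three findings for the constructed BROKEN set. The unreachable-rule check is the one that explains the poster's symptom: once an unrestricted ACCEPT sits in INPUT, the RELATED,ESTABLISHED rule after it never matches and the DROP policy never applies to anything.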
 
Old 09-20-2004, 05:41 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Btw, what does the GRC report actually say? Are the ports reported as "open", "filtered" or "closed"? Having almost everything "open" from ports 0-1056 is virtually impossible. You'd need to have a server/daemon listening for connections on every single one of those ports. I'm pretty sure that FC2 doesn't even come with that many daemons on the installation disks, so I'm fairly sure this is an artifact of some sort.
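A scanner can only report a TCP port "open" if something on the scanned host is listening on it, so the quickest local sanity check is to count the LISTEN sockets and compare that list with the scan. The script below is an added example (not from the thread) that reads the /proc/net/tcp format the kernel exposes and prints the listeners reachable from outside the box; the sample lines are constructed, and the address decoding assumes a little-endian host, which is what /proc/net/tcp shows on x86.

```python
"""List TCP sockets in LISTEN state from /proc/net/tcp format.

Added example for this thread, not the poster's code.  Run it on the
machine being scanned; anything not in its output cannot be 'open'.
"""
import socket
import struct

# Constructed sample: sshd on 0.0.0.0:22, CUPS on 127.0.0.1:631, and one
# ESTABLISHED connection (state 01) that must not be counted as a listener.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:8F3A 0A0A0A0A:0050 01 00000000:00000000 00:00000000 00000000   500        0 10003 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"   # socket state code for TCP_LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """'0100007F:0277' -> ('127.0.0.1', 631).

    /proc/net/tcp prints the IPv4 address as a 32-bit value in host byte
    order; on a little-endian host the bytes are reversed (assumption noted
    in the lead-in).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_text):
    """Return sorted (ip, port) pairs for every socket in LISTEN state."""
    result = []
    for line in proc_text.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            result.append(decode_addr(fields[1]))
    return sorted(result)


def externally_reachable(listen_list):
    """Drop loopback-bound listeners; only the rest could show 'open' from outside."""
    return [(ip, port) for ip, port in listen_list if not ip.startswith("127.")]


def listeners_from_proc(path="/proc/net/tcp"):
    """Read the live table on a Linux host."""
    with open(path) as fh:
        return listeners(fh.read())


if __name__ == "__main__":
    for ip, port in externally_reachable(listeners_from_proc()):
        print(f"{ip}:{port}")
```

If this prints a handful of entries while an online scanner reports a thousand "open" ports, the scanner is not looking at this host, which is the conclusion the thread reaches a few posts later.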
 
Old 09-20-2004, 07:35 PM   #8
borrrden
Member
 
Registered: May 2004
Location: Philadelphia
Distribution: Fedora Core 3
Posts: 98

Original Poster
Rep: Reputation: 15
firewalls.com lists all ports as being closed

HOWEVER....sygate reports that they are all open

BUT they use different IP addresses....how do I determine which IP address is correct?

By the way, UDP does not get through this firewall, only TCP if that makes any difference.....

Last edited by borrrden; 09-20-2004 at 07:47 PM.
 
Old 09-20-2004, 08:32 PM   #10
borrrden
Member
 
Registered: May 2004
Location: Philadelphia
Distribution: Fedora Core 3
Posts: 98

Original Poster
Rep: Reputation: 15
I've made a discovery.....I think that the scan is scanning the IP address of my modem, and not my computer......ifconfig gives me an IP starting with 192.168 while the scans are all scanning a number that starts with 66 or 67 - comments?

I have a DW6000 Satellite modem (all the configuration software and everything is right on the modem) that connects to a wireless router and eth1 is my wireless card that I use to go online.
 
Old 09-20-2004, 08:55 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Normally the 192.168 address is the internal (LAN) address that the wireless router will assign to your Linux box. The 66. address is the external IP that is being assigned as the external interface of the router by your ISP. When one of these scans is performed, it will be scanning the router.

Depending on the type of router you're using, some have built in packet filter capability and will block these scans. Make sure that any firewall or similar option (like "block WAN requests" on a Linksys) is selected. If your router is misconfigured or is simply forwarding traffic into the LAN that might be causing problems, though it still shouldn't be reporting ports as "open".
 
  

