Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Starting nmap 3.50 at 2004-10-03 02:20 CDT
sendto in send_tcp_raw: sendto(3, packet, 40, 0, xxx.xxx.xxx.xxx, 16) => Operation not permitted
Interesting ports on xxx.xxx.xxx.xxx.lem-bsr1.chi-lem.il.cable.rcn.com (xxx.xxx.xxx.xxx):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
First of all, what does this mean:
sendto in send_tcp_raw: sendto(3, packet, 40, 0, xxx.xxx.xxx.xxx, 16) => Operation not permitted
It repeats about 30 times and then finally displays the open ports....
I tried to run the following command:
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
and ran service iptables save
then ran nmap again to see if port 25 would show, but it doesn't..
nmap only shows ports as "open" when (1) iptables allows traffic to that port and (2) some server program is actually listening on that port -- so to see if port 25 is reachable you should first run the qmail server and only then run nmap to see if it can reach the port. Then it will show either "open" or "filtered".
cheers,
nukkel
P.S. those sendto errors -- I get them too sometimes, don't know exactly what triggers them though.
In a working environment with iptables, it is supposed that there are rules to accept traffic, and a last rule to deny all.
If that is your case, by adding a new rule with -A, what you do is to put the new rule AFTER the 'deny all' rule, so it is never checked.
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
Then, you can save rules as the new rule is in the correct place.
Another problem appears if the firewalling machine is also doing NAT. Then, to make ftp work, an iptables module must be loaded, as ftp (active) is a stateful protocol.
If not, make clients use passive ftp.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
CentOS has an extremely powerful firewall built in, commonly referred to as iptables, but more accurately it is iptables/netfilter. Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables. Netfilter is a kernel module, built into the kernel, that actually does the filtering. There are many GUI front ends for iptables that allow users to add or define rules based on a point and click user interface, but these often lack the flexibility of using the command line interface and limit the user's understanding of what's really happening.
You can insert a rule by mentioning position instead of appending by using -I instead of -A.
From Fedoraproject:
Code:
Inserting Rules
Create a Rule at the top (first) position:
[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The number given after the chain name indicates the position before an existing Rule. So, for example, if you want to insert a Rule before the third rule you specify the number 3. Afterward, the existing Rule will then be in the fourth position in the chain.
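As an added illustration for this thread (not code from LinuxQuestions, the Fedora wiki or the netfilter project), the following Python models the two points the replies make: nukkel's, that nmap reports a port as "open" only when the firewall lets the packet through and a daemon is actually listening, and the later replies', that -A appends after a trailing deny-all rule while -I N inserts before the current rule N. It goes slightly beyond nukkel's two states by also producing "closed", which is what nmap reports when the packet is accepted but nothing listens (the kernel answers with a RST, as for the 1654 closed ports in the scan above). The Rule and Chain classes, the rule options they accept and the port/listener sets are a constructed, simplified subset of real iptables behaviour, not its syntax.

```python
"""Toy model of first-match evaluation in an iptables chain (added illustration).

Not code from the thread, LinuxQuestions, Fedora or the netfilter project. It
models only what the replies describe: a chain is walked top to bottom, the
first matching rule decides, and the chain policy applies when nothing matches.
Rule, Chain and the options they accept are a constructed, simplified subset.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP" only, in this toy model
    proto: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)


@dataclass
class Chain:
    policy: str = "ACCEPT"                        # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """iptables -A: the new rule goes to the END of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:
        """iptables -I CHAIN [N]: the new rule goes BEFORE the current rule N
        (1-based); with no N it becomes the first rule."""
        if not 1 <= position <= len(self.rules) + 1:
            raise ValueError("rule position out of range")
        self.rules.insert(position - 1, rule)

    def verdict(self, proto: str, dport: int) -> str:
        """First matching rule wins; later rules are never consulted."""
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.target
        return self.policy


def nmap_state(verdict: str, listening: bool) -> str:
    """nmap's port state for a TCP SYN/connect scan, given the firewall verdict
    and whether a daemon is bound to the port (nukkel's two conditions):
      DROP              -> no reply at all -> "filtered"
      ACCEPT, listener  -> SYN/ACK         -> "open"
      ACCEPT, nothing   -> RST             -> "closed"
    """
    if verdict == "DROP":
        return "filtered"
    return "open" if listening else "closed"


def simulated_scan(chain: Chain, listeners: Set[int], ports=(22, 25, 80)) -> Dict[int, str]:
    """Port -> nmap state for a constructed set of ports and listening daemons."""
    return {p: nmap_state(chain.verdict("tcp", p), p in listeners) for p in ports}


def build_typical_chain() -> Chain:
    """The layout the reply describes: accept rules first, a deny-all rule last."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", "tcp", 22))   # ssh
    chain.append(Rule("ACCEPT", "tcp", 80))   # http
    chain.append(Rule("DROP"))                # the trailing "deny all" rule
    return chain


def demo_append_vs_insert() -> Dict[str, object]:
    """Replay the poster's attempt (-A), the fix (-I), and a positioned insert (-I 3)."""
    results: Dict[str, object] = {}

    # What the poster ran: -A lands AFTER the deny-all rule, so it is never reached.
    appended = build_typical_chain()
    appended.append(Rule("ACCEPT", "tcp", 25))
    results["-A verdict"] = appended.verdict("tcp", 25)
    results["-A scan, no smtp daemon"] = simulated_scan(appended, {22, 80})

    # The fix: -I puts the rule at the top, before the deny-all rule.
    inserted = build_typical_chain()
    inserted.insert(Rule("ACCEPT", "tcp", 25))
    results["-I verdict"] = inserted.verdict("tcp", 25)
    results["-I scan, no smtp daemon"] = simulated_scan(inserted, {22, 80})
    results["-I scan, smtp daemon up"] = simulated_scan(inserted, {22, 25, 80})

    # -I INPUT 3: inserted before the current third rule (the deny-all), which
    # then becomes the fourth, as the Fedora text describes.
    positioned = build_typical_chain()
    positioned.insert(Rule("ACCEPT", "tcp", 25), position=3)
    results["-I 3 verdict"] = positioned.verdict("tcp", 25)
    results["-I 3 chain"] = [r.target for r in positioned.rules]
    return results


if __name__ == "__main__":
    for label, value in demo_append_vs_insert().items():
        print(f"{label:28} {value}")
```

Running it shows the poster's symptom directly: with the appended rule, port 25 stays "filtered" no matter what is listening, because the catch-all DROP is matched first; with the inserted rule, port 25 flips to "closed" until a daemon is started on it, and only then to "open".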
I have been using Linux for many years now, 15 I think. I used to use iptables and was always very frustrated. One thing I would seriously consider is changing to shorewall. It is so, SO much easier to configure and still uses ipchains for protection. Once I switched and took a few minutes to understand it, I have never had firewall issues since!!