Old 05-20-2003, 05:29 PM   #1
Misteree
Member
 
Registered: Jan 2003
Posts: 74

Rep: Reputation: 15
iptables weirdness


Many months ago, when I installed Mandrake 9, I configured iptables with a really nice set of rules.

Friends tested my box for security, and it was iron-clad solid.

Every once in a while, I go to Gibson's site for a firewall test and a port scan. Always ok.

Today I was back at Gibson's site for a regular check, and out of curiosity I programmed my iptables to be wide open:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

I then went through the firewall test and port scan test, and guess what? I was STILL impregnable, and my ports were still stealth.

I'm thinking: "What the ... ???"
So, off I go to sygate and a bunch of other firewall testing sites, and they all show me rock solid.

Does anybody know what this is all about?
I'm wondering if there isn't some kind of default Linux kernel, built-in firewall still working in the background that I'm not aware of?
 
Old 05-20-2003, 05:52 PM   #2
manthram
Member
 
Registered: Feb 2002
Location: Fairfax, VA
Distribution: RedHat 8, Mandrake9.1, Slack9
Posts: 456

Rep: Reputation: 31
Try 'iptables -L'; it will show all the rules that are working.

I think by default when iptables is running it drops everything.

To allow everything, stop iptables:

'/etc/rc.d/init.d/iptables stop'
 
Old 05-20-2003, 06:12 PM   #3
Misteree
Member
 
Registered: Jan 2003
Posts: 74

Original Poster
Rep: Reputation: 15
Yep! But...

When I have it running normal, an "iptables -L" will show me all the rules, with this at the top of the INPUT rules:
Chain INPUT (policy DROP)

and this at the top of the OUTPUT rules:
Chain OUTPUT (policy DROP)

Now, "iptables -L" shows ACCEPT instead of DROP policies.

So technically, if the policies are ACCEPT, netfilter should be wide open, regardless of how many rules there are.
If the policies are ACCEPT, then any "dropping" rule becomes useless, like having no firewall.

At least, that's my understanding of it.

[ edit ]

I tried the stop command, and iptables wanted nothing to do with it.
It refused to execute it. "Bad argument" it says.
And then it reset the policies to DROP, without my approval.



Last edited by Misteree; 05-20-2003 at 06:19 PM.
 
Old 05-20-2003, 07:27 PM   #4
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Try:

/etc/init.d/iptables stop
 
Old 05-20-2003, 10:35 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
Quote:
So technically, if the policies are ACCEPT, netfilter should be wide open, regardless of how many rules there are.
I'm not sure that is correct. I think the table defaults are there for when you run out of rules, not as a replacement for them. So when you set the tables to ACCEPT, iptables still follows all the rules, and if the packet makes it through them all, then it accepts it.

As evidence, I offer the following from the iptables tutorial on the -P flag:
Quote:
This command tells the kernel to set a specified default target, or policy, on a chain. All packets that don't match any rule will then be forced to use the policy of the chain. Legal targets are DROP and ACCEPT.

If you set all your policies to ACCEPT and flush all your rules, THEN you have a wide open system.
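An added example (my own, not from the thread or the tutorial) that models the chain traversal Hangdog42 describes: the first matching rule decides, and the chain policy is consulted only for packets that match no rule at all. The INPUT rule set is a constructed stand-in for the OP's rules.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT or DROP (the -j target)
    proto: Optional[str] = None   # None matches any protocol (-p)
    dport: Optional[int] = None   # None matches any port (--dport)

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto in (None, proto)) and (self.dport in (None, dport))

@dataclass
class Chain:
    policy: str = "DROP"          # set with `iptables -P <chain> <policy>`
    rules: list = field(default_factory=list)

    def verdict(self, proto: str, dport: int) -> str:
        # Rules are walked in order and the first match decides; the policy
        # is consulted only when a packet matches no rule at all.
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.target
        return self.policy

def build_input_chain() -> Chain:
    # Constructed stand-in for the OP's "really nice set of rules":
    # allow ssh, drop everything else with an explicit final rule.
    return Chain(policy="DROP", rules=[
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("DROP"),             # catch-all, like a last `-j DROP` rule
    ])

def scan_after_policy_accept() -> dict:
    # What a scanner sees after only `iptables -P INPUT ACCEPT`:
    # the DROP rules are still loaded, so the ports stay closed.
    chain = build_input_chain()
    chain.policy = "ACCEPT"
    return {p: chain.verdict("tcp", p) for p in (22, 80, 443)}

def scan_after_policy_accept_and_flush() -> dict:
    # Same, but after `iptables -F INPUT` as well: no rules remain,
    # so every packet falls through to the ACCEPT policy.
    chain = build_input_chain()
    chain.policy = "ACCEPT"
    chain.rules.clear()
    return {p: chain.verdict("tcp", p) for p in (22, 80, 443)}
```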
 
Old 05-21-2003, 12:27 PM   #6
Misteree
Member
 
Registered: Jan 2003
Posts: 74

Original Poster
Rep: Reputation: 15
Yep. Now I see that.

Where's that iptables tutorial you mention?
 
Old 05-21-2003, 03:14 PM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
You can find it at Frozentux.net
 
Old 05-23-2003, 08:35 AM   #8
Misteree
Member
 
Registered: Jan 2003
Posts: 74

Original Poster
Rep: Reputation: 15
Thanks.
 
Old 05-27-2003, 05:13 PM   #9
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Ubuntu, Debian, SuSE, UnSlung, Android
Posts: 1,819

Rep: Reputation: 46
The other thing to consider is that a machine that is not running any services like ftp or apache, or sendmail, won't show any open ports either. It usually takes a service running on a port to be considered open. Otherwise what is the hacker supposed to connect to?
 
  

