I ran a web scan from Derkeiler.com and it came up with these results on my firewall:

Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2006-03-31 20:24 CEST
Initiating Connect() Scan against xx-xxx-xx-xx.ashbva.mindyourbizz.net (xx.xxx.xx.xx) [1663 ports] at 20:24
Discovered open port 443/tcp on xx.xxx.xx.xx
Discovered open port 23/tcp on xx.xxx.xx.xx
Discovered open port 513/tcp on xx.xxx.xx.xx
The Connect() Scan took 18.82s to scan 1663 total ports.
Host xx-xxx-xx-xx.ashbva.mindyourbizz.net (xx.xxx.xx.xx) appears to be up ... good.
Interesting ports on xx-xxx-xx-xx.ashbva.mindyourbizz.net (xx.xxx.xx.xx):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
80/tcp filtered http
113/tcp filtered auth
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
513/tcp open login
27374/tcp filtered subseven

Nmap run completed -- 1 IP address (1 host up) scanned in 19.293 seconds

On my firewall I ran netstat -pantu,ps -aux, and nmap and found nothing listen on those ports or anything suspicious. I ran the latest chkrootkit and found nothing.I check my firewall rules and there is nothing referencing any of those ports to allow them to be open. I am confused. How reliable are these web based port scanning sites. I am using SSH on that port but only internal. port 23 for telnet, I dont have the telnet service on any of my boxes, I use ssh.? Help!

perhaps it scanned some other box or something??

what do your iptables rules look like?? what about netstat?? please post these:

PS: i went to derkeiler.com to do a scan on my own box but i couldn't find the scanner anywhere... could you post a direct link??

https://www.grc.com/x/ne.dll?bh0bkyd2

I am making some adjustments and then I will post the rest. Many thanks

make sure that before you post you run the test again after you do your adjustments cuz if not it would defeat the purpose of posting...

BTW, i tried the grc.com scan thing and it worked fine for me... i could see the scan happening in my /var/log/syslog using "tail -f" with no problems... my result was:

I will certainly do that. It must be something in my firewall. Let me ask you this:

If I have lets say sshd running on a machine behind my firewall, how can I allow only my internal machines to connect to that sshd dameon and if my firewall is set to filter related or established connection comming in but allow most connections going out could it be something in the sshd_config file that is allowing connection from outside the firewall in and I guess maybe that would be the same for telnet? What programs other than telnet would use port 23?

I found out what had opened ports. It is my VOIP modem/router that is causing issues. But how can my voip router/modem do that? I can telnet to it thus port 23 open. The VOIP/Router is set to gateway mode, should I change it to bridge mode thus giving my firewall full control?

Check it out. Now I passed:

GRC Port Authority Report created on UTC: 2006-04-01 at 19:05:14

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

This was a lesson well learned.

Know everything about you equipment and test test test (stressing security) until your fingers drop off. I had a VOIP modem/Router that had several services on and I believe because it was used in GATEWAY mode is why my firewall was not blocking these services and ports(I am still a little confused about that) including ICMP requests, telnet and mirroring some of my services (SSHD). But one questions still remains, how could this VOIP Modem/Router(my IPtables blocking ssh externally) still have allow external people to connect to my system. I block every dog gone thing and still the web test failed me. ?

could we see you iptables script?? the answer might be there...

I am going to post it very shorty. I am making some minor adjustments. I disconnected my VOIP modem/router and connected my firewall to the cable modem directly and passed with flying colors,my firewall was doing what it is designed to do. Everything was blocked but the minute I connected back my VOIP modem/router then the services were allowed through. I very confused. I will post shortly.

Here is my network

VOIP Modem (They are two different models. This one has telnet and http access thus port 23 and 80 open)
|
|
|
VOIP Modem (The older original VOIP modem, only web access)
|
|
|
Linux Firewall
|
|
|
LAN

Here is my IPTABLES rules. Dont be to hard on me!

#! /bin/sh

IPTABLES="/usr/sbin/iptables"

case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""


##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#
EXTIF="eth0"
EXTIP="192.168.3.1"
INTIF="eth3"
INTLAN="192.168.3.0/25"
#EXTGW="192.168.3.1"
INTMASK="255.255.255.128"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"

# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####


#-----Port-Forwarding Variables-----#

#IP for forwarded HTTP-traffic
HTTPIP="192.168.3.1"

#IP's for DMZ to VOIP
#DMZ_NETWORK="192.168.2.0"
DMZ_IFACE="eth4"
DMZ_IP="192.168.2.1"
#DMZ_DNS_IP="xx.xx.xxx.xx"
DMZ_VOIP_PHONE="192.168.2.120"

####PS2#######
#PS2_NETWORK="192.168.2.0"
#PS2_IFACE="eth4"
#PS2_IP="192.168.2.1"
#PS2="192.168.2.120"


#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"


echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack_sip
/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Inbound Special Ports

$IPTABLES -N SPECIALPORTS

#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

#Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND

#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

##Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND

#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDp for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

############################### PS2 Fowarding Chains #########################################

$IPTABLES -N WAN2DMZ
#$IPTABLES -N PS22WAN
$IPTABLES -N DMZ2WAN

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/25 -j LREJECT
$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 80 -j DROP

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

##ICMP & Traceroute filtering

#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p ICMP -j DROP

#$IPTABLES -A INPUT -i $EXTIF -p icmp -j LDROP

#Block UDP-Traceroute
#$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP


##Silent Drops/Rejects (Things we don't want in our logs)

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset


##Public services running ON FIREWALL-BOX (comment out to activate):

###########- From DMZ Interface to DMZ firewall IP########################
##################################################################

############################### ssh ###########################################

# $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 513 -j TCPACCEPT

############Separate logging of special portscans/connection attempts #######################

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

#Allow unlimited traffic to internal network using legit addresses

$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT

##ICMP & Traceroute

$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
#$IPTABLES -A OUTPUT -o $EXTIF -j SMB

#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

# ssh
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 513 -m state --state ESTABLISHED -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain ## (everything that passes the firewall)
####################


##GENERAL Filtering

#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG


##Filtering FROM INTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

#HTTP-Forwarding
$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 3128 -j ACCEPT

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT


##Filtering FROM EXTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
# $IPTABLES -A FORWARD -i $EXTIF -j SMB


##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

######################################## DMZ ################################################
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -j WAN2DMZ
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j DMZ2WAN
################################## VOIP or PS2 -Forwarding #########################

#################### ################## WAN to PS2 ###########################################

#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 1024:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 26300:26399 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 30000:30099 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -j RETURN

################################### PS2 to WAN #################################################################################################### #########################################

#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 1024:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -I DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 26300:26399 -m state --state NEW -j ACCEPT
#$IPTABLES -I DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 30000:30099 -m state --state NEW -j ACCEPT
$IPTABLES -I DMZ2WAN -j RETURN


##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

##HTTP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3128 -j REDIRECT --to-port 192.168.3.2:8080

######################################## PS2 #################################################################################################### ###########################################


#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $DMZ_VOIP_PHONE
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE
#IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 26300:26399 -j DNAT --to-destination $DMZ_VOIP_PHONE
#IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 30000:30099 -j DNAT --to-destination $DMZ_VOIP_PHONE

###################
## POSTROUTING ##
###################

#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#####DMZ VOIP PHONE step 5 #######

# $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.120


#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##

;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac

exit 0

metallica1973


WOW......


Keep it up

Impressive

I will shorten it up.WINSUX32 there it finally is after a million posts. I know it is huge but I am still learning IPTABLES and I am experimenting. Can you see what I might be doing wrong in my rules. I used your recommendations and I still cannot get my VOIP phones to work. I called the VOIP company and they say that those are the correct ports 5060-5065 UDP, 1020-1030 UDP and 10000-20000 UDP. I am will not let this beat me.

huh?? how did this thread go from a web scan to VOIP problems??

also, what recommendations are you talking about?? i don't believe i've made any...

That is true but let me refresh your memory

http://www.linuxquestions.org/questi...=390997&page=2

I due appreciate your help and youn staff.

oh, okay, i see where you're coming from now...

indeed, the script did seem familiar...

anyhow, the VOIP issue has nothing to do with this thread, so we really should take the VOIP discussion to the other thread... i'll see you over there...

BTW, it would be great if you could use the code tags when you post scripts as it makes things much easier for people and it also avoids having the page's layout affected...