Old 01-21-2005, 10:47 AM   #1
proendo
LQ Newbie
 
Registered: Jan 2004
Posts: 15

Rep: Reputation: 0
IPTABLES allowing port 5900 when it shouldn't


Hello, I have been using a Slackware box as a firewall, and have the following iptables setup to allow VPN access to a Windows 2000 Advanced Server box on the LAN (x.x.x.x being the WAN IP).

rc.local
-------------------------------------------------
ifconfig eth0 10.0.0.11
dhcpcd -d -n -S eth1

#VPN
iptables -I PREROUTING -t nat -p tcp -d x.x.x.x --destination-port 1723 -j DNAT --to-destination 10.0.0.1:1723
iptables -I PREROUTING -t nat -d x.x.x.x -p 47 -j DNAT --to-destination 10.0.0.1
iptables -A INPUT -i inet -s 0/0 -d 10.0.0.1 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i inet -s 0/0 -d 10.0.0.1 -p 47 -j ACCEPT

#NO-IP Dynamic Update Program
/usr/local/bin/noip2

#Standard NAT iptables command
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

#FTP additions to allow clients to use ftp
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
------------------------------------------------------



I have RealVNC Enterprise on the Windows 2000 Server box because I like to use it LOCALLY on the LAN, or sometimes use it while VPN'ing in and entering the local IP of the Windows 2000 Server box (i.e. 10.0.0.1) into VNC.

One night the RAS service was stopped on the Windows 2000 server, so I had to log on to it from home and get it running to allow VPN access.

I SSH'd into the Slackware box and enabled an iptables command to allow port 5900.

I tried entering the WAN IP into my VNC viewer from home and I was in.


After finishing the fix to the Windows 2000 Server, I quickly went back into the Slackware box and did an iptables -F, then re-entered the VPN script from rc.local at the command line to allow VPN again.

To double-check that port 5900 and access to VNC on the server were not open on the WAN IP, I tried to use VNC with the WAN IP, and it allowed me in!

My theory is that it was allowing it ALL along.

What gives? I thought it should not allow anything through unless I tell it to, let alone forward the 5900 traffic to a local computer on the LAN.

Suggestions?

Last edited by proendo; 01-21-2005 at 10:49 AM.
 
Old 01-21-2005, 11:26 AM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 65
Can we see all your iptables rules? When you do iptables -L, do you have a DROP rule in there somewhere?

Here is an example of a simple iptables script I use:

Code:
#flush existing rules
${IPTABLES} -F INPUT

#This allows all data that has been sent out to get replies back.
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

#Allow incoming SSH requests
${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

#Allow incoming NTP - Disabled because I'm not running a time server:)
#${IPTABLES} -A INPUT -p udp --dport ntp -j ACCEPT

#Allow incoming netbios and microsoft-ds for Samba
#Someday I might experiment to see which of these is actually required.
#so I can close off the rest.
${IPTABLES} -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
${IPTABLES} -A INPUT -p udp --dport netbios-ns -j ACCEPT
${IPTABLES} -A INPUT -p udp --dport netbios-dgm -j ACCEPT

#Allow incoming ipp connections for network printing
${IPTABLES} -A INPUT -p tcp --dport ipp -j ACCEPT
${IPTABLES} -A INPUT -p udp --dport ipp -j ACCEPT

#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
${IPTABLES} -A INPUT -i ! lo -j DROP
 
Old 01-21-2005, 11:30 AM   #3
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 65
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
LOG        all  --  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
That is the output of iptables -L when I'm using that script above. If traffic doesn't fit the criteria of any of the first 10 rules it hits the LOG and DROP rules and gets denied.
 
Old 01-21-2005, 01:20 PM   #4
proendo
LQ Newbie
 
Registered: Jan 2004
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by jtshaw
Can we see all your iptables rules? When you do iptables -L do you have a DROP rule in there somewhere?
OK, that must be it. I do not have a DROP rule, LOL. I am not sure how I missed that in the docs.

Well, anyway, when I do an iptables -L now I get:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             10.0.0.1
ACCEPT     tcp  --  anywhere             10.0.0.1           tcp dpt:pptp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I will try some of your script to work with my setup. Thanks!
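The check jtshaw asked for in reply #2, applied to the listing proendo posted in reply #4, as an added example that is not part of the thread: parse `iptables -L` output and report every built-in chain whose policy is ACCEPT and whose last rule is not a catch-all DROP/REJECT, since unmatched traffic on such a chain is let through. The sample listing is constructed from reply #4; function names are the example's own.

```python
"""Added example, not from the thread: flag chains in `iptables -L` output that
let unmatched traffic through (the check jtshaw asked proendo to make)."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")

# Constructed sample: the listing proendo posted in reply #4.
OPEN_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             10.0.0.1
ACCEPT     tcp  --  anywhere             10.0.0.1           tcp dpt:pptp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_chains(listing):
    """Map chain name -> (policy, or None for user chains, rule rows), where a
    row is the split line: [target, prot, opt, source, destination, ...]."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line.rstrip())
        if m:
            attrs = m.group(2)
            current = m.group(1)
            chains[current] = (attrs.split()[1] if attrs.startswith("policy ") else None, [])
        elif current and line.strip() and not line.startswith("target"):
            chains[current][1].append(line.split())
    return chains


def is_catch_all_deny(row):
    """DROP/REJECT on prot all, anywhere -> anywhere, with no other match text
    (a `reject-with` suffix is fine). Interface matches such as `-i ! lo` are
    only shown by `-L -v`, so jtshaw's final DROP rule also passes this test."""
    extra = row[5:]
    return (len(row) >= 5 and row[0] in ("DROP", "REJECT") and row[1] == "all"
            and row[3] == row[4] == "anywhere"
            and (not extra or extra[0] == "reject-with"))


def default_accept_chains(listing):
    """Built-in chains with policy ACCEPT and no catch-all deny as last rule."""
    return sorted(name for name, (policy, rows) in parse_chains(listing).items()
                  if policy == "ACCEPT" and not (rows and is_catch_all_deny(rows[-1])))
```

Run it on `iptables -L` output from the firewall itself (`iptables -L | python3 audit.py` style, feeding stdin to `default_accept_chains`); an empty result for INPUT and FORWARD is what the thread is aiming for.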
 
Old 01-21-2005, 01:22 PM   #5
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 65
OK, I highly recommend those first rules, or else you won't be able to get reply-back packets from services that you don't allow incoming connections on.
 
Old 04-18-2005, 09:42 AM   #6
proendo
LQ Newbie
 
Registered: Jan 2004
Posts: 15

Original Poster
Rep: Reputation: 0
Update

Well, it's been a while, but some recent events have made me take another look at my little Slackware firewall box.

Here is my current script (I removed SSH, VPN, and dynamic IP services).

#(LAN NIC)
ifconfig eth1 10.0.0.11

#(INTERNET NIC)
dhcpcd -d -n -S eth0

#flush existing rules
iptables -F INPUT

#This allows all data that has been sent out to get replies back.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
iptables -A INPUT -i ! lo -j DROP

#Standard NAT iptables command
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

From a security standpoint, is this a good start?