Why doesnt my firewall block all ports
Hi guys, I've got the following script:
Code:
#!/bin/bash
echo ""
echo ""
mii-tool -F 10baseT-HD eth0
echo "Setting IPTABLES,IFCONFIG and ROUTE"
EXT_NIC="eth0"
EXT_IP="192.168.0.82"
INT_NIC="eth1"
INT_IP="192.168.1.1"
echo "flushing IPTABLES"
# Flushing and deleting chains does not touch the chain policies:
# no -P line appears anywhere below, so INPUT keeps the kernel default of ACCEPT.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X -t nat
iptables -X -t mangle
iptables -X
echo "Setting routing $EXT_NIC -> $INT_NIC"
iptables -t nat -A POSTROUTING -o $EXT_NIC -j MASQUERADE
echo "Adding Firewall State Rules"
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
iptables -A INPUT -i $EXT_NIC -m state --state ESTABLISHED,RELATED -j ACCEPT
#Transparent proxy
echo "Enabling Transparent Proxy"
# "! -s" is the current negation syntax; the older "-s !" form is rejected by newer iptables.
iptables -t nat -A PREROUTING -i eth0 ! -s 10.2.2.1 -p tcp --dport 80 -j DNAT --to 10.2.2.1:8080
# Note: "-s 192.168.0.0" without a mask matches only that single address, not the whole /24.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0 -d 10.2.2.1 -j SNAT --to 192.168.0.82
iptables -A FORWARD -s 192.168.0.0 -d 10.2.2.1 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT
echo "Opening Few Ports for the external network"
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 22 -j ACCEPT #SSH (TCP)
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 80 -j DROP #HTTP (TCP)
echo "Drop ALL Other Connections on the external network"
iptables -A INPUT -i $EXT_NIC -j DROP
echo "Dropping Few Ports for the internal network"
#iptables -A INPUT -p tcp -i $INT_NIC --dport 1863 -j DROP #MSN (TCP)
#iptables -A INPUT -p tcp -i $INT_NIC --dport 21 -j DROP #FTP (TCP)
echo "Enabling IPForwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "..."
echo "Internet sharing is enabled, happy surfing..."

The problem is that the script is supposed to block all connections to the external interface except for port 80 and SSH, but when I do an nmap port scan on the interface I get several other ports, including ports for MySQL, sendmail etc. Why is that happening?
I think it is a result of this line
Code:
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
Code:
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
BTW, you should set your default policies to DROP. AFAIK nmap running on the local machine will show all services. A better test would be to run nmap on a PC on the WAN side. You can go to www.grc.com and run Shields Up for a quick check to see what ports are open.
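To see why the two replies above both matter, here is an added example (not code from the thread or from the poster's script): a small Python simulator of iptables INPUT-chain evaluation. It parses the four INPUT rules exactly as they appear in the posted script, then asks what verdict a fresh TCP SYN to a few ports would get depending on which interface it arrives on. Because every terminal rule in the posted chain is tied to `-i eth0`, a scan run on the firewall itself (loopback) or from the LAN side never matches any of them and falls through to the chain's default policy, which the script never changes from ACCEPT. The "hardened" rule list is a constructed illustration of the suggested fix (policy DROP, explicit accepts for loopback, established traffic, and the SSH and HTTP ports the poster wants open); the port numbers 25 and 3306 stand in for the sendmail and MySQL services mentioned in the question.

```python
"""Added example: simulate iptables INPUT-chain evaluation for the posted rules.

Only the matches used by the rules in the thread are implemented
(-A, -i, -p, --dport, -m state --state, -j). LOG is treated as
non-terminating, as it is in iptables; ACCEPT/DROP/REJECT end evaluation.
"""
import shlex
from typing import Dict, List

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line: str) -> Dict:
    """Parse one 'iptables -A CHAIN ...' command line into a match dictionary."""
    argv = shlex.split(line)
    rule = {"chain": None, "iface": None, "proto": None, "dport": None,
            "states": None, "target": None}
    i = 1  # argv[0] is the iptables binary itself
    while i < len(argv):
        opt = argv[i]
        if opt == "-A":
            rule["chain"] = argv[i + 1]
        elif opt == "-i":
            rule["iface"] = argv[i + 1]
        elif opt == "-p":
            rule["proto"] = argv[i + 1]
        elif opt == "--dport":
            rule["dport"] = int(argv[i + 1])
        elif opt == "-m":
            pass  # match-extension name (e.g. "state"); its options follow
        elif opt == "--state":
            rule["states"] = set(argv[i + 1].split(","))
        elif opt == "-j":
            rule["target"] = argv[i + 1]
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule


def matches(rule: Dict, pkt: Dict) -> bool:
    """True if every match present in the rule agrees with the packet."""
    if rule["iface"] and pkt["iface"] != rule["iface"]:
        return False
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(rules: List[Dict], policy: str, pkt: Dict) -> str:
    """Walk the INPUT chain top to bottom; fall back to the chain policy."""
    for rule in rules:
        if rule["chain"] == "INPUT" and matches(rule, pkt):
            if rule["target"] in TERMINAL:
                return rule["target"]
            # LOG (non-terminating): keep evaluating the next rule
    return policy


# The INPUT rules exactly as they appear in the posted script (filter table).
POSTED_INPUT_RULES = [parse_rule(l) for l in [
    "iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG",
    "iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT",
    "iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -i eth0 -j DROP",
]]

# Constructed illustration of the suggested fix: meant to be loaded together
# with 'iptables -P INPUT DROP', so anything not listed here is dropped.
HARDENED_INPUT_RULES = [parse_rule(l) for l in [
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT",
]]


def scan_verdicts(rules: List[Dict], policy: str, iface: str,
                  ports=(22, 80, 25, 3306)) -> Dict[int, str]:
    """Verdict for a fresh TCP SYN to each port arriving on `iface`."""
    return {p: verdict(rules, policy, {"iface": iface, "proto": "tcp",
                                       "dport": p, "state": "NEW"})
            for p in ports}


if __name__ == "__main__":
    print("posted rules, nmap run on the firewall itself (lo): ",
          scan_verdicts(POSTED_INPUT_RULES, "ACCEPT", "lo"))
    print("posted rules, nmap run from the LAN side (eth1):     ",
          scan_verdicts(POSTED_INPUT_RULES, "ACCEPT", "eth1"))
    print("posted rules, nmap run from the WAN side (eth0):     ",
          scan_verdicts(POSTED_INPUT_RULES, "ACCEPT", "eth0"))
    print("hardened rules with policy DROP, from the WAN side:  ",
          scan_verdicts(HARDENED_INPUT_RULES, "DROP", "eth0"))
```

Running it shows the posted chain reporting every port as ACCEPT when the scan originates on `lo` or `eth1`, and everything (including 22 and 80, whose ACCEPT lines are commented out in the script) as DROP from `eth0`; the hardened list with policy DROP opens only 22 and 80 on the WAN side. The simulator checks rule logic only; it does not replace a real scan from a machine on the WAN side.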
OK, I got you guys, and what should I do to avoid the current situation?
Did dropping that line with "-j ACCEPT" work? Did you change your default policies to DROP? Did you take michaelk's suggestion and check your ports from the outside? Are things still showing up as open when you want them closed?