LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Why doesnt my firewall block all ports (https://www.linuxquestions.org/questions/linux-networking-3/why-doesnt-my-firewall-block-all-ports-389249/)

ALInux 12-04-2005 05:09 PM

Why doesnt my firewall block all ports
 
Hi guys Ive got the following script :

#!/bin/bash
echo ""
echo ""

mii-tool -F 10baseT-HD eth0

echo "Setting IPTABLES,IFCONFIG and ROUTE"
EXT_NIC="eth0"
EXT_IP="192.168.0.82"
INT_NIC="eth1"
INT_IP="192.168.1.1"

echo "flushing IPTABLES"
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X -t nat
iptables -X -t mangle
iptables -X

echo "Setting routing $EXT_NIC -> $INT_NIC"
iptables -t nat -A POSTROUTING -o $EXT_NIC -j MASQUERADE

echo "Adding Firewall State Rules"
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
iptables -A INPUT -i $EXT_NIC -m state --state ESTABLISHED,RELATED -j ACCEPT

#Transparent proxy
echo "Enabling Transparent Proxy"
iptables -t nat -A PREROUTING -i eth0 -s ! 10.2.2.1 -p tcp --dport 80 -j DNAT --to 10.2.2.1:8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0 -d 10.2.2.1 -j SNAT --to 192.168.0.82
iptables -A FORWARD -s 192.168.0.0 -d 10.2.2.1 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT

echo "Opening Few Ports for the external network"
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 22 -j ACCEPT #SSH (TCP)
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 80 -j DROP #HTTP (TCP)

echo "Drop ALL Other Connections on the external network"
iptables -A INPUT -i $EXT_NIC -j DROP

echo "Droping Few Ports for the internal network"
#iptables -A INPUT -p tcp -i $INT_NIC --dport 1863 -j DROP #MSN (TCP)
#iptables -A INPUT -p tcp -i $INT_NIC --dport 21 -j DROP #FTP (TCP)

echo "Enabling IPForwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "..."
echo "Internet sharing is enabled, happy surfing..."





The prob is that the script is supposed to block all the connections to the external interface exept for port 80 and ssh
but when I do a nmap port scan on the interface I get several other ports including ports for mysql sendmail etc......
Why is that happening ?

Mad Scientist 12-04-2005 06:39 PM

I think it is a result of this line

Code:

iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
The line before that is

Code:

iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
and that's the one you want to keep. I believe that you're accepting all "new" and "invalid" connections from the outside world.

michaelk 12-04-2005 06:51 PM

BTW you should set your default policies to drop. AFAIK nmap running on the local machine will show all services. A better test would be to run nmap on a PC on the WAN side. You can go to www.grc.com and run shields up for a quick check to see what ports are open.

ALInux 12-05-2005 04:56 AM

ok I got you guys and what should I do to avoid the current situation?

Mad Scientist 12-05-2005 04:49 PM

Did dropping that line with "-j ACCEPT" work? Did you change your default policies to drop? Did you take michaelk's suggestion and and check your ports from the outside? Are thing still showing up as open when you want them closed?


All times are GMT -5. The time now is 06:09 AM.