LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-04-2005, 05:09 PM   #1
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Blog Entries: 7

Rep: Reputation: 32
Why doesn't my firewall block all ports


Hi guys, I've got the following script:

Code:
#!/bin/bash
echo ""
echo ""

mii-tool -F 10baseT-HD eth0

echo "Setting IPTABLES,IFCONFIG and ROUTE"
EXT_NIC="eth0"
EXT_IP="192.168.0.82"
INT_NIC="eth1"
INT_IP="192.168.1.1"

echo "flushing IPTABLES"
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X -t nat
iptables -X -t mangle
iptables -X

echo "Setting routing $EXT_NIC -> $INT_NIC"
iptables -t nat -A POSTROUTING -o $EXT_NIC -j MASQUERADE

echo "Adding Firewall State Rules"
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
iptables -A INPUT -i $EXT_NIC -m state --state ESTABLISHED,RELATED -j ACCEPT

#Transparent proxy
echo "Enabling Transparent Proxy"
iptables -t nat -A PREROUTING -i eth0 -s ! 10.2.2.1 -p tcp --dport 80 -j DNAT --to 10.2.2.1:8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0 -d 10.2.2.1 -j SNAT --to 192.168.0.82
iptables -A FORWARD -s 192.168.0.0 -d 10.2.2.1 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT

echo "Opening Few Ports for the external network"
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 22 -j ACCEPT #SSH (TCP)
#iptables -A INPUT -p tcp -i $EXT_NIC --dport 80 -j DROP #HTTP (TCP)

echo "Drop ALL Other Connections on the external network"
iptables -A INPUT -i $EXT_NIC -j DROP

echo "Dropping Few Ports for the internal network"
#iptables -A INPUT -p tcp -i $INT_NIC --dport 1863 -j DROP #MSN (TCP)
#iptables -A INPUT -p tcp -i $INT_NIC --dport 21 -j DROP #FTP (TCP)

echo "Enabling IPForwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "..."
echo "Internet sharing is enabled, happy surfing..."
The problem is that the script is supposed to block all the connections to the external interface except for port 80 and SSH,
but when I do an nmap port scan on the interface I get several other ports, including ports for MySQL, sendmail, etc.
Why is that happening?
 
Old 12-04-2005, 06:39 PM   #2
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
I think it is a result of this line

Code:
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j ACCEPT
The line before that is

Code:
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j LOG
and that's the one you want to keep. I believe that you're accepting all "new" and "invalid" connections from the outside world.
 
Old 12-04-2005, 06:51 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
BTW you should set your default policies to drop. AFAIK nmap running on the local machine will show all services. A better test would be to run nmap on a PC on the WAN side. You can go to www.grc.com and run shields up for a quick check to see what ports are open.

Last edited by michaelk; 12-04-2005 at 07:05 PM.
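As an added example (not the OP's script and not code from either reply), here is the same two-NIC setup rewritten along the lines of the two answers above: default DROP policies as michaelk suggests, and no blanket "icmp NEW,INVALID -j ACCEPT" rule of the kind Mad Scientist points at. The interface names, the open-port list and the log prefix are assumptions; the rules are printed rather than applied so they can be reviewed without root, and a helper counts how many of them admit new connections from the external side.

```shell
#!/bin/bash
# Added example, not the OP's script: a stateful rule set for a two-NIC
# gateway with default DROP policies and explicit per-port accepts on the
# external interface. EXT_NIC, INT_NIC and OPEN_TCP are assumptions.
EXT_NIC="eth0"
INT_NIC="eth1"
OPEN_TCP="22 80"   # the only services meant to be reachable from outside

# Print the rule set instead of running it, so it can be reviewed (and tested)
# without root; apply it as root with:  gen_rules | sh
gen_rules() {
cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_NIC -j ACCEPT
iptables -A INPUT -i $EXT_NIC -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # one explicit NEW accept per intended service; everything else on
    # EXT_NIC falls through to the LOG rule and then the DROP policy
    for p in $OPEN_TCP; do
        echo "iptables -A INPUT -i $EXT_NIC -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
cat <<EOF
iptables -A INPUT -i $EXT_NIC -j LOG --log-prefix "ext-drop: "
iptables -A FORWARD -i $INT_NIC -o $EXT_NIC -j ACCEPT
iptables -A FORWARD -i $EXT_NIC -o $INT_NIC -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_NIC -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# How many generated rules admit a NEW TCP connection on EXT_NIC?
# With OPEN_TCP="22 80" this must be exactly 2.
count_ext_new_accepts() {
    gen_rules | grep -c -- "-i $EXT_NIC -p tcp --dport .* --state NEW -j ACCEPT"
}

# Review the rules before applying:  gen_rules
# Then verify from a host on the WAN side, not from the box itself.
```

A scan of the box's own address travels over lo, which `-i eth0` rules never see, so nmap on the local machine lists every listening service regardless of these rules; only a scan from the WAN side, as michaelk says, shows what is actually exposed.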
 
Old 12-05-2005, 04:56 AM   #4
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676

Original Poster
Blog Entries: 7

Rep: Reputation: 32
OK, I got you guys, and what should I do to avoid the current situation?
 
Old 12-05-2005, 04:49 PM   #5
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
Did dropping that line with "-j ACCEPT" work? Did you change your default policies to drop? Did you take michaelk's suggestion and check your ports from the outside? Are things still showing up as open when you want them closed?
 