Linux - Newbie: Applying iptables rules / don't seem to work once I change them

win32sux 10-22-2008 04:34 PM


Originally Posted by jonwondering (Post 3319093)
what is nic?

Network interface card.

jonwondering 10-22-2008 11:14 PM

well thanks but that doesn't help. i still have no idea what that hosting company has...
and i also have no idea why this has been moved to a newbie section. it is a question about security and iptables after all.

billymayday 10-22-2008 11:59 PM

Sorry, but my question was coming from the angle that I see some funny nmap results from machines with multiple NICs. Not sure why.

Can I suggest - and this is totally up to you - that you email me your external IP and I'll run nmap from here. I don't see how I can do any damage that way. You can send me a message by clicking on my name to the left and select send email to...

I'll post the results back here (without IP)

jonwondering 10-23-2008 06:31 PM

billymayday, I appreciate your effort to help and all your suggestions, but I think I am just gonna carefully revise my iptables rules, because it's obvious I don't have all those hundreds of processes listening on those ports, and it's probably just something wrong with the rules...

Plus I can't just trust a stranger with my expensive playbox :) (Even though you've probably helped tons of ppl with 4K+ posts :))

Thank you for all the troubles of helping me once again...

billymayday 10-23-2008 06:41 PM

That's fine.


plpl303 10-23-2008 08:38 PM

NIC = network interface card

If this is a virtual host, it might be the case that you are in fact port-scanning the *real* host that your virtual host is running on. (I don't know if that is so, but it's a thought.)

But regardless of what iptables is configured for, a port shouldn't be accessible if there's nothing listening there. So it's kind of puzzling... it seems to be an issue besides iptables itself. It's also odd that netstat doesn't think anything's listening.

Maybe I'm being kind of paranoid, but are you sure that the box hasn't been compromised?

jonwondering 10-24-2008 11:02 AM

nope, not sure. with all this weird crap happening there's a good chance it has and i have no idea about it. but i don't even know how to check really, does anybody? lol. there's not much of a website there, and i've looked in different folders, and checked running processes, and looked at iptables rules for backdoors, and cron jobs and stuff like that. didn't see anything out of the ordinary.

scanning the host itself is probably impossible (at least i hope) because they gave me a unique ip. really don't know what's going on. the crappy part is they refuse to help because they say it's not their problem, and keep sending me stupid links on how to configure my webserver...

plpl303 10-24-2008 08:31 PM

Hey, wait a minute... looking back over your nmap output:

SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx

It looks like some sort of adaptive firewall is in place: Notice that nmap's probes are being dropped: First about 40% of them and then 100%. So I'm guessing that nmap is not reporting the correct output due to firewall rules. It's probably not your virtual box's iptables rules but rather something either on the real host or on another intermediate firewall that's making the results inaccurate. At least that's my guess... seems that nmap's output indicates that *every* port is open -- and even if the box was cracked, that is a little difficult to believe... not impossible, but it seems a little surprising.
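The check plpl303 is doing by eye, written out as an added example (not code from the thread): parse nmap's verbose lines, record the dropped-probe ratio in effect when each "open" port was reported, and cross it against the ports the host itself says are listening. The listening-port set is constructed for the example.

```python
import re

# Constructed sample: the nmap lines quoted in the thread, plus a made-up
# set of ports the host itself reports as listening (as netstat -tln would).
NMAP_OUTPUT = """\
SYN Stealth Scan Timing: About 33.59% done; ETC: 22:17 (0:02:12 remaining)
Increasing send delay for xx.xx.xx.xx from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Discovered open port 7201/tcp on xx.xx.xx.xx
Discovered open port 1364/tcp on xx.xx.xx.xx
Increasing send delay for xx.xx.xx.xx from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Discovered open port 1472/tcp on xx.xx.xx.xx
"""
LISTENING_PORTS = {22, 80}  # constructed: what the host says is listening

DELAY_RE = re.compile(r"due to (\d+) out of (\d+) dropped probes")
OPEN_RE = re.compile(r"Discovered open port (\d+)/tcp")


def analyse(nmap_text, listening):
    """Return (findings, drop_events).

    findings: one (port, drop_rate_in_effect, locally_listening) per port
              nmap reported open, in scan order.
    drop_events: the dropped/sent ratio at each send-delay increase.
    """
    drop_rate = 0.0
    drop_events = []
    findings = []
    for line in nmap_text.splitlines():
        m = DELAY_RE.search(line)
        if m:
            dropped, sent = int(m.group(1)), int(m.group(2))
            drop_rate = dropped / sent
            drop_events.append(drop_rate)
            continue
        m = OPEN_RE.search(line)
        if m:
            port = int(m.group(1))
            findings.append((port, drop_rate, port in listening))
    return findings, drop_events


def suspicious_ports(findings, threshold=0.25):
    """Ports reported open while probes were being dropped above `threshold`
    and with no local listener: the answer most likely came from an
    intermediate firewall, not from the host, and needs manual verification."""
    return [p for p, rate, local in findings if rate >= threshold and not local]
```

A port flagged here is not proof of a compromise or of a broken rule set; it is a scan result that cannot be trusted until checked against what the host itself reports.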

jonwondering 10-24-2008 09:24 PM

hmmm, but how can this be? shouldn't i be able to manipulate my rules on the server the way i want them to? lol. i just don't know where this "magical" thing might come from... the thing is, i scanned this server from three different IPs from two different networks, and it all shows the same thing: tons of ports open - waaaay too many of them. so i am guessing it's nothing on my end (nmap computers), and rather something either with mediahost, or with my own misconfiguration of the server. the problem is i don't even understand how these rules show up in nmap. telnet seems to connect to a few of them, but not all (and i don't even know if that means much anyway)...

jonwondering 10-24-2008 09:40 PM

okay this is the weirdest thing. i finally managed to get a guy on the line that actually helped and explained what was happening, or at least what he thinks is happening. he says mediatemple has a firewall that covers all the servers it has, including the hosted websites and their own individual firewalls. so if i understood him correctly, he's saying nmap gets through some firewall rules, but not through mine (if i set them up correctly).

he recommended checking listening ports, and my own iptables rules. he said if somebody would have tried an attack through a port, they would know about it because of their firewall that blankets everybody else's.

it's just still a little puzzling to me why i am seeing hundreds and hundreds of these ports open. what's the purpose? plus it feels uncomfortable when you work on your iptables rules, and can't really check them thoroughly anyway to see if they work the way you want them to. and to make sure that you do have at least some level of security. but this way it looks like anything and everything is possible...
