LinuxQuestions.org


carboncopy 01-26-2005 07:10 AM

block m$ related ports using iptables
 
Hi!

I know there are tons of docs about iptables out there. But I need a quick and dirty iptables command to block netbios and samba ports from the Internet at my firewall. Both incoming and outgoing.

I already have a basic rc.firewall script downloaded from somewhere on the Internet. Configured to be NAT and enable all outgoing but only related incoming.

Oh, yuh, explanation of the command flags would be helpful. Thanks.

Hangdog42 01-26-2005 08:42 AM

Rather than shut down those ports specifically, the better approach is to shut down ALL ports with the default table properties and then open up only those you need. So your defaults should look something like

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then for each daemon you want to be able to listen, add a line opening that port. So say you want to run Apache with SSL. You'll need to open two ports

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

You would also need to open up outbound traffic, and I like to use state matching to do this.

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


So as long as you don't open the netbios or Samba ports, the table defaults will block them. This also means that you are only opening the ports you absolutely need to have.

carboncopy 01-26-2005 12:19 PM

Will I have problems with bittorrent if I use this method?

Are bittorrent connections initiated (NEW) by me? Or is it both ways?

carboncopy 01-26-2005 12:20 PM

This is how my INPUT chain looks for now
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:445 LOG flags 0 level 4
LOG        udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:445 LOG flags 0 level 4
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:445
DROP      udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:445
LOG        udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:137 LOG flags 0 level 4
DROP      udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:137
LOG        udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:138 LOG flags 0 level 4
DROP      udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:138
LOG        udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:139 LOG flags 0 level 4
DROP      udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:139
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:139 LOG flags 0 level 4
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:139

Does this look correct for blocking those ports? Where is the log stored? I know this is bad policy, but let me learn please :)

Hangdog42 01-26-2005 03:34 PM

Quote:

Will I have problem with bittorrent if I use this method?
I think you do have to open up some additional ports to use bittorrent. Unless I'm mistaken, incoming bittorrent connections are NEW and you really don't want to allow state matches to NEW on your INPUT chain. It kinda defeats the purpose of a firewall. However, if you are using state matches on OUTPUT, you can safely use NEW and probably want to. I'm not at my linux box, but tonight I'll post how I allow bittorrent through my firewall.

Quote:

Does this look correct for blocking those ports? Where is the log store?
Yeah, it looks like the ports are blocked. As for the log entries, look in /var/log/syslog. If there is nothing there, check /var/log/messages.

Hangdog42 01-26-2005 05:44 PM

OK, for bittorrent I allow port 6881 through the firewall and that works just fine.

carboncopy 01-28-2005 10:08 AM

Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?

carboncopy 01-28-2005 10:51 AM

Ok as a follow up to bittorrent,

does this netstat look ok?

Code:

root@carboncopy:/var/log# netstat --numeric-hosts
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State     
tcp        0  1462 XXX.XXX.200.97:42291      82.168.82.183:64998    ESTABLISHED
tcp        0  1867 XXX.XXX.200.97:42624      82.168.82.183:64998    ESTABLISHED
tcp        0      0 XXX.XXX.200.97:42187      82.41.73.197:6881      ESTABLISHED
tcp        0  2002 XXX.XXX.200.97:39367      71.32.19.170:6881      ESTABLISHED
<internal connection>
tcp        0      0 XXX.XXX.200.97:43106      201.8.193.63:23918      ESTABLISHED
tcp        0  1984 XXX.XXX.200.97:42118      82.35.242.218:10001    ESTABLISHED
tcp        0  3807 XXX.XXX.200.97:42169      80.202.218.52:6881      ESTABLISHED
tcp        0  5534 XXX.XXX.200.97:42864      80.202.218.52:6881      ESTABLISHED


Hangdog42 01-28-2005 01:30 PM

Quote:

Originally posted by carboncopy
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connection using that port?
It is the only port that bittorrent listens on; it can actually send on any number of ports, so as long as you allow inbound traffic on 6881 and then allow outbound traffic on any number of ports, you should be fine. So the two rules in my firewall that apply here are:

iptables -A INPUT -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


The first rule allows all inbound traffic on 6881 and the second rule allows all outbound traffic regardless of what port it originates from.

I guess I don't see anything wrong with the netstat output either. However, you may want to try slightly different output (see man netstat for options) to make sure that all of the connections are from programs you recognize.
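Putting the thread together (the default-deny policies and stateful rules from the first reply, the 6881 listener from the last one, and the original question of logging and dropping the netbios/samba ports in both directions), here is an added example script that is not code from any poster. It also covers the FORWARD chain, since the box is a NAT gateway and INPUT/OUTPUT rules alone do nothing for hosts behind it; the interface name eth0 and the "SMB-" log prefix are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the default-deny,
# stateful firewall described above and adds explicit LOG+DROP rules for
# the NetBIOS/SMB ports on INPUT, OUTPUT and FORWARD, so hosts behind the
# NAT box are covered too. WAN and the log prefix are assumptions.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run
WAN="${WAN:-eth0}"       # assumed external interface

# NetBIOS/SMB ports: 137/udp, 138/udp, 139/tcp, 445/tcp
SMB_PORTS="udp:137 udp:138 tcp:139 tcp:445"

# smb_block CHAIN IFACE_FLAG: LOG (rate-limited, prefixed) then DROP each port.
# IFACE_FLAG is -i for traffic arriving on WAN, -o for traffic leaving on it.
smb_block() {
    chain=$1; iflag=$2
    for spec in $SMB_PORTS; do
        proto=${spec%%:*}; port=${spec##*:}
        $IPT -A "$chain" "$iflag" "$WAN" -p "$proto" --dport "$port" \
            -m limit --limit 5/min -j LOG --log-prefix "SMB-$chain: " --log-level 4
        $IPT -A "$chain" "$iflag" "$WAN" -p "$proto" --dport "$port" -j DROP
    done
}

# build_firewall: policies, loopback, SMB blocks, stateful allows, listeners, NAT.
build_firewall() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # SMB rules come first so nothing below can accept them
    smb_block INPUT -i
    smb_block OUTPUT -o
    smb_block FORWARD -i      # Internet -> LAN
    smb_block FORWARD -o      # LAN -> Internet
    # replies to connections we (or the LAN) opened; NEW only on the way out
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$WAN" -m state --state NEW -j ACCEPT   # LAN outbound
    # explicit listeners only: the bittorrent port from the thread
    $IPT -A INPUT -i "$WAN" -p tcp --dport 6881 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then build_firewall; fi
```

Run it as `IPT="echo iptables" sh rc.firewall apply` to review the rule list first; the dropped packets show up in /var/log/messages (or syslog) with the "SMB-INPUT: " style prefix, so `grep SMB- /var/log/messages` finds them.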

