LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-26-2005, 06:10 AM   #1
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210
Blog Entries: 4

Rep: Reputation: 45
block m$ related ports using iptables


Hi!

I know there is tons of docs about iptables out there. But I need a quick and dirty iptables command to block netbios and samba ports from the Internet at my firewall. Both incoming and outgoing.

I already have basic rc.firewall script downloaded from somewhere in the Internet. Configured to be NAT and eanble all outgoing but only related incoming.

Oh, yuh, explanation of the command flags would be helpful. Thanks.
 
Old 01-26-2005, 07:42 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Rather than shut down those ports specifically, the better approach is to shut down ALL ports with the default table properties and then open up only those you need. So your defaults should look something like

INPUT -P DROP
OUTPUT -P DROP
FORWARD -P DROP

Then for each daemon you want to be able to listen, add a line opening that port. So say you want to run Apache with SSL. You'll need to open two ports

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

You would also need to open up outbound traffic, and I like to use state matching to do this.

iptables -A OUTPUT -p tcp -m state --state NEW, ESTABLISHED, RELATED -j ACCEPT


So as long as you don't open the netbios or Samba ports, the table defaults will block them. This also means that you are only opening the ports you absoluetly need to have.
 
Old 01-26-2005, 11:19 AM   #3
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Rep: Reputation: 45
Will I have problem with bittorrent if I use this method?

Does bittorrent connection initiated (NEW) by me? Or it is both ways?
 
Old 01-26-2005, 11:20 AM   #4
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Rep: Reputation: 45
This is how my INPUT chain looks like for now
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 LOG flags 0 level 4 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 LOG flags 0 level 4 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 LOG flags 0 level 4 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 LOG flags 0 level 4 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
Does this look correct for blocking those ports? Where is the log store? I know this is bad policy, but let me learn please
 
Old 01-26-2005, 02:34 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Will I have problem with bittorrent if I use this method?
I think you do have to open up some additional ports to use bittorrent. Unless I'm mistaken, incoming bittorrent connections are NEW and you really don't want to allow state matches to NEW on your INPUT chain. It kinda defeats the purpose of a firewall. However, if you are using state matches on OUTPUT, you can safely use NEW and probably want to. I'm not at my linux box, but tonight I'll post how I allow bittorrent through my firewall.

Quote:
Does this look correct for blocking those ports? Where is the log store?
Yeah, it looks like the ports are blocked. As for the log entries look in /var/log/syslog. If there is nothing there check /var/log/messages.
 
Old 01-26-2005, 04:44 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
OK, for bittorrent I allow port 6881 through the firewall and that works just fine.
 
Old 01-28-2005, 09:08 AM   #7
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Rep: Reputation: 45
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connection using that port?
 
Old 01-28-2005, 09:51 AM   #8
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210

Original Poster
Blog Entries: 4

Rep: Reputation: 45
Ok as a follow up to bittorrent,

does this netstat looks ok?

Code:
root@carboncopy:/var/log# netstat --numeric-hosts
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0   1462 XXX.XXX.200.97:42291      82.168.82.183:64998     ESTABLISHED 
tcp        0   1867 XXX.XXX.200.97:42624      82.168.82.183:64998     ESTABLISHED 
tcp        0      0 XXX.XXX.200.97:42187      82.41.73.197:6881       ESTABLISHED 
tcp        0   2002 XXX.XXX.200.97:39367      71.32.19.170:6881       ESTABLISHED 
<internal connection> 
tcp        0      0 XXX.XXX.200.97:43106      201.8.193.63:23918      ESTABLISHED 
tcp        0   1984 XXX.XXX.200.97:42118      82.35.242.218:10001     ESTABLISHED 
tcp        0   3807 XXX.XXX.200.97:42169      80.202.218.52:6881      ESTABLISHED 
tcp        0   5534 XXX.XXX.200.97:42864      80.202.218.52:6881      ESTABLISHED
 
Old 01-28-2005, 12:30 PM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Originally posted by carboncopy
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connection using that port?
It is the only port that bittorrent listens on, it can actually send on any number of ports, so as long as you allow inbound traffic on 6881 and then allow outbound traffic on any number of ports, you should be fine. So the two rules in my firewall that apply here are:

iptables -A INPUT -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A OUTPUT -i eth0 -p tcp -m state --state NEW, RELATED, ESTABLISHED -j ACCEPT.


The first rule allow all inbound traffic on 6881 and the second rule allow all outbound traffic regardless of what port it originates from.

I guess I don't see anything wrong with the netstat output either. However, you may want to try slightly different output (see man netstat for options) to make sure that all of the connections are from programs you recognize.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Internet-Process Id,ports related jared78 Linux - Networking 6 05-19-2005 02:44 AM
IPTables and PPTPD :S (to block or not to block) thewonka Linux - Networking 0 03-24-2005 06:58 PM
Ports to Block chrisfirestar Linux - General 1 10-28-2003 03:27 AM
iptables: block ports and RELATED, ESTABLISHED Klaus Pforte Linux - Security 6 07-17-2003 10:00 AM
how to block ports furquan Linux - Security 9 02-21-2002 06:23 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration