LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 02-14-2006, 04:33 PM   #1
stonereh (LQ Newbie, Debian)
Blocking specific ports on IPTABLES


I'm trying to block ports (just using 21 as an example).

I tried using:
$IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j DROP

I saw that off an example on another post, I also tried:
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j denied (also DROP, reject, etc).

When I go to run the firewall again, it runs fine, but on nmapping the machine and also FTPing from the outside, it still allows access. Still showing open. I also tried adding an -N denied (DROP, reject, etc.) with no luck on that. Can anybody please inform me of how I should go about doing this?

Also another question, how can I allow unrestricted access from a specific subnet?
 
Old 02-14-2006, 04:48 PM   #2
gilead (Senior Member)
Is your external (internet) interface eth0 or is that your LAN? If you have the wrong interface, the external scan will still show the port as open. A simpler approach might be to have a default policy of drop for the input chain and then allowing ports as you need them.

Have a look through http://www.netfilter.org/documentation/ and http://iptables-tutorial.frozentux.n...-tutorial.html - they both provide useful information.
 
Old 02-14-2006, 04:52 PM   #3
stonereh (Original Poster)
eth0 WAN
eth1 LAN
I'm doing an nmap/ftp test from externally. I know I have the right interface.
 
Old 02-14-2006, 09:04 PM   #4
Matir (LQ Guru)
The following should drop anything coming in on tcp port 21 on eth0:
Code:
iptables -A INPUT -p tcp --dport 21 -j DROP
However, make sure there are no rules ACCEPTing port 21 before this one. You might want to try -I INPUT to insert it in the input chain at the beginning.
 
Old 02-14-2006, 09:13 PM   #5
stonereh (Original Poster)
Code:
iptables: Chain already exists
iptables: Chain already exists
iptables: Chain already exists
iptables: Chain already exists
iptables: Chain already exists
iptables: No chain/target/match by that name
That's what shows up when I execute the firewall. The last line has come up before this, something else is causing it (I'm too stupid to figure it out). But regardless, adding that command apparently didn't shoot out any other errors, but I can still FTP in from an outside source. I don't believe "DROP" is known to it.

Chain names I have right now are "allowed" "tcp_packets" "udp_packets" and "icmp_packets", don't know if that matters.
 
Old 02-14-2006, 09:16 PM   #6
Matir (LQ Guru)
DROP is one of the default targets. Posting your existing configuration might help us find the source of all the problems.
 
Old 02-14-2006, 09:16 PM   #7
gilead (Senior Member)
Do you mind posting the whole script so we can try and step through it?
 
Old 02-15-2006, 07:02 AM   #8
doublejoon (Member)
Might be a silly question, but are you doing an iptables-restore < your script after you edited?
 
Old 02-15-2006, 10:49 AM   #9
stonereh (Original Poster)
Code:
INET_IP="70.121.144.215"
INET_IFACE="eth0"
INET_BROADCAST="255.255.255.255"

LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.1/24"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -N bad_tcp_packets

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset 
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -A INPUT -p tcp --dport 21 -j DROP
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6660:6670 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10000 -j allowed

#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines 
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will 
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP


# ###PORT FORWARDING###
##Remote Desktop Sharing
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 192.168.0.3:3389
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.3 --dport 3389 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 3389 -j ACCEPT

##EMULE
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 4662 -j DNAT --to 192.168.0.3:4662
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.3 --dport 4662 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 4662 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i eth0 --dport 4672 -j DNAT --to 192.168.0.3:4672
$IPTABLES -A FORWARD -p udp -i eth0 -d 192.168.0.3 --dport 4672 -j ACCEPT
$IPTABLES -I INPUT -p udp --dport 4672 -j ACCEPT
I'll try that command... didn't even think about it. But that's the script.
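Added example (editor's code, not the script posted above and not taken from the netfilter documentation linked in post #2). The posted script never flushes the tables before loading rules, so every re-run appends a second copy of each rule behind the previous run's rules (the repeated "Chain already exists" messages in post #5 are the symptom of re-creating chains that are still there), and whatever an earlier run placed in tcp_packets, including the old "--dport 21 -j allowed" rule that is now commented out, keeps matching before any newly appended DROP is reached. The script below keeps the posted interface layout (eth0 WAN, eth1 LAN, 192.168.0.0/24) and shows the three things the thread asks for: a clean reset before loading rules (post #8's concern), an explicit port block placed ahead of any rule that could accept the same port (post #4's point about rule order), and unrestricted access for one subnet (the second question in post #1). It covers the INPUT chain only; the posted NAT and port-forwarding rules would be re-added after the reset in the same way. 203.0.113.0/24 (the RFC 5737 documentation range) is an assumed placeholder for that subnet, the function names and the IPTABLES dry-run hook are the editor's additions, and the verify step needs an iptables that supports -C (--check).

```shell
#!/bin/sh
# Added example, not the script posted in this thread. Same interface layout
# as the posted script (eth0 = WAN, eth1 = LAN 192.168.0.0/24). The trusted
# subnet below is an assumption (RFC 5737 documentation range), replace it.

IPTABLES="${IPTABLES:-/sbin/iptables}"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_NET="192.168.0.0/24"
TRUSTED_NET="203.0.113.0/24"      # assumption: the subnet that gets full access
BLOCKED_TCP="21"                  # WAN-side TCP ports to refuse outright
ALLOWED_TCP="22 80 443"           # WAN-side TCP ports to accept

# Every iptables call goes through one function so the whole ruleset can be
# dry-run by pointing IPTABLES at a function that only records its arguments.
ipt() { "$IPTABLES" "$@"; }

# 1. Start from an empty ruleset. Without this, re-running the script appends
#    a second copy of every rule behind the first run's rules, and a rule such
#    as the earlier "--dport 21 -j allowed" stays in the old chain and matches
#    before the new DROP is ever reached.
reset_firewall() {
    for table in filter nat mangle; do
        ipt -t "$table" -F      # delete all rules in the table
        ipt -t "$table" -X      # delete all user-defined chains
        ipt -t "$table" -Z      # zero the counters
    done
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT        # the posted script is stricter here; keep its OUTPUT rules if wanted
}

# 2. INPUT rules, in the order the kernel evaluates them.
apply_input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Unrestricted access from the LAN and from the trusted subnet. These sit
    # above the port blocks on purpose, so the blocks do not apply to them.
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -s "$TRUSTED_NET" -j ACCEPT
    # Explicit blocks go BEFORE any rule that could accept the same port.
    for p in $BLOCKED_TCP; do
        ipt -A INPUT -i "$INET_IFACE" -p tcp --dport "$p" -j DROP
    done
    # Only new connections (SYN) are matched here; replies for existing
    # connections were already accepted by the ESTABLISHED,RELATED rule.
    for p in $ALLOWED_TCP; do
        ipt -A INPUT -i "$INET_IFACE" -p tcp --syn --dport "$p" -j ACCEPT
    done
    # Anything else is logged (rate limited) and falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-prefix "IPT INPUT packet died: "
}

# 3. Verify on the firewall itself. -C returns 0 only if an identical rule is
#    present; -S prints the live INPUT chain in evaluation order, which is the
#    quickest way to spot a stale ACCEPT sitting above a DROP.
verify_firewall() {
    for p in $BLOCKED_TCP; do
        ipt -C INPUT -i "$INET_IFACE" -p tcp --dport "$p" -j DROP || return 1
    done
    ipt -S INPUT
}

case "${1:-}" in
    apply) reset_firewall && apply_input_rules && verify_firewall ;;
esac
```

Run it as root with `sh fw.sh apply`. The check that matters is still the one from outside: `nmap -Pn -p 21 <wan-address>` reports the port as `filtered` once the DROP is in front (no reply at all), or as `closed` if you use `REJECT --reject-with tcp-reset` instead. On post #8's question: what the script loads is exactly what `iptables-save` prints, so keep a copy with `iptables-save > /etc/iptables.rules` and load it at boot with `iptables-restore < /etc/iptables.rules`; iptables-restore replaces the tables it loads, which is why it does not accumulate duplicates the way re-running an unflushed script does.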
 
  

