#1 | 05-09-2003, 11:40 AM | Member | Registered: Jun 2000 | Location: Upstate New York | Distribution: Ubuntu | Posts: 158
Firewall not blocking ports...
I'm using gShield to generate an IPTables firewall on my Linux box. Unfortunately, even though the specific ports are blocked, I can still access the daemons on my server remotely...
I.e.: I have an SSH server running. I am blocking port 22. A port scan shows port 22 is open and I can connect to the SSH server.
I thought it was because I ran the firewall before I activated the daemons, but then I ran the script (which flushed all the rules and made new ones) after they were all up and running and it made no difference...
Any pointers???
Andy
#2 | 05-09-2003, 01:54 PM | Moderator | Registered: Feb 2002 | Location: Grenoble | Distribution: Debian | Posts: 9,696
Are you sure the rules block the right interface(s)? If you've got 2 or more NICs, you need to be careful and choose the right ones.
#3 | 05-09-2003, 03:32 PM | Member (Original Poster) | Registered: Jun 2000 | Location: Upstate New York | Distribution: Ubuntu | Posts: 158
Yes, they are. I do have two NICs and I know the script works...
The difference is that I am running Debian now and not RedHat... :\ This did not happen with RH...
#4 | 05-09-2003, 04:35 PM | Senior Member | Registered: Dec 2002 | Location: Atlantic City, NJ | Distribution: Ubuntu & Arch | Posts: 3,503
Question: If you are blocking access to ssh in the firewall then why do you have the service running? Are you using it on the LAN only?
Also, when you run:
iptables -L
what do you get? And finally, is the iptables service turned on?
P.S. Please do not take offense to these questions. Some people get mad when I ask questions like this.
#5 | 05-09-2003, 06:47 PM | Member (Original Poster) | Registered: Jun 2000 | Location: Upstate New York | Distribution: Ubuntu | Posts: 158
The ssh was just an example... And to prove that my firewall is not working.
I did a port scan and found a bunch of ports open by services that I never used (but I have never heard of them so I didn't know how to turn them off). I tried rebooting and then starting the firewall and when that didn't work, I just blocked the ssh port to see what would happen...
I took no offense. You are trying to help, why would I complain?
Code:
voyager:/# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
loopback all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
RESERVED all -- 10.0.0.0/8 anywhere
RESERVED all -- 172.16.0.0/12 anywhere
RESERVED all -- 192.168.0.0/16 anywhere
RESERVED all -- ALL-SYSTEMS.MCAST.NET anywhere
RESERVED all -- ALL-ROUTERS.MCAST.NET anywhere
RESERVED all -- DVMRP.MCAST.NET anywhere
RESERVED all -- OSPF-ALL.MCAST.NET anywhere
RESERVED all -- OSPF-DSIG.MCAST.NET anywhere
RESERVED all -- RIP2-ROUTERS.MCAST.NET anywhere
RESERVED all -- PIM-ROUTERS.MCAST.NET anywhere
RESERVED all -- ALL-CBT-ROUTERS.MCAST.NET anywhere
MULTICAST all -- ALL-SYSTEMS.MCAST.NET anywhere
MULTICAST all -- ALL-ROUTERS.MCAST.NET anywhere
MULTICAST all -- DVMRP.MCAST.NET anywhere
MULTICAST all -- OSPF-ALL.MCAST.NET anywhere
MULTICAST all -- OSPF-DSIG.MCAST.NET anywhere
MULTICAST all -- RIP2-ROUTERS.MCAST.NET anywhere
MULTICAST all -- PIM-ROUTERS.MCAST.NET anywhere
MULTICAST all -- ALL-CBT-ROUTERS.MCAST.NET anywhere
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROPICMP icmp -- anywhere anywhere
DHCP udp -- 208.246.218.2 anywhere udp spt:bootps dpt:bootpc
ACCEPT udp -- 132.163.135.130 anywhere udp spt:ntp dpts:1024:65535
ACCEPT udp -- otc2.psu.edu anywhere udp spt:ntp dpts:1024:65535
ACCEPT udp -- time-nw.nist.gov anywhere udp spt:ntp dpts:1024:65535
DNS udp -- rochny-dns-cac-01-dmfe0.nyroc.rr.com anywhere udp spt:domain
DNS udp -- rochny-dns-cac-02-dmfe1.nyroc.rr.com anywhere udp spt:domain
DNS udp -- rochny-dns-cac-03-dmfe0.nyroc.rr.com anywhere udp spt:domain
DNS udp -- dns-cac-01-eri3.nyroc.rr.com anywhere udp spt:domain
PUBLIC tcp -- anywhere xx.rochester.rr.com tcp dpt:ssh
PUBLIC udp -- anywhere xx.rochester.rr.com udp dpt:ssh
PUBLIC tcp -- anywhere xx.rochester.rr.com tcp dpt:auth
PUBLIC udp -- anywhere xx.rochester.rr.com udp dpt:113
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:daytime
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:daytime
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:14
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:14
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:bootps
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:bootps
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:bootpc
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:bootpc
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:domain
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:domain
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:ntp
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:ntp
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpts:netbios-ns:netbios-ssn
CLOSED udp -- anywhere xx.rochester.rr.com udp dpts:netbios-ns:netbios-ssn
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:printer
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:515
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpt:swat
CLOSED udp -- anywhere xx.rochester.rr.com udp dpt:901
CLOSED tcp -- anywhere xx.rochester.rr.com tcp dpts:x11:6009
CLOSED udp -- anywhere xx.rochester.rr.com udp dpts:x11:6009
HIGHPORT tcp -- anywhere anywhere tcp dpts:1024:65535
HIGHPORT udp -- anywhere anywhere udp dpts:1024:65535
OPENPORT tcp -- anywhere anywhere tcp dpt:ssh
OPENPORT udp -- anywhere anywhere udp dpt:ssh
STATEFUL all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:swat
BLOCK_OUT udp -- anywhere anywhere udp dpt:901
BLOCK_OUT tcp -- anywhere anywhere tcp dpts:x11:6009
BLOCK_OUT udp -- anywhere anywhere udp dpts:x11:6009
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
STATEFUL all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
loopback all -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:swat
BLOCK_OUT udp -- anywhere anywhere udp dpt:901
BLOCK_OUT tcp -- anywhere anywhere tcp dpts:x11:6009
BLOCK_OUT udp -- anywhere anywhere udp dpts:x11:6009
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
Chain ACCEPTnLOG (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (accept) '
ACCEPT all -- anywhere anywhere
Chain BLACKLIST (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (blacklisted drop) '
DROP all -- anywhere anywhere
Chain BLOCK_OUT (20 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain CLIENT (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain CLOSED (20 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (closed port drop) '
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain DHCP (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (DHCP accept) '
ACCEPT all -- anywhere anywhere
Chain DMZ (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (DMZ drop) '
DROP all -- anywhere anywhere
Chain DNS (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain DROPICMP (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain DROPnLOG (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spt:www dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP udp -- anywhere 255.255.255.255 udp spt:bootps dpt:bootpc
DROP udp -- anywhere 255.255.255.255 udp spt:bootpc dpt:bootps
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain HIGHPORT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain MON_OUT (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain MULTICAST (8 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OPENPORT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUBLIC (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain RESERVED (11 references)
target prot opt source destination
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain SCAN (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (possible port scan) '
DROP all -- anywhere anywhere
Chain SERVICEDROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `gShield (service drop) '
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere
Chain loopback (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
xx is my host, fyi...
As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???
Andy
#6 | 05-09-2003, 07:23 PM | Senior Member | Registered: Dec 2002 | Location: Atlantic City, NJ | Distribution: Ubuntu & Arch | Posts: 3,503
Quote:
Originally posted by bfloeagle
As far as I know the iptables service is turned on. I mean, nothing is shown at bootup that displays iptables, but if all this is being spit out by iptables, something must be working, right???
Well, I think you have the rules loaded here but the service itself is not running. I see you're doing this on Debian so I'm not sure about this, but I think you should try:
/etc/init.d/iptables restart
If it says something like:
Stopping iptables: [FAILED]
then iptables was never turned on.
#7 | 05-10-2003, 09:16 AM | LQ Veteran | Registered: Feb 2003 | Location: Maryland | Distribution: Slackware | Posts: 7,803
I don't think anything in that firewall is actually blocking ssh. The only references I see to ssh send the packets to either the PUBLIC or OPENPORT tables, both of which just accept everything. I'm not familiar with gShield, but it looks to me like it isn't doing the trick.
If iptables appears to be running, you could try inserting a rule that would specifically block port 22:
iptables -I INPUT 1 -p tcp --dport 22 -j DROP
That inserts a rule at the first position of the INPUT table (so it can't be missed) and should block all access to port 22. If that rule blocks ssh, then you need to revisit what gShield is doing.
#8 | 05-10-2003, 02:47 PM | Senior Member | Registered: Aug 2002 | Location: Stuttgart (Germany) | Distribution: Debian/GNU Linux | Posts: 1,467
Quote:
voyager:/# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
...
OPENPORT tcp -- anywhere anywhere tcp dpt:ssh
OPENPORT udp -- anywhere anywhere udp dpt:ssh
STATEFUL all -- anywhere anywhere
Well, you jump here to the OPENPORT chain, and in the OPENPORT chain you allow EVERYTHING. So this is the first problem.
Quote:
Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere
You want to accept EVERYTHING? Well, your last INPUT chain rule jumps to the STATEFUL chain, and there you accept everything (NEW). You do NOT need that. All you need is ESTABLISHED here; anything else is not required. Kick off RELATED and NEW.
I did not fully check your firewall since this is very time consuming. I just noticed these 2 things. I'm running a pretty nailed down firewall. My firewall script:
Code:
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch |
# | |
# | |
# | This firewall is not intended to be used by newbies. I give no |
# | warranty of any kind that using it protects your box. |
# | Personally I suggest using a OpenBSD box as firewall :-) |
# | |
# | If you agree to all of the above and also dislike M$ you may |
# | continue reading. Have fun ;-) |
# \------------------------------------------------------------------/
# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
IPTABLES="/sbin/iptables"
LOG_LEVEL="notice"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------
# 4.1 - LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N LOG_DROP
$IPTABLES -F LOG_DROP
$IPTABLES -A LOG_DROP -m limit --limit 5/minute \
-j LOG --log-level $LOG_LEVEL
$IPTABLES -A LOG_DROP -j DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.2 - CHECK_ICMP_ACCESS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_ICMP_ACCESS
$IPTABLES -F CHECK_ICMP_ACCESS
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type echo-reply -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type time-exceeded -j ACCEPT
$IPTABLES -A CHECK_ICMP_ACCESS -j DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.3 - CHECK_PROBES
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_PROBES
$IPTABLES -F CHECK_PROBES
# os fingerprinting
$IPTABLES -A CHECK_PROBES -p tcp -s 0.0.0.0 --dport 0 \
-j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp -s 0.0.0.0 --dport 0 \
-j LOG_DROP
# tcpmux scanning
$IPTABLES -A CHECK_PROBES -p tcp --dport 1 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 1 -j LOG_DROP
# sscan
$IPTABLES -A CHECK_PROBES -p tcp -m multiport \
--sports 1,2,3,4,5 -j LOG_DROP
# sysstat scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 11 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 11 -j LOG_DROP
# finger scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 79 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 79 -j LOG_DROP
# linuxconf scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 98 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 98 -j LOG_DROP
# mountd scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 635 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 635 -j LOG_DROP
# proxy scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 1080 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 1080 -j LOG_DROP
# proxy scan
$IPTABLES -A CHECK_PROBES -p tcp --dport 3128 -j LOG_DROP
$IPTABLES -A CHECK_PROBES -p udp --dport 3128 -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.4 - CHECK_TCP_FLAGS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_TCP_FLAGS
$IPTABLES -F CHECK_TCP_FLAGS
# stealth FIN scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL FIN \
-j LOG_DROP
# stealth NULL scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL NONE \
-j LOG_DROP
# stealth SYN/FIN (probably)
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
# stealth SYN/RST scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,RST SYN,RST -j LOG_DROP
# stealth xmas-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN,URG,PSH -j LOG_DROP
# stealth xmas-all-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL ALL -j LOG_DROP
# stealth xmas-PSH-scan
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.5 - EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N EXTERNAL_SERVICES_INPUT
$IPTABLES -F EXTERNAL_SERVICES_INPUT
# SSH
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 22 -j ACCEPT
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p udp \
--dport 22 -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------
# 5.1 - INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.2 - FORWARD
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.3 - OUTPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# accept every outgoing packet that conntrack does not consider INVALID
# (negation goes before the option on current iptables; the old
# "--state ! INVALID" form is no longer accepted)
$IPTABLES -A OUTPUT -m state ! --state INVALID -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
Note: I've SSH open though (I use public key authentication with 2048 bit ... that's secure IMHO). I have 1 ethernet interface only, but it shouldn't be that much of a problem converting it to 2 interfaces. I will need to do that also soon BTW ...
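To see why the two observations in this post add up to "everything is let in", and what the test rule from post #7 changes, here is an added Python walk-through (written for this thread; not gShield's code and not posted by anyone in it). It evaluates a NEW inbound SSH connection against a constructed excerpt of the listing in post #5; the packet addresses, the trimmed chain set and the helper names are assumptions made for the example.

```python
"""Added example: walk an inbound SSH packet through the `iptables -L` listing
the way netfilter does: first match wins, a user chain that falls through
returns to its caller, and the policy applies only when nothing matched."""
import copy
import ipaddress
import re

SERVICES = {"ssh": 22, "daytime": 13, "domain": 53}   # names as `-L` prints them
_port = lambda name: int(name) if name.isdigit() else SERVICES[name]

# Constructed excerpt of the post #5 listing: same chains and rule order, trimmed
# to what an inbound SSH connection can hit. The `loopback` rule is left out
# because plain `iptables -L` hides its `-i lo` match (`-L -v -n` shows the
# interfaces and skips DNS), so a text-level walk would wrongly match it.
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
HIGHPORT tcp -- anywhere anywhere tcp dpts:1024:65535
OPENPORT tcp -- anywhere anywhere tcp dpt:ssh
STATEFUL all -- anywhere anywhere
Chain HIGHPORT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OPENPORT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain STATEFUL (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROPnLOG all -- anywhere anywhere
Chain DROPnLOG (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
"""

def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.strip() and not line.startswith("target "):
            target, prot, _opt, src, dst, *extra = line.split()
            rule = {"target": target, "prot": prot, "src": src, "dst": dst,
                    "ports": None, "states": None}
            for tok in extra:
                if tok.startswith("dpt"):          # dpt:ssh or dpts:1024:65535
                    ports = [_port(p) for p in tok.split(":")[1:]]
                    rule["ports"] = (ports[0], ports[-1])
            if "state" in extra:                   # conntrack state match
                rule["states"] = set(extra[extra.index("state") + 1].split(","))
            cur["rules"].append(rule)
    return chains

def _in(spec, ip):   # `anywhere` or a CIDR (hostnames need `-n` output)
    return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _matches(rule, pkt):
    return (rule["prot"] in ("all", pkt["proto"])
            and _in(rule["src"], pkt["src"]) and _in(rule["dst"], pkt["dst"])
            and (rule["ports"] is None or rule["ports"][0] <= pkt["dport"] <= rule["ports"][1])
            and (rule["states"] is None or pkt["state"] in rule["states"]))

def trace(chains, pkt, chain="INPUT", path=None):
    """Return (verdict, path); verdict None means a user chain fell through."""
    path = [] if path is None else path
    for rule in chains[chain]["rules"]:
        if not _matches(rule, pkt):
            continue
        path.append(f"{chain}:{rule['target']}")
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], path
        if rule["target"] != "LOG":                # LOG is non-terminating
            verdict, path = trace(chains, pkt, rule["target"], path)  # user chain
            if verdict is not None:
                return verdict, path
    policy = chains[chain]["policy"]
    if policy:                                     # built-in chain: apply policy
        path.append(f"{chain}:policy {policy}")
    return policy, path

def ssh_scenarios():
    """Verdicts for one NEW SSH connection from a constructed outside address."""
    pkt = {"proto": "tcp", "dport": 22, "src": "198.51.100.7", "dst": "203.0.113.10", "state": "NEW"}
    posted = parse_listing(LISTING)
    no_open = copy.deepcopy(posted)       # post #8, first point: OPENPORT accepts all
    no_open["INPUT"]["rules"] = [r for r in no_open["INPUT"]["rules"] if r["target"] != "OPENPORT"]
    no_new = copy.deepcopy(no_open)       # post #8, second point: STATEFUL accepts NEW
    no_new["STATEFUL"]["rules"] = [r for r in no_new["STATEFUL"]["rules"] if r["states"] != {"NEW"}]
    first = copy.deepcopy(posted)         # post #7: a DROP inserted at position 1
    first["INPUT"]["rules"].insert(0, {"target": "DROP", "prot": "tcp", "src": "anywhere",
                                       "dst": "anywhere", "ports": (22, 22), "states": None})
    return {"as posted": trace(posted, pkt), "without OPENPORT": trace(no_open, pkt),
            "without OPENPORT or NEW": trace(no_new, pkt), "DROP inserted first": trace(first, pkt)}
```

Only once both the OPENPORT jump and the `ACCEPT state NEW` rule are gone does the packet reach DROPnLOG; with either one in place the verdict is ACCEPT.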
#9 | 05-10-2003, 02:52 PM | Senior Member | Registered: Aug 2002 | Location: Stuttgart (Germany) | Distribution: Debian/GNU Linux | Posts: 1,467
Quote:
Well, I think you have the rules loaded here but the service itself is not running. I see your doing this on debian...
Well, first of all, do not load any iptables rules and save this as inactive using
Code:
/etc/init.d/iptables save inactive
afterwards load your firewall script (after you checked it again carefully) and
Code:
/etc/init.d/iptables save active
After you did that, configure iptables to load on bootup (dpkg-reconfigure iptables).
#10 | 05-20-2003, 02:53 PM | Member (Original Poster) | Registered: Jun 2000 | Location: Upstate New York | Distribution: Ubuntu | Posts: 158
I really can't explain why, but after screwing around with my system (and actually reinstalling it), I don't get this kind of behavior anymore...
So thanks to all you guys for trying to help me.
Even after 3 years...
Now I have another problem: Here