How can I make ports 1024-5000 stealth?
Hello everybody,
I configured my firewall (iptables/guarddog) and went to www.grc.com to see the results. I got everything stealth except ports 1024 to 5000, which were in status closed. Does anybody know what I can do in order to make them stealth?
How is your current firewall configured?
I use guarddog, I guess it has to do with Local Dynamic Port Range?
I don't use guarddog, but from looking at the guarddog online manual I believe that you want to disable that option (Local Dynamic Ports). Try it and re-run the grc test.
Well, I couldn't manage to find a remove option in guarddog, and when I set the range from 1024 to 3999 I saw no difference (i.e. ports 1024-5000 were still in status "closed"). I guess I'll have to add some line to the script generated by guarddog... Does anyone have any idea how I can set a range of ports in stealth mode?
iptables -A INPUT -p tcp --dport 1024:5000 -m state --state NEW -j DROP
iptables -A INPUT -p udp --dport 1024:5000 -m state --state NEW -j DROP
It doesn't work, neither as lines in the script nor from the console....:(
There's probably something explicitly allowing those ports. Post your firewall script after removing any identifiable public IPs.
Sorry, actually the two lines you posted work perfectly, I just forgot to flush my previous rules. The problem is that when I add those lines to my script they have no effect... (ports 1024 to 5000 remain in status closed)
Here is my script:
#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=0
# LOGDROP=1
# LOGABORTEDTCP=0
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [Zone]
# NAME=Servers
# COMMENT=IB servers
# ADDRESS=10.11.0.1
# ADDRESS=195.138.138.4
# ADDRESS=195.138.138.6
# [Zone]
# NAME=mail-news
# COMMENT=mail-news
# ADDRESS=140.117.11.12
# ADDRESS=213.239.180.57
# [ServerZone] Internet
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=dict
# PROTOCOL=https
# PROTOCOL=cddb
# PROTOCOL=icq
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=msnmessenger
# PROTOCOL=nicname
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=0
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] Local
# [ClientZone] Internet
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] mail-news
# CONNECTED=1
# PROTOCOL=nntp
# [ServerZone] Servers
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=nis
# PROTOCOL=esp
# PROTOCOL=https
# PROTOCOL=auth
# PROTOCOL=kerberos
# PROTOCOL=domain
# PROTOCOL=isakmp
# PROTOCOL=redirect
# PROTOCOL=quench
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=syslog
# PROTOCOL=icp
# PROTOCOL=bpalogin
# PROTOCOL=socks
# PROTOCOL=squid
# PROTOCOL=nicname
# PROTOCOL=pptp
# PROTOCOL=privoxy
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# PROTOCOL=ah
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] mail-news
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=smtp
# PROTOCOL=nntp
# PROTOCOL=pop3
# [ClientZone] Servers
# CONNECTED=0
# [End]
# Real code starts here
# If you change the line below then also change the
# DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
  GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0 # 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
  FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
  FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
  FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
  KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
  if [ $KERNEL_VERSION == "2.6" ]; then
    KERNEL_VERSION="2.4"
  fi;
  if [ $KERNEL_VERSION == "2.5" ]; then
    KERNEL_VERSION="2.4"
  fi;
  if [ $KERNEL_VERSION == "2.4" ]; then
    if [ -e /sbin/iptables ]; then
      FILTERSYS=2
    fi;
    if [ -e /usr/sbin/iptables ]; then
      FILTERSYS=2
    fi;
    if [ -e /usr/local/sbin/iptables ]; then
      FILTERSYS=2
    fi;
  fi;
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Delete any existing chains
iptables -F
iptables -X
# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  RPF="1"
  for SEC_IP in $IPSEC_IPS ; do
    if [[ $SEC_IP == $IP ]]; then
      RPF="0"
    fi
  done
  echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -j logreject2
# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  BCAST="`echo \"$X\" | cut -f 3 -d _`"
  iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  iptables -A nicfilt -i $NIC -j RETURN
  # We also take this opportunity to see if we only have a lo interface.
  if [ $NIC == "lo" ]; then
    GOT_LO=1
  fi
  let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
  MIN_MODE=1
else
  MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
  MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Internet' to 'Servers'
iptables -N f0to2
# Create chain to filter traffic going from 'Internet' to 'mail-news'
iptables -N f0to3
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Create chain to filter traffic going from 'Local' to 'Servers'
iptables -N f1to2
# Create chain to filter traffic going from 'Local' to 'mail-news'
iptables -N f1to3
# Create chain to filter traffic going from 'Servers' to 'Internet'
iptables -N f2to0
# Create chain to filter traffic going from 'Servers' to 'Local'
iptables -N f2to1
# Create chain to filter traffic going from 'Servers' to 'mail-news'
iptables -N f2to3
# Create chain to filter traffic going from 'mail-news' to 'Internet'
iptables -N f3to0
# Create chain to filter traffic going from 'mail-news' to 'Local'
iptables -N f3to1
# Create chain to filter traffic going from 'mail-news' to 'Servers'
iptables -N f3to2
# Add rules to the filter chains
# Traffic from 'Internet' to 'Local'
# Allow 'ping'
# Echo Request
iptables -A f0to1 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f1to0 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'nicname'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f0to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
# Rejected traffic from 'Internet' to 'Local'
# Traffic from 'Internet' to 'Servers'
# Rejected traffic from 'Internet' to 'Servers'
# Traffic from 'Internet' to 'mail-news'
# Rejected traffic from 'Internet' to 'mail-news'
# Traffic from 'Local' to 'Internet'
# Allow 'dict'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 2628:2628 -m state --state NEW -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'cddb'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 888:888 -m state --state NEW -j ACCEPT
# Allow 'icq'
iptables -A f1to0 -p udp --sport 0:65535 --dport 4000:4000 -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f1to0 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'msnmessenger'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f1to0 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
# Rejected traffic from 'Local' to 'Internet'
# Traffic from 'Local' to 'Servers'
# Allow 'nis'
# RPC port mapper service
iptables -A f1to2 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
# RPC port mapper service
iptables -A f1to2 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
# General RPC traffic
iptables -A f1to2 -p tcp --sport 0:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
# General RPC traffic
iptables -A f1to2 -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT
# Allow 'esp'
iptables -A f1to2 -p 50 -j ACCEPT
# Allow 'https'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'auth'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 113:113 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
# Allow 'kerberos'
# Ticket requests
iptables -A f1to2 -p udp --sport 1024:5999 --dport 88:88 -j ACCEPT
# Kerberos 5-to-4 ticket conversion
iptables -A f1to2 -p udp --sport 1024:5999 --dport 4444:4444 -j ACCEPT
# Changing password (kpasswd under unix)
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
# Changing password (under windows, old interface)
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 464:464 -m state --state NEW -j ACCEPT
# Changing password (under windows, new interface)
iptables -A f1to2 -p udp --sport 1024:5999 --dport 464:464 -j ACCEPT
# Running kadmin
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to2 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'isakmp'
iptables -A f1to2 -p udp --sport 0:65535 --dport 500:500 -j ACCEPT
# Allow 'redirect'
iptables -A f2to1 -p icmp --icmp-type redirect -j ACCEPT
# Allow 'quench'
iptables -A f1to2 -p icmp --icmp-type source-quench -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f1to2 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f2to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'syslog'
iptables -A f1to2 -p udp --sport 0:65535 --dport 514:514 -j ACCEPT
# Allow 'icp'
iptables -A f1to2 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
iptables -A f2to1 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
# Allow 'bpalogin'
# Authentication
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 5050:5050 -m state --state NEW -j ACCEPT
# Heartbeat
iptables -A f2to1 -p udp --sport 5050:5050 --dport 5050:5050 -j ACCEPT
# Allow 'socks'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1080:1080 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 1080:1080 -j ACCEPT
# Allow 'squid'
# default
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 3128:3128 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'pptp'
# Control connection
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1723:1723 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p 47 -j ACCEPT
# Allow 'privoxy'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8118:8118 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f1to2 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
# Allow 'ah'
iptables -A f1to2 -p 51 -j ACCEPT
# Rejected traffic from 'Local' to 'Servers'
# Traffic from 'Local' to 'mail-news'
# Allow 'smtp'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'nntp'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 119:119 -m state --state NEW -j ACCEPT
# Allow 'pop3'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 110:110 -m state --state NEW -j ACCEPT
# Rejected traffic from 'Local' to 'mail-news'
# Traffic from 'Servers' to 'Internet'
# Rejected traffic from 'Servers' to 'Internet'
# Traffic from 'Servers' to 'Local'
# Allow 'ping'
# Echo Request
iptables -A f2to1 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f1to2 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'nicname'
iptables -A f2to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f2to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
# Rejected traffic from 'Servers' to 'Local'
# Traffic from 'Servers' to 'mail-news'
# Rejected traffic from 'Servers' to 'mail-news'
# Traffic from 'mail-news' to 'Internet'
# Rejected traffic from 'mail-news' to 'Internet'
# Traffic from 'mail-news' to 'Local'
# Allow 'nntp'
iptables -A f3to1 -p tcp --sport 1024:65535 --dport 119:119 -m state --state NEW -j ACCEPT
# Rejected traffic from 'mail-news' to 'Local'
# Traffic from 'mail-news' to 'Servers'
# Rejected traffic from 'mail-news' to 'Servers'
# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to2 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to2 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to2 -j logdrop
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
  iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
  iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A s0 -d 10.11.0.1 -j f0to2
  iptables -A s0 -d 195.138.138.4 -j f0to2
  iptables -A s0 -d 195.138.138.6 -j f0to2
  iptables -A s0 -d 140.117.11.12 -j f0to3
  iptables -A s0 -d 213.239.180.57 -j f0to3
  true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop
# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A s1 -d 10.11.0.1 -j f1to2
  iptables -A s1 -d 195.138.138.4 -j f1to2
  iptables -A s1 -d 195.138.138.6 -j f1to2
  iptables -A s1 -d 140.117.11.12 -j f1to3
  iptables -A s1 -d 213.239.180.57 -j f1to3
  true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Chain to split traffic coming from zone 'Servers' by dest zone
iptables -N s2
for X in $IPS ; do
  iptables -A s2 -d $X -j f2to1
done
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A s2 -d 140.117.11.12 -j f2to3
  iptables -A s2 -d 213.239.180.57 -j f2to3
  true # make sure this if [] has at least something in it.
fi
iptables -A s2 -j f2to0
# Chain to split traffic coming from zone 'mail-news' by dest zone
iptables -N s3
for X in $IPS ; do
  iptables -A s3 -d $X -j f3to1
done
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A s3 -d 10.11.0.1 -j f3to2
  iptables -A s3 -d 195.138.138.4 -j f3to2
  iptables -A s3 -d 195.138.138.6 -j f3to2
  true # make sure this if [] has at least something in it.
fi
iptables -A s3 -j f3to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A srcfilt -s 10.11.0.1 -j s2
  iptables -A srcfilt -s 195.138.138.4 -j s2
  iptables -A srcfilt -s 195.138.138.6 -j s2
  iptables -A srcfilt -s 140.117.11.12 -j s3
  iptables -A srcfilt -s 213.239.180.57 -j s3
  true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0
if [ $MIN_MODE -eq 0 ] ; then
  # Remove the temp DNS accept rules
  iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
  iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null
logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
fi;
true
Ok. That's a crackhead script :rolleyes:. If you change those two rules I posted before to this:
iptables -I INPUT -p tcp --dport 1024:5000 -m state --state NEW -j DROP
iptables -I INPUT -p udp --dport 1024:5000 -m state --state NEW -j DROP
(Same thing as before but using -I instead of -A; basically it just puts the rule at the top instead of the bottom of the chain.) That should be a temporary fix, but walking through the script to find the rule(s) that are causing it in the first place is a better permanent solution.
THANK YOU!!!!!!!!!!!!!!
It worked.... It will be a temporary solution until I find the time to do some reading about iptables... I would like to really thank you for the time you spent helping me... I wish I become as good as you are and help some other guy sometime...
Just stick with it and read as much as you can. I can remember not all that long ago not knowing how to do anything in Linux; it just took time and a whole lot of googling (I think I've learned more from google than grad school ;))
Just briefly looking at it, there are a number of problematic rules that punch open holes in the firewall, but I think this is the major culprit:
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
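Why the appended DROP rules did nothing while the same rules inserted with -I worked, and why the culprit rule above makes a scan report "closed" rather than "stealth", comes down to first-match evaluation. The following is an added example written for this thread, not code from the thread or from Guarddog: a small Python model of iptables chain traversal loaded with a reduced copy of the posted script's path for Internet-to-Local traffic (INPUT -> srcfilt -> s0 -> f0to1). The probe packet, the chain reduction and the "closed"/"stealth" mapping are constructed assumptions; they model the fact that an ACCEPTed SYN to a port with no listener draws a kernel RST (reported as closed) while a DROP draws no reply (reported as stealth).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample probe: a TCP SYN (conntrack state NEW) from the Internet to a
# high port on the local host, as an external port scan would send.
PROBE = {"proto": "tcp", "dport": 3000, "state": "NEW"}


@dataclass
class Rule:
    """One iptables rule, reduced to the matches that matter in this thread."""
    proto: Optional[str] = None                 # -p tcp / -p udp, None = any
    dport: Optional[Tuple[int, int]] = None     # --dport lo:hi, inclusive
    new_only: bool = False                      # -m state --state NEW
    target: str = "ACCEPT"                      # ACCEPT, DROP, or a user chain name

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt["dport"] <= self.dport[1]):
            return False
        if self.new_only and pkt["state"] != "NEW":
            return False
        return True


class Table:
    """First-match evaluation over a built-in INPUT chain plus user chains."""
    def __init__(self, policy: str = "DROP"):
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}
        self.policy = policy                    # iptables -P INPUT <policy>

    def new_chain(self, name: str) -> None:     # iptables -N <name>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I <chain> ...
        self.chains[chain].insert(0, rule)

    def verdict(self, pkt: dict, chain: str = "INPUT") -> str:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            sub = self.verdict(pkt, rule.target)        # -j <user chain>
            if sub != "RETURN":
                return sub
        # Falling off the end of a user chain returns to the caller;
        # falling off the end of INPUT applies the chain policy.
        return self.policy if chain == "INPUT" else "RETURN"


def guarddog_like_table(with_icq_hole: bool = True) -> Table:
    """Reduced model of the posted script: INPUT -> srcfilt -> s0 -> f0to1."""
    t = Table(policy="DROP")
    for name in ("srcfilt", "s0", "f0to1"):
        t.new_chain(name)
    if with_icq_hole:
        # The 'icq' protocol entry emits this Internet->Local ACCEPT, the culprit
        # named in the thread (modelled here, not copied from a live ruleset).
        t.append("f0to1", Rule("tcp", (1024, 65535), new_only=True, target="ACCEPT"))
    t.append("f0to1", Rule(target="DROP"))      # the script's -j logdrop at chain end
    t.append("s0", Rule(target="f0to1"))
    t.append("srcfilt", Rule(target="s0"))
    t.append("INPUT", Rule(target="srcfilt"))
    return t


def scanner_view(verdict: str) -> str:
    """Assumed scanner report: ACCEPT with no listener -> RST -> 'closed'; DROP -> 'stealth'."""
    return "stealth" if verdict == "DROP" else "closed"


def compare_fixes(port: int = 3000) -> Dict[str, str]:
    pkt = dict(PROBE, dport=port)
    block = Rule("tcp", (1024, 5000), new_only=True, target="DROP")

    appended = guarddog_like_table()
    appended.append("INPUT", block)             # -A: lands after -j srcfilt, never reached
    inserted = guarddog_like_table()
    inserted.insert("INPUT", block)             # -I: evaluated before the jump
    cleaned = guarddog_like_table(with_icq_hole=False)   # permanent fix: drop the ACCEPT

    return {
        "append_drop": scanner_view(appended.verdict(pkt)),
        "insert_drop": scanner_view(inserted.verdict(pkt)),
        "insert_drop_port_5001": scanner_view(inserted.verdict(dict(pkt, dport=5001))),
        "culprit_removed": scanner_view(cleaned.verdict(pkt)),
    }


if __name__ == "__main__":
    for name, result in compare_fixes().items():
        print(f"{name:24s} {result}")
```

The "insert_drop_port_5001" case shows why the -I rules are only a stopgap: the culprit ACCEPT still covers 5001 through 65535, so anything above the blocked range keeps answering. Removing that rule from f0to1 (the "culprit_removed" case) lets the chain's own logdrop handle the whole range, which is the permanent fix the reply recommends.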
Good attitude... and Google, well that says it all. :Pengy: fun