LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-10-2004, 09:55 AM   #1
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Rep: Reputation: 15
How can I make ports 1024-5000 stealth?


Hello everybody,
I configured my firewall (iptables/guarddog) and went to www.grc.com to see the results. I got everything stealth except ports 1024 to 5000, which were in status "closed". Does anybody know what I can do in order to make them stealth?
 
Old 02-10-2004, 12:13 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
How is your current firewall configured?
 
Old 02-10-2004, 12:55 PM   #3
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
I use guarddog, I guess it has to do with Local Dynamic Port Range?
 
Old 02-10-2004, 05:42 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I don't use guarddog, but from looking at the guarddog online manual I believe that you want to disable that option (Local Dynamic Ports). Try it and re-run the grc test.
 
Old 02-10-2004, 08:13 PM   #5
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
Well, I couldn't manage to find a remove option in guarddog, and when I set the range from 1024 to 3999, I saw no difference (i.e. ports 1024-5000 were still in status "closed"). I guess I'll have to add some lines to the script generated by guarddog... Does anyone have any idea how I can set a range of ports in stealth mode?
 
Old 02-10-2004, 08:34 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
iptables -A INPUT -p tcp --dport 1024:5000 -m state --state NEW -j DROP
iptables -A INPUT -p udp --dport 1024:5000 -m state --state NEW -j DROP
 
Old 02-10-2004, 09:37 PM   #7
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
It doesn't work, neither as lines in the script nor from the console....
 
Old 02-10-2004, 10:25 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There's probably something explicitly allowing those ports. Post your firewall script after removing any identifiable public IPs.
 
Old 02-10-2004, 10:37 PM   #9
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
Sorry, actually the two lines you posted work perfectly, I just forgot to flush my previous rules. The problem is that when I add those lines to my script they have no effect... (ports 1024 to 5000 remain in status "closed")
Here is my script:

#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=0
# LOGDROP=1
# LOGABORTEDTCP=0
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [Zone]
# NAME=Servers
# COMMENT=IB servers
# ADDRESS=10.11.0.1
# ADDRESS=195.138.138.4
# ADDRESS=195.138.138.6
# [Zone]
# NAME=mail-news
# COMMENT=mail-news
# ADDRESS=140.117.11.12
# ADDRESS=213.239.180.57
# [ServerZone] Internet
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=dict
# PROTOCOL=https
# PROTOCOL=cddb
# PROTOCOL=icq
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=msnmessenger
# PROTOCOL=nicname
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=0
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] Local
# [ClientZone] Internet
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] Servers
# CONNECTED=1
# PROTOCOL=ping
# PROTOCOL=nicname
# PROTOCOL=vj-traceroute
# [ClientZone] mail-news
# CONNECTED=1
# PROTOCOL=nntp
# [ServerZone] Servers
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=nis
# PROTOCOL=esp
# PROTOCOL=https
# PROTOCOL=auth
# PROTOCOL=kerberos
# PROTOCOL=domain
# PROTOCOL=isakmp
# PROTOCOL=redirect
# PROTOCOL=quench
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=syslog
# PROTOCOL=icp
# PROTOCOL=bpalogin
# PROTOCOL=socks
# PROTOCOL=squid
# PROTOCOL=nicname
# PROTOCOL=pptp
# PROTOCOL=privoxy
# PROTOCOL=http
# PROTOCOL=vj-traceroute
# PROTOCOL=ah
# [ClientZone] mail-news
# CONNECTED=0
# [ServerZone] mail-news
# [ClientZone] Internet
# CONNECTED=0
# [ClientZone] Local
# CONNECTED=1
# PROTOCOL=smtp
# PROTOCOL=nntp
# PROTOCOL=pop3
# [ClientZone] Servers
# CONNECTED=0
# [End]

# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -j logreject2

# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Internet' to 'Servers'
iptables -N f0to2
# Create chain to filter traffic going from 'Internet' to 'mail-news'
iptables -N f0to3
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Create chain to filter traffic going from 'Local' to 'Servers'
iptables -N f1to2
# Create chain to filter traffic going from 'Local' to 'mail-news'
iptables -N f1to3
# Create chain to filter traffic going from 'Servers' to 'Internet'
iptables -N f2to0
# Create chain to filter traffic going from 'Servers' to 'Local'
iptables -N f2to1
# Create chain to filter traffic going from 'Servers' to 'mail-news'
iptables -N f2to3
# Create chain to filter traffic going from 'mail-news' to 'Internet'
iptables -N f3to0
# Create chain to filter traffic going from 'mail-news' to 'Local'
iptables -N f3to1
# Create chain to filter traffic going from 'mail-news' to 'Servers'
iptables -N f3to2
# Add rules to the filter chains

# Traffic from 'Internet' to 'Local'
# Allow 'ping'
# Echo Request
iptables -A f0to1 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f1to0 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'nicname'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f0to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT

# Rejected traffic from 'Internet' to 'Local'

# Traffic from 'Internet' to 'Servers'

# Rejected traffic from 'Internet' to 'Servers'

# Traffic from 'Internet' to 'mail-news'

# Rejected traffic from 'Internet' to 'mail-news'

# Traffic from 'Local' to 'Internet'
# Allow 'dict'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 2628:2628 -m state --state NEW -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'cddb'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 888:888 -m state --state NEW -j ACCEPT
# Allow 'icq'
iptables -A f1to0 -p udp --sport 0:65535 --dport 4000:4000 -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f1to0 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'msnmessenger'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 1863:1863 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f1to0 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT

# Rejected traffic from 'Local' to 'Internet'

# Traffic from 'Local' to 'Servers'
# Allow 'nis'
# RPC port mapper service
iptables -A f1to2 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
# RPC port mapper service
iptables -A f1to2 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
# General RPC traffic
iptables -A f1to2 -p tcp --sport 0:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
# General RPC traffic
iptables -A f1to2 -p udp --sport 0:65535 --dport 1024:65535 -j ACCEPT
# Allow 'esp'
iptables -A f1to2 -p 50 -j ACCEPT
# Allow 'https'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'auth'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 113:113 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
# Allow 'kerberos'
# Ticket requests
iptables -A f1to2 -p udp --sport 1024:5999 --dport 88:88 -j ACCEPT
# Kerberos 5-to-4 ticket conversion
iptables -A f1to2 -p udp --sport 1024:5999 --dport 4444:4444 -j ACCEPT
# Changing password (kpasswd under unix)
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
# Changing password (under windows, old interface)
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 464:464 -m state --state NEW -j ACCEPT
# Changing password (under windows, new interface)
iptables -A f1to2 -p udp --sport 1024:5999 --dport 464:464 -j ACCEPT
# Running kadmin
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 749:749 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to2 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'isakmp'
iptables -A f1to2 -p udp --sport 0:65535 --dport 500:500 -j ACCEPT
# Allow 'redirect'
iptables -A f2to1 -p icmp --icmp-type redirect -j ACCEPT
# Allow 'quench'
iptables -A f1to2 -p icmp --icmp-type source-quench -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
# - Handled by netfilter state tracking
# Data connection passive mode
# - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f1to2 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f2to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'syslog'
iptables -A f1to2 -p udp --sport 0:65535 --dport 514:514 -j ACCEPT
# Allow 'icp'
iptables -A f1to2 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
iptables -A f2to1 -p udp --sport 1024:65535 --dport 3130:3130 -j ACCEPT
# Allow 'bpalogin'
# Authentication
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 5050:5050 -m state --state NEW -j ACCEPT
# Heartbeat
iptables -A f2to1 -p udp --sport 5050:5050 --dport 5050:5050 -j ACCEPT
# Allow 'socks'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1080:1080 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 1080:1080 -j ACCEPT
# Allow 'squid'
# default
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 3128:3128 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'pptp'
# Control connection
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 1723:1723 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p 47 -j ACCEPT
# Allow 'privoxy'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8118:8118 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to2 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f1to2 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT
# Allow 'ah'
iptables -A f1to2 -p 51 -j ACCEPT

# Rejected traffic from 'Local' to 'Servers'

# Traffic from 'Local' to 'mail-news'
# Allow 'smtp'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'nntp'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 119:119 -m state --state NEW -j ACCEPT
# Allow 'pop3'
iptables -A f1to3 -p tcp --sport 1024:5999 --dport 110:110 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Local' to 'mail-news'

# Traffic from 'Servers' to 'Internet'

# Rejected traffic from 'Servers' to 'Internet'

# Traffic from 'Servers' to 'Local'
# Allow 'ping'
# Echo Request
iptables -A f2to1 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f1to2 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'nicname'
iptables -A f2to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'vj-traceroute'
iptables -A f2to1 -p udp --sport 0:65535 --dport 33434:33600 -j ACCEPT

# Rejected traffic from 'Servers' to 'Local'

# Traffic from 'Servers' to 'mail-news'

# Rejected traffic from 'Servers' to 'mail-news'

# Traffic from 'mail-news' to 'Internet'

# Rejected traffic from 'mail-news' to 'Internet'

# Traffic from 'mail-news' to 'Local'
# Allow 'nntp'
iptables -A f3to1 -p tcp --sport 1024:65535 --dport 119:119 -m state --state NEW -j ACCEPT

# Rejected traffic from 'mail-news' to 'Local'

# Traffic from 'mail-news' to 'Servers'

# Rejected traffic from 'mail-news' to 'Servers'

# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to2 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to2 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f2to3 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to0 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f3to2 -j logdrop

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to iptables and have it
# look them up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
iptables -A s0 -d 10.11.0.1 -j f0to2
iptables -A s0 -d 195.138.138.4 -j f0to2
iptables -A s0 -d 195.138.138.6 -j f0to2
iptables -A s0 -d 140.117.11.12 -j f0to3
iptables -A s0 -d 213.239.180.57 -j f0to3
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop

# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
iptables -A s1 -d 10.11.0.1 -j f1to2
iptables -A s1 -d 195.138.138.4 -j f1to2
iptables -A s1 -d 195.138.138.6 -j f1to2
iptables -A s1 -d 140.117.11.12 -j f1to3
iptables -A s1 -d 213.239.180.57 -j f1to3
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0

# Chain to split traffic coming from zone 'Servers' by dest zone
iptables -N s2
for X in $IPS ; do
iptables -A s2 -d $X -j f2to1
done
if [ $MIN_MODE -eq 0 ] ; then
iptables -A s2 -d 140.117.11.12 -j f2to3
iptables -A s2 -d 213.239.180.57 -j f2to3
true # make sure this if [] has at least something in it.
fi
iptables -A s2 -j f2to0

# Chain to split traffic coming from zone 'mail-news' by dest zone
iptables -N s3
for X in $IPS ; do
iptables -A s3 -d $X -j f3to1
done
if [ $MIN_MODE -eq 0 ] ; then
iptables -A s3 -d 10.11.0.1 -j f3to2
iptables -A s3 -d 195.138.138.4 -j f3to2
iptables -A s3 -d 195.138.138.6 -j f3to2
true # make sure this if [] has at least something in it.
fi
iptables -A s3 -j f3to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
iptables -A srcfilt -s 10.11.0.1 -j s2
iptables -A srcfilt -s 195.138.138.4 -j s2
iptables -A srcfilt -s 195.138.138.6 -j s2
iptables -A srcfilt -s 140.117.11.12 -j s3
iptables -A srcfilt -s 213.239.180.57 -j s3
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0

if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1

iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt

# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
fi;
true
 
Old 02-10-2004, 10:48 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Ok. That's a crackhead script. If you change those two rules I posted before to this:

iptables -I INPUT -p tcp --dport 1024:5000 -m state --state NEW -j DROP
iptables -I INPUT -p udp --dport 1024:5000 -m state --state NEW -j DROP

(Same thing as before, but using -I instead of -A; it basically just puts the rule at the top of the chain instead of the bottom.) That should be a temporary fix, but walking through the script to find the rule(s) that are causing it in the first place is a better permanent solution.
 
Old 02-10-2004, 10:56 PM   #11
stelmed
Member
 
Registered: Mar 2003
Location: Evia-Greece
Distribution: Slackware
Posts: 104

Original Poster
Rep: Reputation: 15
THANK YOU!!!!!!!!!!!!!!
It worked... It will be a temporary solution until I find the time to do some reading about iptables...

I would really like to thank you for the time you spent helping me... I hope I become as good as you are and help some other guy sometime...
 
Old 02-10-2004, 11:17 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Just stick with it and read as much as you can. I can remember not all that long ago not knowing how to do anything in Linux; it just took time and a whole lot of googling (I think I've learned more from google than grad school).

Just briefly looking at it, there are a number of problematic rules that punch open holes in the firewall, but I think this is the major culprit:

iptables -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
 
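To see why the appended (-A) rules from #6 had no effect while the inserted (-I) rules from #10 did, and what the f0to1 rule quoted in #12 does to a probe arriving from the Internet, here is an added example that is not part of the thread and not Guarddog's own code: a small Python walk over a reduced copy of the posted chain layout. The address 192.0.2.10 (the local box) is a constructed placeholder, and the verdict-to-scanner mapping assumes nothing is listening on the probed port, so an ACCEPTed SYN draws a TCP RST ("closed" on grc) while a DROP draws no reply ("stealth").

```python
"""Walk a reduced copy of the posted Guarddog chain layout to see which rule decides
the fate of an unsolicited TCP SYN. Constructed example, not Guarddog's own code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LOCAL_IP = "192.0.2.10"  # constructed placeholder for the Slackware box's address

@dataclass
class Packet:
    proto: str
    dport: int
    sport: int
    state: str = "NEW"   # conntrack state as 'iptables -m state' sees it
    iface: str = "eth0"
    dst: str = LOCAL_IP

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # ACCEPT, DROP, RETURN or the name of a user-defined chain

Ruleset = Dict[str, List[Rule]]
ANY = lambda p: True     # a rule with no match options

def tcp_new(lo: int, hi: int, slo: int = 0, shi: int = 65535) -> Callable[[Packet], bool]:
    """Match '-p tcp --sport slo:shi --dport lo:hi -m state --state NEW'."""
    return lambda p: (p.proto == "tcp" and p.state == "NEW"
                      and lo <= p.dport <= hi and slo <= p.sport <= shi)

def walk(chains: Ruleset, chain: str, pkt: Packet) -> Optional[str]:
    """Netfilter semantics: the first terminating verdict wins, a jump recurses into
    the user chain, and RETURN or running off its end resumes the calling chain."""
    for rule in chains[chain]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None

def guarddog_like() -> Ruleset:
    """INPUT -> nicfilt -> srcfilt -> s0 -> f0to1 as in the posted script, keeping
    only the rules that matter for an Internet-sourced SYN to TCP 1024-5000."""
    return {
        "INPUT": [
            Rule(lambda p: p.iface == "lo", "ACCEPT"),
            Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
            Rule(ANY, "nicfilt"),
            Rule(ANY, "srcfilt"),
        ],
        "nicfilt": [Rule(lambda p: p.iface == "eth0", "RETURN"), Rule(ANY, "logdrop")],
        "srcfilt": [Rule(ANY, "s0")],                      # Internet is the default zone
        "s0": [Rule(lambda p: p.dst == LOCAL_IP, "f0to1"), Rule(ANY, "logdrop")],
        "f0to1": [
            Rule(tcp_new(43, 43, 1024, 65535), "ACCEPT"),       # 'nicname'
            Rule(tcp_new(1024, 65535, 1024, 65535), "ACCEPT"),  # the 'icq' rule quoted in #12
            Rule(ANY, "logdrop"),
        ],
        "logdrop": [Rule(ANY, "DROP")],                     # LOG, then DROP, in the real script
    }

def with_drop_rule(chains: Ruleset, insert_at_top: bool) -> Ruleset:
    """Add 'iptables -A|-I INPUT -p tcp --dport 1024:5000 -m state --state NEW -j DROP':
    -A appends it after the jump to srcfilt, -I puts it at position 1 of INPUT."""
    new = {name: list(rules) for name, rules in chains.items()}
    drop = Rule(tcp_new(1024, 5000), "DROP")
    if insert_at_top:
        new["INPUT"].insert(0, drop)
    else:
        new["INPUT"].append(drop)
    return new

def probe(chains: Ruleset, port: int) -> str:
    """What the scanner sees for one SYN to `port` with nothing listening there: an
    ACCEPTed SYN draws a TCP RST from the kernel ('closed'), a DROP draws no reply ('stealth')."""
    v = walk(chains, "INPUT", Packet("tcp", dport=port, sport=40000)) or "DROP"  # policy DROP
    return "closed" if v == "ACCEPT" else "stealth"

if __name__ == "__main__":
    base = guarddog_like()
    for label, rs in (("unchanged", base), ("-A appended", with_drop_rule(base, False)),
                      ("-I inserted", with_drop_rule(base, True))):
        print(f"{label:12} port 3000 -> {probe(rs, 3000):8} port 6000 -> {probe(rs, 6000)}")
```

With -A the DROP rule sits behind the jump to srcfilt, and the SYN has already been ACCEPTed inside f0to1 before INPUT ever reaches it; with -I it is evaluated first. The wide 'icq' rule still leaves ports above 5000 "closed", which is why the inserted rule is only a temporary fix.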
Old 02-10-2004, 11:30 PM   #13
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Good attitude... and Google, well that says it all.
 