LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-16-2006, 02:59 PM   #1
inescapeableus
Member
 
Registered: Feb 2004
Location: Canada
Distribution: GNU/Linux Debian (Etch)
Posts: 319

Rep: Reputation: 30
IPTables Halting


I have accomplished this issue, yet for some reason I can't close my FTP (21) and SMTP (25) attached is my iptables rules.

#!/bin/bash
#
#
#Chain Policies
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
#
#
#Flusing Any Exisiting Rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
#
#
#Allow Input From Loopback Device
#
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#
#
#Allow INPUT & OUTPUT for DNS
#
iptables -A INPUT -p udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT
#
#
#Allow Port 80 to be open TCP
#
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#
#
#Allow PORT 80 to be open UDP
iptables -A INPUT -p udp -m udp --sport 80 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 80 -j ACCEPT
#
#
#Allow HTTPS To Connect
#
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#
#
#FTP Port 21 Close
iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
iptables -A INPUT -p udp -i eth0 --dport 21 -j DROP
#
#
#Block any other connections except the ports listed above
#
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
#
#

Last edited by inescapeableus; 06-16-2006 at 03:55 PM.
 
Old 06-16-2006, 11:16 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you post the exact nmap command you are using to scan the box?
 
Old 06-17-2006, 04:46 PM   #3
Israfel2000
Member
 
Registered: May 2004
Location: Underground base in the mountains
Distribution: FreeBSD, Fedora, Ubuntu
Posts: 87
Blog Entries: 2

Rep: Reputation: 18
You can try other communication devices like eth0, eth1, eth2, etc. Or if you have a dial up modem try modem0, modem1, modem2, etc. This could be your problem.
 
Old 06-17-2006, 07:54 PM   #4
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358Reputation: 358Reputation: 358Reputation: 358
Are you by chance trying to FTP to yourself (i.e., using loopback)? If so, then your loopback rule is allowing that.

Also, I always set policies AFTER flushing. I don't know if this really makes a difference. But a question that begs testing is "Does the flush flush polices too?" Never tested it personally to prove one way or the other. I've always just done policies after flushing, and I know that works.
 
Old 06-17-2006, 11:21 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by haertig
I always set policies AFTER flushing. I don't know if this really makes a difference. But a question that begs testing is "Does the flush flush polices too?" Never tested it personally to prove one way or the other. I've always just done policies after flushing, and I know that works.
no, flushing will not change your policies...
 
Old 06-17-2006, 11:51 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by inescapeableus
I have accomplished this issue, yet for some reason I can't close my FTP (21) and SMTP (25) attached is my iptables rules.

#!/bin/bash
#
#
#Chain Policies
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
#
#
#Flusing Any Exisiting Rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
#
#
#Allow Input From Loopback Device
#
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#
#
#Allow INPUT & OUTPUT for DNS
#
iptables -A INPUT -p udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT
#
#
#Allow Port 80 to be open TCP
#
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#
#
#Allow PORT 80 to be open UDP
iptables -A INPUT -p udp -m udp --sport 80 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 80 -j ACCEPT
#
#
#Allow HTTPS To Connect
#
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#
#
#FTP Port 21 Close
iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
iptables -A INPUT -p udp -i eth0 --dport 21 -j DROP
#
#
#Block any other connections except the ports listed above
#
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
#
#
i don't really see anything that would explain why your ports 21 and 25 are still appearing as opened (make sure you are scanning your box *remotely*), but there are indeed some awkward and redundant rules in your script... for example, there is no need to DROP port 21 if your policy is already set to DROP and you haven't ACCEPTed anything on 21... also, is there some particular reason why you are REJECTing at the end of the chains??

either way, here's a cleaned-up donation for you:
Code:
#!/bin/bash

### IPtables location...
IPT="/usr/sbin/iptables"

### WAN interface name...
WAN_IFACE="eth0"

### Make sure forwarding is disabled...
echo "0" > /proc/sys/net/ipv4/ip_forward

### Flush chains...
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

### Delete user chains...
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

### Set policies...
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

### It doesn't hurt to be thorough...
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

### Allow packets belonging to established connections, and/or
### connections related to established ones...
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow loopback interface...
$IPT -A INPUT -i lo -j ACCEPT

### Allow DNS daemon...
$IPT -A INPUT -p UDP -i $WAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT

### Allow HTTP daemon...
$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

### Allow UDP port 80 (not sure what for)...
$IPT -A INPUT -p UDP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

### Allow HTTPS daemon...
$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 443 \
-m state --state NEW -j ACCEPT

### Log everything else before sending it to DROP...
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

### Allow packets belonging to established connections, and/or
### connections related to established ones...
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow loopback interface...
$IPT -A OUTPUT -o lo -j ACCEPT

### Log everything else before sending it to DROP...
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
if you still have ports 21 and 25 open after this, then something funny is going-on... like Capt_Caveman said, you should post the method you are using to determine the ports are indeed still open...

just my ... good luck...

Last edited by win32sux; 06-18-2006 at 06:10 PM.
 
Old 06-18-2006, 01:10 PM   #7
inescapeableus
Member
 
Registered: Feb 2004
Location: Canada
Distribution: GNU/Linux Debian (Etch)
Posts: 319

Original Poster
Rep: Reputation: 30
haha thanks for the help, I know of the dual attempts to close 21 and 25 I was just fishing for ideas.
 
Old 06-18-2006, 03:04 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
so it's working fine now??
 
Old 06-18-2006, 06:59 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
@inescapeableus: Could you answer some of the questions asked in this thread? If you are nmaping localhost, then that's likely why you are seeing open ports.

As a side note, filtering incoming traffic based on source ports is a *REALLY* bad idea. As an example, if a remote attacker sets his nmap scan to use a source port of 53, then he can scan every single port on your box as if there was no firewall at all. In fact, if you read the nmap man page subsection on source ports it describes this exact hole and recommends setting the source to port 53 for your scans because it's a common misconfiguration. Unless you are running a DNS, HTTP, or HTTPS server then you should only allow traffic that is in the ESTABLISHED or RELATED states. If you are running those services and need them to be publically accessible, then use something like the script win32sux posted.
 
Old 06-18-2006, 09:19 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
yeah, the script i posted assumes this is a dedicated server... it won't let the server *initiate* a connection at all (only respond to connections initiated by clients)...

if this was actually a client (instead of a server), then most of the INPUT rules i posted would need to be translated into OUTPUT rules... let us know exactly what it is you are doing here, because it's hard to tell by looking at your rules...
 
Old 06-18-2006, 09:24 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
here's the script again, but modified for a (stealth) client:
Code:
#!/bin/bash

### IPtables location...
IPT="/usr/sbin/iptables"

### WAN interface name...
WAN_IFACE="eth0"

### Make sure forwarding is disabled...
echo "0" > /proc/sys/net/ipv4/ip_forward

### Flush chains...
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

### Delete user chains...
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

### Set policies...
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

### It doesn't hurt to be thorough...
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

### Allow packets belonging to established connections, and/or
### connections related to established ones...
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow loopback interface...
$IPT -A INPUT -i lo -j ACCEPT

### Log everything before sending it to DROP...
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

### Allow packets belonging to established connections, and/or
### connections related to established ones...
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow loopback interface...
$IPT -A OUTPUT -o lo -j ACCEPT

### Allow DNS...
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT

### Allow HTTP...
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

### Allow UDP port 80 (not sure what for)...
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

### Allow HTTPS...
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 443 \
-m state --state NEW -j ACCEPT

### Log everything else before sending it to DROP...
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
 
Old 06-19-2006, 07:28 AM   #12
Israfel2000
Member
 
Registered: May 2004
Location: Underground base in the mountains
Distribution: FreeBSD, Fedora, Ubuntu
Posts: 87
Blog Entries: 2

Rep: Reputation: 18
Quote:
haha thanks for the help, I know of the dual attempts to close 21 and 25 I was just fishing for ideas
Hhm. I knew something was fishy.

Quote:
@inescapeableus: Could you answer some of the questions asked in this thread? If you are nmaping localhost, then that's likely why you are seeing open ports.

As a side note, filtering incoming traffic based on source ports is a *REALLY* bad idea. As an example, if a remote attacker sets his nmap scan to use a source port of 53, then he can scan every single port on your box as if there was no firewall at all. In fact, if you read the nmap man page subsection on source ports it describes this exact hole and recommends setting the source to port 53 for your scans because it's a common misconfiguration. Unless you are running a DNS, HTTP, or HTTPS server then you should only allow traffic that is in the ESTABLISHED or RELATED states. If you are running those services and need them to be publically accessible, then use something like the script win32sux posted.
Now that the tables have turned, can you answer the questions?
 
Old 06-19-2006, 08:53 AM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Let's try to keep the replies related to *helping* the OP. My last reply was a bit on the harsh side, but that was because he's been using a badly misconfigured firewall that is a security risk, so it's important to get down to details and resolved as soon as possible.
 
Old 06-20-2006, 02:07 AM   #14
Israfel2000
Member
 
Registered: May 2004
Location: Underground base in the mountains
Distribution: FreeBSD, Fedora, Ubuntu
Posts: 87
Blog Entries: 2

Rep: Reputation: 18
Ok then. No problem. As for inescapeableus, you should use the firewall script that win32sux posted. As I too recomend it.

Last edited by Israfel2000; 06-20-2006 at 02:17 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Help please... System Halting!?! MadLogic Linux - Software 2 07-21-2005 08:16 AM
halting problem help me navaladi Mandriva 3 02-01-2005 05:05 AM
halting the system jogurt666 Debian 2 02-16-2004 05:59 AM
halting reepark Linux - Newbie 1 08-13-2002 01:51 PM
Halting the machine saturn Linux - General 4 01-23-2002 09:15 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration