Hi!

I have written a firewall script using iptables and I have a few questions.

The topology of my network is 3 pc on the same hub.

pc A is ssh and domain name server (ports 22 and 53 are open)
pc B is ftp server (port 21 and 20 must be opened)
pc C is a windows XP client

My scope is to close all ports and keep only ports 22 and 53 open, ofcourse I don't want the ports to be presented as open so I appended the following commands:


iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:x1 -j ACCEPT
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:x2 -j ACCEPT
iptables -A INPUT -mstate --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT


When I scan pc A using nmap with every option the pc it seems to be down but when i give the command "nmap -P0" I see these ports. Of course I have cut every icmp packet states with

iptables -A INPUT -p icmp --icmp-type <*> -j DROP

Could anybody advise me how this scan works or how I can configure iptables to avoid these scans?


Thank U in advance!

iptables -A INPUT -mstate --state ESTABLISHED,RELATED -j ACCEPT

Should this have a space between -m and state or is it just a typo?
Also could you post the rest of your firewall rules including the default policies as it's kind of hard to decipher what's going on in a firewall without looking at all the rules. Also, where are you nmap'ing from? If it's one of the machines with an allowed MAC, then it should see all open ports.

The default nmap scan works by sending out an initial icmp echo request and a tcp ack packet to port 80 in order to see if the host is up. If it get a reply then it proceeds to scan the host, if it doesn't get a reply then nmap assumes the remote host is down. It's likely that because you're specifically dropping icmp traffic, the initial query stage failed to generate a reply. With the -P0 option, nmap skips that initial step and just scans the remote host. Check out the nmap man page (it's pretty informative) as well as the insecure.org website docs for more info on how nmap works.

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -j DROP

iptables -A INPUT -p icmp --icmp-type 3 -j DROP

iptables -A INPUT -p icmp --icmp-type 4 -j DROP

iptables -A INPUT -p icmp --icmp-type 5 -j DROP

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

iptables -A INPUT -p icmp --icmp-type 9 -j DROP

iptables -A INPUT -p icmp --icmp-type 13 -j DROP

iptables -A INPUT -p icmp --icmp-type 14 -j DROP

iptables -A INPUT -p icmp --icmp-type 15 -j DROP

iptables -A INPUT -p icmp --icmp-type 16 -j DROP

iptables -A INPUT -p icmp --icmp-type 17 -j DROP

iptables -A INPUT -p icmp --icmp-type 18 -j DROP

iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

iptables -A INPUT -m mac --mac-source yy:yy:yy:yy:yy:yy -j ACCEPT


The commands above exist in my script (yes I know is not written properly )

I scan my firewalled pc from an other pc with other mac .

What mistake I do? I want my ports to be invisible

iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT

This rule is basically going to allow anyone to access ports 22 and 53 regardless of MAC address. The two MAC rules afterwards, simply allow systems with those MACs to access any ports they like. I'm guessing that's not what you had in mind.

If you're trying to limit access to ports 22,53 to only machines with accepted MACs and to no other systems, then there are two ways to do it. First you can combine the all the MAC and multiport rules into two rules that look like this:

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp -m multiport --destination-port 22,53 -j ACCEPT
iptables -A INPUT -m mac --mac-source yy:yy:yy:yy:yy:yy -p tcp -m multiport --destination-port 22,53 -j ACCEPT

So with those rules you are filtering based on MAC and destination port at the same time. The second way to do this is to create a user defined chain and then pull traffic with desired MACs into the user defined chain and then filter by destination port. I think that is probably going to be the best way to do it, because I think you'll find you need to allow UDP traffic for DNS and your rules will start getting a little out of hand.

Also, since you are dropping traffic by default, why don't you remove all the rules dropping the different icmp types (it's kind of redundant) and only specify which ones you want to allow.