Old 06-12-2004, 03:02 PM   #1
LQ Newbie
Registered: Jul 2003
Posts: 22

Rep: Reputation: 15
iptables and nmap


I have written a firewall script using iptables and I have a few questions.

The topology of my network is 3 pc on the same hub.

pc A is ssh and domain name server (ports 22 and 53 are open)
pc B is ftp server (port 21 and 20 must be opened)
pc C is a windows XP client

My scope is to close all ports and keep only ports 22 and 53 open; of course I don't want the ports to be presented as open, so I appended the following commands:

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:x1 -j ACCEPT
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:x2 -j ACCEPT
iptables -A INPUT -mstate --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT

When I scan pc A using nmap with every option, the pc seems to be down, but when I give the command "nmap -P0" I see these ports. Of course I have cut every icmp packet type with

iptables -A INPUT -p icmp --icmp-type <*> -j DROP

Could anybody advise me how this scan works or how I can configure iptables to avoid these scans?

Thank you in advance!

Last edited by Bug; 06-12-2004 at 03:26 PM.
Old 06-13-2004, 11:56 PM   #2
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
iptables -A INPUT -mstate --state ESTABLISHED,RELATED -j ACCEPT

Should this have a space between -m and state or is it just a typo?
Also could you post the rest of your firewall rules including the default policies as it's kind of hard to decipher what's going on in a firewall without looking at all the rules. Also, where are you nmap'ing from? If it's one of the machines with an allowed MAC, then it should see all open ports.

The default nmap scan works by sending out an initial icmp echo request and a tcp ack packet to port 80 in order to see if the host is up. If it gets a reply then it proceeds to scan the host; if it doesn't get a reply then nmap assumes the remote host is down. It's likely that because you're specifically dropping icmp traffic, the initial query stage failed to generate a reply. With the -P0 option, nmap skips that initial step and just scans the remote host. Check out the nmap man page (it's pretty informative) as well as the website docs for more info on how nmap works.
Old 06-14-2004, 10:19 AM   #3
LQ Newbie
Registered: Jul 2003
Posts: 22

Original Poster
Rep: Reputation: 15
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

iptables -P INPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -j DROP
iptables -A INPUT -p icmp --icmp-type 3 -j DROP
iptables -A INPUT -p icmp --icmp-type 4 -j DROP
iptables -A INPUT -p icmp --icmp-type 5 -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A INPUT -p icmp --icmp-type 9 -j DROP
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A INPUT -p icmp --icmp-type 14 -j DROP
iptables -A INPUT -p icmp --icmp-type 15 -j DROP
iptables -A INPUT -p icmp --icmp-type 16 -j DROP
iptables -A INPUT -p icmp --icmp-type 17 -j DROP
iptables -A INPUT -p icmp --icmp-type 18 -j DROP

iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -A INPUT -m mac --mac-source yy:yy:yy:yy:yy:yy -j ACCEPT

The commands above exist in my script (yes, I know it is not written properly).

I scan my firewalled pc from another pc with another MAC.

What mistake am I making? I want my ports to be invisible.
Old 06-14-2004, 02:14 PM   #4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
iptables -A INPUT -p tcp -m multiport --destination-port 22,53 -j ACCEPT

This rule is basically going to allow anyone to access ports 22 and 53 regardless of MAC address. The two MAC rules afterwards, simply allow systems with those MACs to access any ports they like. I'm guessing that's not what you had in mind.

If you're trying to limit access to ports 22,53 to only machines with accepted MACs and to no other systems, then there are two ways to do it. First you can combine all the MAC and multiport rules into two rules that look like this:

iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -p tcp -m multiport --destination-port 22,53 -j ACCEPT
iptables -A INPUT -m mac --mac-source yy:yy:yy:yy:yy:yy -p tcp -m multiport --destination-port 22,53 -j ACCEPT

So with those rules you are filtering based on MAC and destination port at the same time. The second way to do this is to create a user defined chain and then pull traffic with desired MACs into the user defined chain and then filter by destination port. I think that is probably going to be the best way to do it, because I think you'll find you need to allow UDP traffic for DNS and your rules will start getting a little out of hand.

Also, since you are dropping traffic by default, why don't you remove all the rules dropping the different icmp types (it's kind of redundant) and only specify which ones you want to allow.
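One way to lay out the rule set that post #4 describes (a user-defined chain fed by the allowed MACs, port filtering inside that chain, UDP as well as TCP for DNS, and only the wanted ICMP types under a default DROP policy), as an added example that is not from the thread or any of the posters. The MAC addresses are placeholders, and IPT defaults to echo so the rule list can be inspected without root before applying it with IPT=iptables:

```shell
#!/bin/sh
# Added example, not from the thread. IPT=echo (the default) prints the rules
# as a dry run; IPT=iptables applies them as root. MAC matching only works
# for hosts on the same layer-2 segment (the OP's hub), and only in INPUT,
# FORWARD and PREROUTING.
IPT="${IPT:-echo}"
ALLOWED_MACS="${ALLOWED_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"  # placeholders

build_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP      # anything not matched below is silently dropped
    # create the user-defined chain, or flush it if it already exists
    $IPT -N MACOK 2>/dev/null || $IPT -F MACOK
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # pull traffic from trusted MACs into MACOK; every other host falls
    # through to the DROP policy and gets no reply at all (no RST, no
    # unreachable), so a scanner sees the ports as filtered rather than open
    for mac in $ALLOWED_MACS; do
        $IPT -A INPUT -m mac --mac-source "$mac" -j MACOK
    done
    # inside MACOK: only the services pc A runs; DNS needs UDP 53 as well
    $IPT -A MACOK -p tcp -m multiport --dports 22,53 -j ACCEPT
    $IPT -A MACOK -p udp --dport 53 -j ACCEPT
    # allow only the ICMP types we actually want (here: ping from trusted
    # hosts); the per-type DROP rules of the original script are unnecessary
    $IPT -A MACOK -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A MACOK -j DROP
}

build_rules   # dry run prints the rule list; apply with IPT=iptables as root
```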
