Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Can you post your script that creates the rules? Your INPUT chain's default policy is set to DROP, but the first rule (ACCEPT all -- 0.0.0.0/0 0.0.0.0/0) looks like it accepts anything.
There are 2 main ways to modify your rules. You can have a shell script with multiple iptables rules or you can use iptables-save and iptables-restore to store/retrieve them. How to change your rules depends on which method your script is using.
I have tried to remove the INPUT rules for ports 139, 138 and 137.
After restarting iptables, I can't use Samba to connect to the Linux box.
But when I re-enter these rules and restart iptables again, Samba works fine. The result and the listed rules are not the same.
Here is the iptables script.
Quote:
## /etc/sysconfig/iptables
## Default policy - deny all requests
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
## OUTPUT is left at its built-in default policy (ACCEPT)
#:OUTPUT DROP [0:0]
## Pass all locally-originating packets
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
## Accept all ICMP requests
-A INPUT -p icmp -j ACCEPT
## Accept traffic on port from a specific IP
## (Do NOT remove the following keywords,
## as they're needed to alter incoming IPs and ports.)
## Samba: 139/tcp is the NetBIOS session service; 137 (name service)
## and 138 (datagram service) are UDP, so they need -p udp to match
## UPDATE ##
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 139 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.100 --dport 138 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.100 --dport 137 -j ACCEPT
## END ##
## Drop outside initiated connections
-A INPUT -m state --state NEW -j REJECT
## Allow inbound established and related outside communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## iptables-restore needs COMMIT to apply the table; without it nothing loads
COMMIT
OK, the rules look fine. According to man iptables, the "exact rules are suppressed until you use iptables -L -v". Can you run that and post the output please?
Following is the output of "iptables -L -v":
When using -L and -v to list the table rules,
I think the first rule accepts the local (loopback) connection...
The problem may have been that I was using the wrong command option to list the rules.
Quote:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 REJECT all -- any any anywhere anywhere state NEW reject-with icmp-port-unreachable
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
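The mismatch in this thread is between what the rules file says and what the kernel actually loaded: the three port rules are in the file but absent from the `iptables -L -v` listing. The script below is an added example, not the poster's code or anything from iptables itself. It parses both the `-A` lines of an iptables-save/restore file and the output of `iptables -L -v` (with or without `-n`), normalises the different spellings of the same thing (`anywhere` vs `0.0.0.0/0`, `any` vs `*`, `ESTABLISHED,RELATED` vs `RELATED,ESTABLISHED`) and reports which file rules did not load. The sample rules file and the second listing are constructed for the example (137/138 as UDP, which is what the NetBIOS name and datagram services use); the first listing is the one posted above. It only understands the match options used in this thread (`-i`, `-o`, `-p`, `-s`, `--dport`, `--state`, `-j`).

```python
"""Diff the rules in an iptables-restore file against a live `iptables -L -v` listing.

Added example for this thread; it is not the poster's script. Assumptions:
the listing came from `iptables -L -v` (optionally -n); only the match
options used in the thread are parsed; with -n ports stay numeric, which
is what makes them comparable with the file (without -n you get names
such as netbios-ssn).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: str = "all"
    in_if: str = "any"
    out_if: str = "any"
    source: str = "anywhere"
    dport: str = ""
    state: str = ""


def _norm_addr(a):                # -L prints "anywhere", -L -n prints "0.0.0.0/0"
    return "anywhere" if a in ("0.0.0.0/0", "anywhere") else a


def _norm_if(i):                  # -L prints "any", -L -n prints "*"
    return "any" if i in ("*", "any") else i


def _norm_state(s):               # order of state names does not matter
    return ",".join(sorted(s.split(","))) if s else ""


def parse_restore_file(text):
    """Return the rules from the '-A CHAIN ...' lines of an iptables-save file."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        f = {"chain": tok[1]}
        i = 2
        while i + 1 < len(tok):            # every option used here takes one value
            opt, val = tok[i], tok[i + 1]
            if opt == "-i":
                f["in_if"] = _norm_if(val)
            elif opt == "-o":
                f["out_if"] = _norm_if(val)
            elif opt == "-p":
                f["proto"] = val
            elif opt == "-s":
                f["source"] = _norm_addr(val)
            elif opt == "--dport":
                f["dport"] = val
            elif opt == "--state":
                f["state"] = _norm_state(val)
            elif opt == "-j":
                f["target"] = val
            i += 2
        rules.append(Rule(**f))
    return rules


_CHAIN = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Return the rules shown by `iptables -L -v` (columns: pkts bytes target prot opt in out src dst extras)."""
    rules, chain = [], None
    for line in text.splitlines():
        m = _CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        tok = line.split()
        if len(tok) < 9 or tok[0] == "pkts" or chain is None:
            continue
        _p, _b, target, proto, _opt, in_if, out_if, src, _dst, *extra = tok
        f = dict(chain=chain, target=target, proto=proto, in_if=_norm_if(in_if),
                 out_if=_norm_if(out_if), source=_norm_addr(src))
        for j, t in enumerate(extra):      # e.g. "tcp dpt:139", "state NEW reject-with ..."
            if t == "state" and j + 1 < len(extra):
                f["state"] = _norm_state(extra[j + 1])
            elif t.startswith("dpt:"):
                f["dport"] = t[4:]
        rules.append(Rule(**f))
    return rules


def compare(file_rules, live_rules):
    """Return (file rules that are not loaded, loaded rules that are not in the file)."""
    missing = [r for r in file_rules if r not in live_rules]
    extra = [r for r in live_rules if r not in file_rules]
    return missing, extra


# Constructed rules file modelled on the thread (137/138 as UDP, COMMIT added).
RESTORE_FILE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 139 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.100 --dport 138 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.100 --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# The `iptables -L -v` output as posted in the thread (port rules absent).
LISTING_AS_POSTED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 REJECT all -- any any anywhere anywhere state NEW reject-with icmp-port-unreachable
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
"""

# Constructed `iptables -L -v -n` output showing what a full load looks like.
LISTING_AFTER_RELOAD = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  --  lo  *  0.0.0.0/0      0.0.0.0/0
    0     0 ACCEPT icmp --  *   *  0.0.0.0/0      0.0.0.0/0
    0     0 ACCEPT tcp  --  *   *  192.168.0.100  0.0.0.0/0  tcp dpt:139
    0     0 ACCEPT udp  --  *   *  192.168.0.100  0.0.0.0/0  udp dpt:138
    0     0 ACCEPT udp  --  *   *  192.168.0.100  0.0.0.0/0  udp dpt:137
    0     0 REJECT all  --  *   *  0.0.0.0/0      0.0.0.0/0  state NEW reject-with icmp-port-unreachable
    0     0 ACCEPT all  --  *   *  0.0.0.0/0      0.0.0.0/0  state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  --  *   lo 0.0.0.0/0      0.0.0.0/0
"""

if __name__ == "__main__":
    wanted = parse_restore_file(RESTORE_FILE)
    for name, listing in (("as posted", LISTING_AS_POSTED), ("after reload", LISTING_AFTER_RELOAD)):
        missing, extra = compare(wanted, parse_listing(listing))
        print(f"{name}: {len(missing)} file rule(s) not loaded, {len(extra)} unexpected rule(s)")
        for r in missing:
            print("  not loaded:", r)
```

On the posted listing the script reports the three port rules as not loaded and nothing unexpected; on the reloaded listing it reports a clean match. Run it against `iptables -L -v -n` rather than plain `-L -v` so that ports are printed as numbers and compare directly with the file.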