LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-25-2006, 01:13 AM   #1
sarajevo
Member
 
Iptables script, and closing ports on linux box


Hello,

I have an iptables script as follows

iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -X
iptables -t nat -X
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -j DROP
echo 0 > /proc/sys/net/ipv4/ip_forward

After running the script, I scanned the ports on my machine using nmap,

nmap my_ip_address, and I got output like below


Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-12-25 09:05 CET
Interesting ports on eee.eee.ttt.ttt :
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
113/tcp open auth
656/tcp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.267 seconds

I am asking all people out there: does the script part
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -j DROP
drop all packets directed to my box, and how do I close ports 111, 113 and 656? I really do not need them.
How do I close a port using iptables?
Thanks in advance

Regards
 
Old 12-25-2006, 03:49 AM   #2
win32sux
LQ Guru
 
Quote:
Originally Posted by sarajevo
(post #1, quoted in full)
try it like this:
Code:
iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -X
iptables -X -t nat
iptables -X -t mangle

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

echo 0 > /proc/sys/net/ipv4/ip_forward
do you still get those scan results??

BTW, you don't need any ACCEPT rules in your OUTPUT chain when you have its policy set to ACCEPT...

 
Old 12-25-2006, 07:00 AM   #3
sarajevo
Member
 
Quote:
Originally Posted by win32sux
(post #2, quoted in full)
Hi,
Using the script above and running it, I got nmap output as follows

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-12-25 14:54 CET
Interesting ports on ttt.ddd.ddd.rrr
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
113/tcp open auth
656/tcp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.321 seconds

What to do in order to block the above mentioned ports using iptables?
I read somewhere that
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -j DROP
will prevent a user from seeing what ports are open.
How do I close them? I know there are services listening on those ports, and I am trying to make these ports inaccessible using the iptables tool.

Regards and thank you
 
Old 12-25-2006, 05:59 PM   #4
win32sux
LQ Guru
 
Quote:
Originally Posted by sarajevo
(post #3, quoted in full)
the script i posted filters all your ports on all your interfaces... you don't need any of the three DROP rules you posted... something is definitely not right here... to confirm that the iptables rules are actually being applied, post the output of:
Code:
iptables -L -v -n

 
Old 12-25-2006, 06:02 PM   #5
win32sux
LQ Guru
 
wait a second...
Quote:
Originally Posted by sarajevo
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-12-25 14:54 CET
Interesting ports on ttt.ddd.ddd.rrr
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
113/tcp open auth
656/tcp open unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.321 seconds
0.3 seconds, huh?? judging by that amount of time i'm going to assume that you are scanning from the box itself... this is not what you wanna do in order to determine the state of your ports... to get a practical result you need to scan your box from another box... this will show you exactly what, for example, an attacker sees...
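As an added illustration (not code from the thread or from either poster), this Python model replays the INPUT chains from posts #1 and #2 with iptables' first-match semantics against constructed packets. It shows why a scan run on the box itself (arriving on lo) still reports ports 111, 113 and 656 open under both scripts, while the same SYN from another host is dropped, and how the ordering of the icmp rule in the original script differs from the stateful one. Matching is simplified to interface, protocol, conntrack state and SYN flag; all packets and states are constructed, not captured.

```python
# Added model of iptables INPUT-chain traversal (not iptables itself): rules are
# checked top-down, the first match decides, and the chain policy applies otherwise.

def rule(target, iface=None, proto=None, states=None, syn=None):
    """One rule in the style of the lines posted above; None means 'any'."""
    def match(pkt):
        if iface and pkt["iface"] != iface:
            return False
        if proto and pkt["proto"] != proto:
            return False
        if states and pkt["state"] not in states:
            return False
        if syn is not None and pkt.get("syn") != syn:
            return False
        return True
    return (match, target)

def verdict(chain, policy, pkt):
    """Walk the chain; the first matching rule's target wins, else the policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy

# sarajevo's INPUT chain from post #1, in posted order (policy DROP)
ORIGINAL = [
    rule("ACCEPT", iface="lo"),
    rule("DROP", proto="icmp"),
    rule("ACCEPT", iface="eth0", states={"ESTABLISHED"}),
    rule("DROP", proto="tcp", syn=True),
    rule("DROP", proto="udp"),
    rule("DROP"),
]

# win32sux's INPUT chain from post #2 (the DROP policy does the rest)
STATEFUL = [
    rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", iface="lo"),
]

# Constructed packets, not captured traffic
LOCAL_SCAN = {"iface": "lo", "proto": "tcp", "state": "NEW", "syn": True}    # nmap run on the box itself
REMOTE_SCAN = {"iface": "eth0", "proto": "tcp", "state": "NEW", "syn": True}  # nmap from another box
REPLY = {"iface": "eth0", "proto": "tcp", "state": "ESTABLISHED", "syn": False}  # answer to our own connection
ICMP_ERROR = {"iface": "eth0", "proto": "icmp", "state": "RELATED"}  # e.g. unreachable for our connection

def compare(pkt):
    """Verdict under both chains, so the two scripts can be contrasted packet by packet."""
    return {"original": verdict(ORIGINAL, "DROP", pkt), "stateful": verdict(STATEFUL, "DROP", pkt)}
```

Under ORIGINAL the RELATED ICMP error is dropped because the icmp rule sits above the stateful rule; the stateful script accepts it, and both chains accept the loopback scan, which is the result the nmap runs in this thread are showing.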
 
Old 12-26-2006, 01:19 AM   #6
sarajevo
Member
 
Quote:
Originally Posted by win32sux
wait a second...
0.3 seconds, huh?? judging by that amount of time i'm going to assume that you are scanning from the box itself... this is not what you wanna do in order to determine the state of your ports... to get a practical result you need to scan your box from another box... this will show you exactly what, for example, an attacker sees...
That is right.
Later today I will try a scan from machineA to machineB and post the result to this forum. I think some time before, using
iptables -A INPUT -p tcp --syn -j DROP
I blocked everything directed to my box (except regular traffic I allowed).

I will post results today at 6 pm

Regards
 
Old 12-26-2006, 12:47 PM   #7
sarajevo
Member
 
@win32sux

your iptables script filters all ports, and that is what I was looking for.

Using nmap I was able to discover the MAC address of the scanned host.

Now I am googling to find out how to use iptables to prevent nmap from discovering the MAC address of the scanned host.

Regards and thank you

 
Old 12-27-2006, 05:06 AM   #8
win32sux
LQ Guru
 
Quote:
Originally Posted by sarajevo
(post #7, quoted in full)

cool, glad to hear it worked well for you...

one thing: remember that MAC addresses will only be available to hosts on your LAN... it's part of the Ethernet standard... you don't need to be worried about hosts on the WAN since MAC addresses are non-routable...
 
  

