LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-03-2003, 01:49 AM   #1
pablovschby
Member
 
Registered: Oct 2003
Posts: 153

RH9 Shrike & iptables --> unbelievable effect... ports are opened...


Hello,

I am just very confused about my strange RedHat 9 Shrike firewall... well, I am running the script below... this script denies every connection except the ssh port and the local processes, so there should be just the ssh port open... here is what my nmap says: the ports 80-83, 1080, 1863, 5190, 11523 are open!!!!!

I can't understand this bemusing wonder... is there a ghost conjuring up some stupid things right in my RedHat 9????????? Here is my script:
Code:
[root@router1 pablo]# cat 1
#!/bin/tcsh
#script for router
echo "firewall is starting now......"
set ipt = /sbin/iptables
set EXT = eth0
set INT = eth1
set IF = ( $EXT $INT )
set p_high = 1024:
#-------------------------
#set kernel parameters separately for all interfaces:
echo "0" > /proc/sys/net/ipv4/ip_forward #switch off for now
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians


#------------------------
#default policies:
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
echo "...all BUILT-IN CHAINS are successfully dropped by default..."
$ipt -F
$ipt -t nat -F
$ipt -X
echo "...USERDEFINED CHAINS were flushed..."
#--------------------------------
#local processes:
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
#---------------------------------------------------

#set TTL (just affecting all the packets that the router generates itself):
echo "102" > /proc/sys/net/ipv4/ip_default_ttl
#set TTL for GENERAL OUTGOING PACKETS!
#$ipt -t mangle -A OUTPUT -j TTL --ttl-set 102
#$ipt -t mangle -A OUTPUT -j ttl_fertig --ttl-set 102

echo "...ttl is adjusted...!"
#$ipt -N ttl_fertig

#---------------------------------------------------
#rules for ssh-connection:

$ipt -A OUTPUT -p tcp --sport 22 ! --syn --dport $p_high -j ACCEPT
$ipt -A INPUT -p tcp --dport 22 --sport $p_high -j ACCEPT              #2 times server


echo "......"
 
Old 10-03-2003, 02:45 AM   #2
pablovschby
Member
 
Registered: Oct 2003
Posts: 153

Original Poster
Don't you think these facts are strange??
 
Old 10-03-2003, 04:59 AM   #3
pablovschby
Member
 
Registered: Oct 2003
Posts: 153

Original Poster
How would you explain this??
 
Old 10-03-2003, 05:23 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

This does seem a little odd. I'm a bit confused by your rules though. I would have used something like this instead:
Code:
#!/bin/tcsh
#script for router
echo "firewall is starting now......"
set ipt = /sbin/iptables
set EXT = eth0
set INT = eth1

#-------------------------
#set kernel parameters separately for all interfaces:
echo "0" > /proc/sys/net/ipv4/ip_forward #switch off for now
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians


#------------------------
#default policies:

$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD DROP
echo "...all BUILT-IN CHAINS are successfully dropped by default..."
$ipt -F
$ipt -t nat -F
$ipt -X
echo "...USERDEFINED CHAINS were flushed..."
#--------------------------------
#local processes:
$ipt -A INPUT -i lo -j ACCEPT

#---------------------------------------------------
#rules for ssh-connection:

$ipt -A INPUT -i $EXT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "......"
Also, where are you running nmap from? If it's the same box then clearly it will be allowed through by the lo rule.

cheers

Jamie...
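The point jharris raises (where the scan originates) and the two INPUT chains posted in #1 and #4 can be reasoned about with a small rule evaluator. What follows is an added example written for this thread; it is not code posted by either participant and it is not iptables. It models first-match evaluation of an INPUT chain using only the matchers the two tcsh scripts use (-i, -p, --dport, --sport, --syn / ! --syn, -m state --state and the -P policy), and reports which of the scanned ports a SYN scan arriving on a given interface would see accepted. The scanned port list, the source port 40000 and the interface names are constructed assumptions.

```python
"""Toy first-match evaluator for an iptables INPUT chain (added example,
not from the thread). It models only the matchers the two tcsh scripts use
and never touches the kernel; it exists to reason about which ports a SYN
scan would report as open depending on the interface the scan arrives on."""

from dataclasses import dataclass
from typing import List, Optional, Set


def port_range(spec: str) -> range:
    """Turn an iptables port spec ("22", "1024:", "80:83") into a range."""
    if ":" in spec:
        low, high = spec.split(":", 1)
        return range(int(low or 0), int(high or 65535) + 1)
    return range(int(spec), int(spec) + 1)


@dataclass
class Packet:
    iface: str                 # interface the packet arrives on ("lo", "eth0", "eth1")
    dport: int
    sport: int = 40000         # ephemeral source port of the scanner (constructed value)
    proto: str = "tcp"
    syn_only: bool = True      # SYN set, ACK/RST/FIN clear: the first handshake packet
    state: str = "NEW"         # what -m state would report for such a packet


@dataclass
class Rule:
    target: str                         # ACCEPT or DROP
    iface: Optional[str] = None         # -i
    proto: Optional[str] = None         # -p
    dport: Optional[range] = None       # --dport
    sport: Optional[range] = None       # --sport
    syn: Optional[bool] = None          # True: --syn, False: ! --syn, None: no flag test
    states: Optional[Set[str]] = None   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        # Every matcher present on the rule must agree; absent matchers match anything.
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.sport is not None and pkt.sport not in self.sport:
            return False
        if self.syn is not None and self.syn != pkt.syn_only:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """iptables walks the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy  # nothing matched: the -P policy applies


def open_ports(chain: List[Rule], policy: str, iface: str, ports: List[int]) -> List[int]:
    """Ports a SYN scan arriving on `iface` would see accepted by this chain."""
    return [p for p in ports
            if verdict(chain, policy, Packet(iface=iface, dport=p)) == "ACCEPT"]


P_HIGH = port_range("1024:")

# INPUT chain from post #1: lo accepted, then ssh from a high source port on any interface.
INPUT_POST1 = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=port_range("22"), sport=P_HIGH),
]

# INPUT chain from post #4: lo accepted, then ssh only on the external interface eth0.
INPUT_POST4 = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=port_range("22"),
         states={"NEW", "ESTABLISHED", "RELATED"}),
]

# Constructed scan list: the ports the original poster saw, plus 22 for comparison.
SCANNED = [22, 80, 81, 82, 83, 1080, 1863, 5190, 11523]

if __name__ == "__main__":
    for name, chain in (("post #1", INPUT_POST1), ("post #4", INPUT_POST4)):
        for iface in ("lo", "eth1", "eth0"):
            print(f"{name} ruleset, scan arriving on {iface}: "
                  f"{open_ports(chain, 'DROP', iface, SCANNED)}")
```

Evaluated from lo, every port comes back accepted because the `-i lo` rule matches before anything else; arriving on eth1 or eth0, only port 22 passes post #1's chain, and post #4's chain accepts ssh on eth0 alone because its rule is bound to $EXT. On the real router, `iptables -L INPUT -n -v` lists the live chain with per-rule packet counters, which is the check a toy evaluator cannot replace.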
 
Old 10-03-2003, 08:26 AM   #5
pablovschby
Member
 
Registered: Oct 2003
Posts: 153

Original Poster
Quote:
Also, where are you running nmap from?
I already told you --> from a workstation that's standing directly in my LAN... so it's connected with the router through eth1...
Quote:
If it's the same box then clearly it will be allowed through by the lo rule.
Yes, I know....

Connections from the loopback interface to itself are allowed... but that wasn't what I asked about....

Well... anyway... now I ran a port scanner from a Windows workstation and it showed me... that there aren't any open ports that shouldn't be...

I can't understand this stupid effect, but... however

it isn't a solvable problem... it seems just to be God, who's sticking my firewall up