Re: iptables firewall script for debian-woody, 2.4.24

From: Arno van Amersfoort (arnova_at_xs4all.nl)
Date: 04/02/04

    Date: Fri, 02 Apr 2004 12:14:55 +0200
    To: Gord Philpott <tech@gordphilpott.com>

    Note that UDP portscans are NOT reliable. Because of the way UDP works,
    it's almost impossible to determine whether a port is open, closed or
    firewalled. The only thing you can find out is whether a firewall is NOT in
    place and a port is closed, as this would make the server generate an
    "icmp-port-reject".

    May I recommend (maybe) having a look at my website:

    http://rocky.eld.leidenuniv.nl

    cheers,

    Arno

    Gord Philpott wrote:

    > Hello all,
    >
    > I've created a custom IPTables firewall script for a Debian 3.0 server
    > (2.4.24 kernel) running Bind DNS and SSH.
    >
    > I have used the script on other systems, and have commented out the
    > ports that are not needed for this setup. When I nmap the server
    > with the firewall script off, I get different results than when the
    > firewall script is on. I am looking to have the ports needed to run
    > DNS and SSH available regardless of the firewall status.
    >
    > If anyone can spot why 53/udp and 32768/udp show up as filtered,
    > please let me know.
    > --Gord.
    >
    > #### Output from NMAP while firewall is ON:
    > lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >
    > Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:50 EST
    > Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    > (The 84 ports scanned but not shown below are in state: closed)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 53/tcp open domain
    > 53/udp open domain
    > 32768/udp open omad
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 34.068 seconds
    >
    >
    > #### Output from NMAP while firewall is ON:
    > lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >
    > Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:47 EST
    > Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    > (The 86 ports scanned but not shown below are in state: filtered)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 53/tcp open domain
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 6.804 seconds
    >
    >
    >
    > #### IP Firewall script:
    > dns2:/etc/init.d# more ipfirewall
    > #!/bin/bash
    > #
    > # Simple firewall script by Gord P.
    >
    > NAME="ipfirewall"
    > IPTABLES="/sbin/iptables"
    >
    > case "$1" in
    > start)
    > echo -n "Starting firewall.."
    >
    > #Flush then restrict
    > $IPTABLES -F
    > $IPTABLES -P FORWARD DROP
    > $IPTABLES -P INPUT DROP
    > $IPTABLES -P OUTPUT DROP
    >
    > # For ping and traceroute
    > $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    > $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    > $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    > $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    > $IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT
    >
    > # For traceroute
    > $IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
    > --destination-port 33434:33523 -j ACCEPT
    >
    > $IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
    > --destination-port 33434:33523 -j ACCEPT
    >
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
    > $IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT
    >
    > $IPTABLES -A INPUT -i lo -j ACCEPT
    > $IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    > $IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    >
    > # For already established and related allows
    > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > $IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    > $IPTABLES -A INPUT -p tcp --destination-port 53 -j ACCEPT #DNS
    > $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT #DNS
    > $IPTABLES -A INPUT -p udp --destination-port 32768 -j ACCEPT #DNS
    > #$IPTABLES -A INPUT -p udp --destination-port 135:139 -j ACCEPT # SMB
    > #$IPTABLES -A INPUT -p tcp --destination-port 135:139 -j ACCEPT # SMB
    > #$IPTABLES -A INPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    > #$IPTABLES -A INPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    > #$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    > #$IPTABLES -A INPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    > #$IPTABLES -A INPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    >
    > $IPTABLES -A INPUT -p tcp --dport auth -j REJECT # Reject ident/auth (113) so remote servers don't wait on a timeout; sunrpc is 111 and falls through to the DROP policy
    >
    > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    > $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    > $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT # HTTP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 110 -j ACCEPT # POP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 995 -j ACCEPT # SPOP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 993 -j ACCEPT # SIMAP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 1494 -j ACCEPT # Citrix
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 5222 -j ACCEPT #
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 119 -j ACCEPT # NNTP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 23 -j ACCEPT # Telnet
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 7741 -j ACCEPT #
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 445 -j ACCEPT
    > #$IPTABLES -A OUTPUT -p udp --destination-port 137:139 -j ACCEPT # SMB
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 538 -j ACCEPT #
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT # MySQL
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 81 -j ACCEPT # HTTP
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 43 -j ACCEPT # Whois
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 9628 -j ACCEPT # Objectsocket.php
    > #$IPTABLES -A OUTPUT -p tcp --destination-port 6667 -j ACCEPT # IRC
    >
    > $IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
    > echo "..done"
    > ;;
    > stop)
    > echo -n "Stopping firewall.."
    > $IPTABLES -F
    > $IPTABLES -P FORWARD DROP
    > $IPTABLES -P OUTPUT ACCEPT
    > $IPTABLES -P INPUT ACCEPT
    > echo "done"
    > ;;
    > *)
    > echo "Usage: $NAME {start|stop}"
    > exit 1
    > ;;
    > esac
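The three-way ambiguity Arno describes can be made concrete with a small prober. This is an added example, not code from Arno's or Gord's posts: it sends a protocol-valid DNS query (rather than the empty datagram nmap 3.50 used for most UDP ports) and classifies the outcome as open, closed, or open|filtered. It assumes a Linux host, where an ICMP port unreachable is reported to a connected UDP socket as ECONNREFUSED; the loopback "fake DNS server", the silent socket, the query name example.com. and the function names are all constructed for the demo.

```python
"""Probe a UDP port with a protocol-valid DNS query (added example, not code from the thread).

A UDP probe has only three observable outcomes:
  * an application reply            -> open
  * an ICMP port-unreachable error  -> closed, and not firewalled
  * silence                         -> open (service ignored the probe) or filtered
BIND ignores an empty datagram; a real query turns that silence into a reply,
so 53/udp can be confirmed open even when closed ports are DROPped.
Assumption: Linux, where ICMP port unreachable reaches a connected UDP socket
as ECONNREFUSED (ConnectionRefusedError in Python).
"""
import random
import socket
import struct
import threading


def build_dns_query(name, txid):
    """Minimal DNS query: 12-byte header plus one question (A record, class IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_header(data):
    """Return the header fields a scanner needs in order to validate a reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def is_dns_reply(query, data):
    """True if `data` is a DNS response (QR=1) to the transaction ID we sent."""
    try:
        hdr = parse_dns_header(data)
    except ValueError:
        return False
    return hdr["qr"] == 1 and hdr["id"] == struct.unpack("!H", query[:2])[0]


def probe_udp_port(host, port, timeout=2.0, name="example.com."):
    """Send one DNS query to host:port; return (nmap-style state, looked_like_dns)."""
    query = build_dns_query(name, random.randrange(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket: ICMP errors are delivered to us
        try:
            sock.send(query)
            data = sock.recv(512)
        except ConnectionRefusedError:
            return "closed", False          # ICMP port unreachable: no firewall in the way
        except socket.timeout:
            return "open|filtered", False   # silence: the ambiguity a UDP scan cannot resolve
    return "open", is_dns_reply(query, data)  # something answered at the application layer


def _fake_dns_server(sock):
    """Constructed stand-in for BIND: echo one query back with QR=1 (demo only)."""
    data, peer = sock.recvfrom(512)
    flags = struct.unpack("!H", data[2:4])[0] | 0x8000
    sock.sendto(data[:2] + struct.pack("!H", flags) + data[4:], peer)


if __name__ == "__main__":
    answering = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    answering.bind(("127.0.0.1", 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))  # bound but never replies: looks exactly like a firewall
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the kernel answers with ICMP unreachable
    threading.Thread(target=_fake_dns_server, args=(answering,), daemon=True).start()
    for label, port in (("answering", answering.getsockname()[1]),
                        ("silent", silent.getsockname()[1]),
                        ("closed", closed_port)):
        print(f"{label:9s} 127.0.0.1:{port:<5d} -> {probe_udp_port('127.0.0.1', port, 1.0)}")
```

Run stand-alone it prints one line per case; the "silent" socket reports open|filtered even though no firewall exists, which is the whole reason a UDP scan cannot be trusted to tell 53/udp "filtered" apart from a daemon that simply declined to answer. Against Gord's server, a query like this (or `dig @server example.com`) is the reliable check that 53/udp is reachable through the firewall.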

