Re: iptables firewall script for debian-woody, 2.4.24

From: Konstantin Gavrilenko (mlists_at_arhont.com)
Date: 04/05/04

    Date: Mon, 05 Apr 2004 01:22:55 +0100
    To: cookie <cookie@rknrobin.com>, focus-linux@securityfocus.com

    hija,

    try sniffing with tcpdump, see what icmp packets are sent back to the
    scanning host, you should see icmp type 3 for closed ports and no reply
    for open ports.
    Therefore if nmap does not get icmp port unreachable to all the probed
    ports, it assumes that all the ports are filtered.

    kos

    cookie wrote:
    > Gord Philpott wrote:
    >
    >> Hello all,
    >>
    >> I've created a custom IPTables firewall script for a Debian 3.0 server
    >> (2.4.24 kernel) running Bind DNS and SSH.
    >>
    >> I have used the script on other systems, and have commented out the
    >> ports that are not needed for this setup. When I nmap the server
    >> with the firewall script off, I get different results than when the
    >> firewall script is on. I am looking to have the ports needed to run
    >> DNS and SSH available regardless of the firewall status.
    >>
    >> If anyone can spot why 53/udp and 32768/udp show up as filtered,
    >> please let me know.
    >> --Gord.
    >>
    >> #### Output from NMAP while firewall is OFF:
    >> lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >>
    >> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:50 EST
    >> Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    >> (The 84 ports scanned but not shown below are in state: closed)
    >> PORT STATE SERVICE
    >> 22/tcp open ssh
    >> 53/tcp open domain
    >> 53/udp open domain
    >> 32768/udp open omad
    >>
    >> Nmap run completed -- 1 IP address (1 host up) scanned in 34.068 seconds
    >>
    >>
    >> #### Output from NMAP while firewall is ON:
    >> lan2:/# nmap -sS -sU -P0 -p '20-30,50-60,950-960,32760-32770' 216.xxx.xxx.xxx
    >>
    >> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-31 14:47 EST
    >> Interesting ports on xxx.xxx.net (216.xxx.xxx.xxx):
    >> (The 86 ports scanned but not shown below are in state: filtered)
    >> PORT STATE SERVICE
    >> 22/tcp open ssh
    >> 53/tcp open domain
    >>
    >> Nmap run completed -- 1 IP address (1 host up) scanned in 6.804 seconds
    >>
    >>
    >>
    >> #### IP Firewall script:
    >> dns2:/etc/init.d# more ipfirewall
    >> #!/bin/bash
    >> #
    >> # Simple firewall script by Gord P.
    >>
    >> NAME="ipfirewall"
    >> IPTABLES="/sbin/iptables"
    >>
    >> case "$1" in
    >> start)
    >> echo -n "Starting firewall.."
    >>
    >> #Flush then restrict
    >> $IPTABLES -F
    >> $IPTABLES -P FORWARD DROP
    >> $IPTABLES -P INPUT DROP
    >> $IPTABLES -P OUTPUT DROP
    >>
    >> # For ping and traceroute
    >> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    >> $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    >> $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    >> $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    >> $IPTABLES -A INPUT -p icmp --icmp-type 30 -j ACCEPT
    >>
    >> # For traceroute
    >> $IPTABLES -A INPUT -i eth0 -p udp --source-port 32769:65535 \
    >> --destination-port 33434:33523 -j ACCEPT
    >>
    >> $IPTABLES -A OUTPUT -p udp --source-port 32769:65535 \
    >> --destination-port 33434:33523 -j ACCEPT
    >>
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
    >> $IPTABLES -A OUTPUT -p icmp --icmp-type 30 -j ACCEPT
    >>
    >> $IPTABLES -A INPUT -i lo -j ACCEPT
    >> $IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    >> $IPTABLES -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    >>
    >> # For already established and related allows
    >> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    >> $IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >> $IPTABLES -A INPUT -p tcp --destination-port 53 -j ACCEPT #DNS
    >> $IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT #DNS
    >> $IPTABLES -A INPUT -p udp --destination-port 32768 -j ACCEPT #DNS
    >> #$IPTABLES -A INPUT -p udp --destination-port 135:139 -j ACCEPT # SMB
    >> #$IPTABLES -A INPUT -p tcp --destination-port 135:139 -j ACCEPT # SMB
    >> #$IPTABLES -A INPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    >> #$IPTABLES -A INPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    >> #$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    >> #$IPTABLES -A INPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    >> #$IPTABLES -A INPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    >>
    >> $IPTABLES -A INPUT -p tcp --dport auth -j REJECT # Reject sunrpc 111
    >>
    >> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    >> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    >> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    >> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT # HTTP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT # HTTPS
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 8080 -j ACCEPT # Proxy
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 6674 -j ACCEPT # sched
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 110 -j ACCEPT # POP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 995 -j ACCEPT # SPOP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 993 -j ACCEPT # SIMAP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 25 -j ACCEPT # SMTP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 1494 -j ACCEPT # Citrix
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 5222 -j ACCEPT #
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 20:21 -j ACCEPT # FTP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 119 -j ACCEPT # NNTP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 23 -j ACCEPT # Telnet
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 7741 -j ACCEPT #
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 445 -j ACCEPT
    >> #$IPTABLES -A OUTPUT -p udp --destination-port 137:139 -j ACCEPT # SMB
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 538 -j ACCEPT #
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT # MySQL
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 81 -j ACCEPT # HTTP
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 43 -j ACCEPT # Whois
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 9628 -j ACCEPT # Objectsocket.php
    >> #$IPTABLES -A OUTPUT -p tcp --destination-port 6667 -j ACCEPT # IRC
    >>
    >> $IPTABLES -A INPUT -p tcp -i lo -d 0/0 -j ACCEPT
    >> echo "..done"
    >> ;;
    >> stop)
    >> echo -n "Stopping firewall.."
    >> $IPTABLES -F
    >> $IPTABLES -P FORWARD DROP
    >> $IPTABLES -P OUTPUT ACCEPT
    >> $IPTABLES -P INPUT ACCEPT
    >> echo "done"
    >> ;;
    >> *)
    >> echo "Usage: $NAME {start|stop}"
    >> exit 1
    >> ;;
    >> esac
    >>
    >>
    >>
    > a quick glance shows this to be pretty sound... I don't see any reason
    > your box should be dropping 53 requests after running these rules...
    > then again, there's no way to know for certain unless you take a look
    > at the running rules (iptables -L INPUT -n;iptables -L OUTPUT -n) and
    > scan through it for anything iffy if you're still unsure, I'd post that
    > here as well.
    >
    > PS. commented lines aren't really necessary for diagnosing a ruleset.
    >

    -- 
    Respectfully,
    Konstantin V. Gavrilenko
    Managing Director
    Arhont Ltd - Information Security
    web:    www.arhont.com
    e-mail: k.gavrilenko@arhont.com
    tel: +44 (0) 870 44 31337
    fax: +44 (0) 117 969 0141
    PGP: Key ID - 0x4F3608F7
    PGP: Server - keyserver.pgp.com
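As an added illustration of the inference Konstantin describes above (this code is not part of the thread), the following Python reproduces the way a UDP scan in nmap 3.x turns the sniffed replies into port states: an ICMP port unreachable marks a port closed, silence marks it open, and if no probe at all drew an unreachable the whole set is reported as filtered. The tcpdump lines are constructed and simplified, and the addresses 10.0.0.5 (scanner) and 10.0.0.9 (target) are assumptions.

```python
import re

# Constructed, simplified tcpdump -n lines (assumed addresses: 10.0.0.5 scans 10.0.0.9).
# Firewall off: the closed ports (22, 32769) answer with ICMP port unreachable,
# the listening ones (53, 32768) stay silent.
FIREWALL_OFF = """\
14:50:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: UDP, length 0
14:50:01.000200 IP 10.0.0.9 > 10.0.0.5: ICMP 10.0.0.9 udp port 22 unreachable, length 36
14:50:01.000300 IP 10.0.0.5.40002 > 10.0.0.9.53: UDP, length 0
14:50:01.000400 IP 10.0.0.5.40003 > 10.0.0.9.32768: UDP, length 0
14:50:01.000500 IP 10.0.0.5.40004 > 10.0.0.9.32769: UDP, length 0
14:50:01.000600 IP 10.0.0.9 > 10.0.0.5: ICMP 10.0.0.9 udp port 32769 unreachable, length 36
"""

# Firewall on, INPUT policy DROP: datagrams to ports without an ACCEPT rule are
# dropped before they reach a socket, so the kernel never emits ICMP type 3.
FIREWALL_ON = """\
14:47:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: UDP, length 0
14:47:01.000300 IP 10.0.0.5.40002 > 10.0.0.9.53: UDP, length 0
14:47:01.000400 IP 10.0.0.5.40003 > 10.0.0.9.32768: UDP, length 0
14:47:01.000500 IP 10.0.0.5.40004 > 10.0.0.9.32769: UDP, length 0
"""

PROBE = re.compile(r" > (?P<dst>[\d.]+)\.(?P<port>\d+): UDP, length")
UNREACH = re.compile(r"ICMP (?P<host>[\d.]+) udp port (?P<port>\d+) unreachable")


def classify_udp_scan(capture, target):
    """Mimic the inference an nmap 3.x UDP scan makes from the packets above:
    ICMP port unreachable -> closed, silence -> open, and if not one probe
    drew an unreachable, assume a filter is swallowing everything."""
    probed = []
    unreachable = set()
    for line in capture.splitlines():
        m = PROBE.search(line)
        if m and m.group("dst") == target:
            probed.append(int(m.group("port")))
            continue
        m = UNREACH.search(line)
        if m and m.group("host") == target:
            unreachable.add(int(m.group("port")))
    if probed and not unreachable:
        return {p: "filtered" for p in probed}
    return {p: ("closed" if p in unreachable else "open") for p in probed}


if __name__ == "__main__":
    for label, cap in (("firewall off", FIREWALL_OFF), ("firewall on", FIREWALL_ON)):
        print(label, classify_udp_scan(cap, "10.0.0.9"))
```

With the DROP policy in place the two genuinely open ports end up labelled filtered together with the closed ones, which is exactly the symptom in the original question.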
    
