Re: iptables firewall script for debian-woody, 2.4.24

From: Jim (
Date: 05/19/04

  • Next message: Beth Skwarecki: "RE: Secure Form Script?"
    Date: 19 May 2004 16:08:16 -0000

    >Gord Philpott wrote:
    >>> I have used the script on other systems, and have commented out the
    >>> ports that are not needed for this setup. When I nmap the server
    >>> with the firewall script off, I get different results than when the
    >>> firewall script is on. I am looking to have the ports needed to run
    >>> DNS and SSH available regardless of the firewall status.
    >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    >>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >You hope that the destination port for incoming DNS queries will be 53.
    >This is not true. The same goes for SSH.

    This thought is wrong. Of course SSH and DNS are services which are
    connected on the ports 22 and 53 as destination, so in principle this
    should work. But only for TCP, as you only allow traffic TO those
    ports, not the other way round. So what you're missing are most
    responses on UDP, since not all DNS queries also use port 53 on their
    local side; especially NMAP won't work that way, and your
    STATE=RELATED does not seem to work (and "ESTABLISHED" is always
    wrong in UDP), so I would add the following lines:
    $IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
    and the same for the other port that did not work.

    But I have to tell you that I saw some more un-nice things in your
    script, and I will be sending you a commented version.

