Re: iptables firewall script for debian-woody, 2.4.24

From: Philip Turner (p.turner_at_newman.ac.uk)
Date: 05/20/04

    To: focus-linux@securityfocus.com
    Date: Thu, 20 May 2004 09:46:52 +0100
    
    

    On 19 May 2004 at 16:08, Jim wrote:

    > In-Reply-To: <4071BC2D.6060205@delfi.lt>
    >
    > >Gord Philpott wrote:
    > >>> I have used the script on other systems, and have commented out the
    > >>> ports that are not needed for this setup. When I nmap the server
    > >>> with the firewall script off, I get different results than when the
    > >>> firewall script is on. I am looking to have the ports needed to run
    > >>> DNS and SSH available regardless of the firewall status.
    > >
    > >>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    > >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    > >>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    > >
    > >You hope, that destination port for incoming DNS queries will be 53.
    > >This is not true. The same is for SSH.
    >
    > This thought is wrong. Of course SSH and DNS are
    > services, which are connected on the ports 22 and 53 as
    > destination, so in principle, this should work.
    > But only for TCP, as you only allow traffic TO
    > those ports, not the other way round. So what
    > you're missing are most responses on UDP, since
    > not all DNS - queries also use port 53 on their
    > local side, especially NMAP won't work that way,
    > and your STATE=RELATED does not seem to work
    > (and "ESTABLISHED" is always wrong in UDP)

    My understanding (after reading, for example,
    http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html)
    was that iptables treats a UDP packet from HostA:PortA to
    HostB:PortB, followed quickly by a UDP packet from HostB:PortB
    to HostA:PortA as a "connection" - so ESTABLISHED does work for
    UDP.

    > , so
    > I would add the following lines:
    > $IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
    > same for the other port, that did not work.
    >
    > But I have to tell you, that I saw some more un-nice
    > things in your script and will be sending you
    > a commented version

    -- 
    Phil Turner
    
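The conntrack behaviour Phil describes, as an added example that is not part of the original thread or of anyone's firewall script: a toy model of netfilter's UDP connection tracking and of a few INPUT rules, so the three rule styles discussed above (a stateful ESTABLISHED,RELATED rule, a `--dport 53` rule, and Jim's `--source-port 53` rule) can be compared on the same packets. The hosts, ports and packets are constructed for the example; the model keeps the real kernel's classification (original direction is NEW until a reply is seen, the reversed 4-tuple is ESTABLISHED, an ICMP error about a tracked flow is RELATED) but omits timeouts and helpers.

```python
"""Toy model of netfilter's UDP connection tracking (added example, not code
from the thread). Hosts, ports and packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Tuple4 = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "icmp-error"
    src: str
    sport: int
    dst: str
    dport: int
    inner: Optional["Packet"] = None  # datagram header embedded in an ICMP error


class Conntrack:
    """Flows are keyed by the first packet's 4-tuple; the reversed tuple is the
    reply direction, whatever ephemeral port the client happened to use."""

    def __init__(self) -> None:
        self._table: Dict[Tuple4, bool] = {}   # original tuple -> reply seen?

    @staticmethod
    def _tuple(p: Packet) -> Tuple4:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(t: Tuple4) -> Tuple4:
        proto, src, sport, dst, dport = t
        return (proto, dst, dport, src, sport)

    def state(self, p: Packet) -> str:
        """Classify a packet as iptables -m state would, updating the table."""
        if p.proto == "icmp-error":
            if p.inner is None:
                return "INVALID"
            t = self._tuple(p.inner)
            # an ICMP error about a tracked flow (either direction) is RELATED
            if t in self._table or self._reverse(t) in self._table:
                return "RELATED"
            return "INVALID"
        t = self._tuple(p)
        if t in self._table:
            # original direction stays NEW until a reply has been seen
            return "ESTABLISHED" if self._table[t] else "NEW"
        if self._reverse(t) in self._table:
            self._table[self._reverse(t)] = True   # reply direction
            return "ESTABLISHED"
        self._table[t] = False                     # first packet of a flow
        return "NEW"


@dataclass
class Rule:
    """One iptables rule: -p / --dport / --sport / -m state --state, -j target."""
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: Optional[frozenset] = None
    target: str = "ACCEPT"

    def matches(self, p: Packet, state: str) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport)
                and (self.states is None or state in self.states))


def verdict(chain: List[Rule], p: Packet, state: str, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain:
        if r.matches(p, state):
            return r.target
    return policy


def dns_lookup_scenario() -> Dict[str, str]:
    """Resolver 10.0.0.5 queries 192.0.2.53 from an ephemeral port (constructed
    addresses). Compare three INPUT chains on the reply and on an unsolicited
    datagram that merely claims source port 53."""
    ct = Conntrack()
    query = Packet("udp", "10.0.0.5", 40123, "192.0.2.53", 53)
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40123)
    unsolicited = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 1234)
    port_unreach = Packet("icmp-error", "192.0.2.53", 0, "10.0.0.5", 0, inner=query)

    stateful = [Rule(states=frozenset({"ESTABLISHED", "RELATED"}))]
    dport_only = [Rule(proto="udp", dport=53)]   # only matches traffic TO port 53
    sport_only = [Rule(proto="udp", sport=53)]   # the "--source-port 53" suggestion

    out = {"query_state": ct.state(query), "reply_state": ct.state(reply)}
    out["reply_stateful"] = verdict(stateful, reply, out["reply_state"])
    out["reply_dport_only"] = verdict(dport_only, reply, out["reply_state"])
    out["reply_sport_only"] = verdict(sport_only, reply, out["reply_state"])
    uns_state = ct.state(unsolicited)
    out["unsolicited_state"] = uns_state
    out["unsolicited_stateful"] = verdict(stateful, unsolicited, uns_state)
    out["unsolicited_sport_only"] = verdict(sport_only, unsolicited, uns_state)
    out["icmp_error_state"] = ct.state(port_unreach)
    return out
```

Running `dns_lookup_scenario()` shows the difference that matters: the DNS reply comes back to the ephemeral port, so a `--dport 53` rule on INPUT never sees it, while the stateful rule accepts it because the reversed tuple is already in the table. The `--source-port 53` rule also lets the reply through, but it equally lets through the unsolicited datagram from 198.51.100.9, since anyone can set a source port of 53; the stateful rule drops that one because no flow to it was ever started from this host. The ICMP port-unreachable for the query classifies as RELATED, which is why the ESTABLISHED,RELATED pair, not ESTABLISHED alone, is the usual rule.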
