Re: Coyote IP Chains?

From: beltorak (beltorak@ananzi.co.za)
Date: 01/06/03


From: beltorak@ananzi.co.za (beltorak)
Date: 5 Jan 2003 22:25:45 -0800

Thomas Gibson <tegibson@sympatico.ca> wrote in message news:<fLOR9.17242$VW5.1553760@news20.bellglobal.com>...
> Using Sygate's online scanner it seems that Coyote Linux allows external
> ssh sessions on port 22. I would like to block this and am using the
> following ipchain rules:
>
> # Block all low level system ports
> /sbin/ipchains -A input -i eth1 -p tcp -d 0/0 0:1023 -j REJECT
> /sbin/ipchains -A input -i eth1 -p tcp -d 0/0 6000:6010 -j REJECT
> /sbin/ipchains -A output -i eth1 -p tcp -s 0/0 22 -j DENY
> /sbin/ipchains -A input -i eth1 -p tcp -d 0/0 22 -j DENY
> /sbin/ipchains -A input -i eth1 -p udp -d 0/0 0:1023 -j REJECT
> /sbin/ipchains -A input -i eth1 -p icmp --icmp-type ping -s 0/0 -j REJECT
>
> Sygate still is indicating the port is open which leads me to believe I
> don't understand ipchains fully yet. Can anyone provide guidance?

I have had several quirks with online scanners; sometimes Sygate shows
my port 80 open when I know for a fact that my ISP blocks that for
personal subscribers...

Try this ruleset instead (my ipchains syntax might be a little off
'cause I use iptables ;) ):

ipchains -N net_in
ipchains -N lo_in
ipchains -A input -i lo -j lo_in
ipchains -A input -i eth0 -j net_in

ipchains -A lo_in -j ACCEPT   # your own box talking to itself should
                              # be ok; change it to DENY if you must;
# ipchains -A net_in -p tcp ...  just as you have them, but leave
#                                out the '-i eth0' part.

To test yourself, redirect the loopback chain like this:

    root# ipchains -R lo_in 1 -j net_in

then use nmap on yourself:

    root# nmap -sT -F -vv 127.0.0.1

Familiarize yourself with nmap (man nmap or nmap --help); it should be
in any standard distro. You can get it from www.insecure.org .

To reset your loopback:

    root# ipchains -R lo_in 1 -j ACCEPT

hope that helps.

-t.

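The layout the reply describes, as an added example that is not from either post: one script that loads the question's blocking rules into per-interface chains and toggles the loopback self-test. The interface name in EXT_IF and the dry_run helper are assumptions.

```shell
#!/bin/sh
# Added example, not from either post: the chain layout beltorak describes,
# loaded with the blocking rules from the question. Assumptions: the Internet
# side is $EXT_IF (the question used eth1), and IPCHAINS can be pointed at the
# dry_run helper below to print the rules instead of loading them.

EXT_IF="${EXT_IF:-eth1}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Dry-run helper (assumed, not a real tool): prints the command it would run.
dry_run() { echo "ipchains $*"; }

# Two per-interface chains: everything arriving on the external interface goes
# through net_in, everything from loopback through lo_in. The port blocks from
# the question hang off net_in, so they need no '-i' of their own.
apply_rules() {
    ext="$1"
    $IPCHAINS -N net_in
    $IPCHAINS -N lo_in
    $IPCHAINS -A input -i lo -j lo_in
    $IPCHAINS -A input -i "$ext" -j net_in
    $IPCHAINS -A lo_in -j ACCEPT    # the box talking to itself is fine
    $IPCHAINS -A net_in -p tcp -d 0/0 0:1023 -j REJECT
    $IPCHAINS -A net_in -p tcp -d 0/0 6000:6010 -j REJECT
    $IPCHAINS -A net_in -p tcp -d 0/0 22 -j DENY
    $IPCHAINS -A net_in -p udp -d 0/0 0:1023 -j REJECT
    $IPCHAINS -A net_in -p icmp --icmp-type ping -s 0/0 -j REJECT
    # outbound rule kept as in the question: stop a local sshd answering outward
    $IPCHAINS -A output -i "$ext" -p tcp -s 0/0 22 -j DENY
}

# Self-test: rule 1 of lo_in becomes a jump into net_in, so
# "nmap -sT -F -vv 127.0.0.1" is filtered exactly like traffic from outside.
selftest_on()  { $IPCHAINS -R lo_in 1 -j net_in; }
# Back to normal: loopback is accepted again.
selftest_off() { $IPCHAINS -R lo_in 1 -j ACCEPT; }

case "${1:-}" in
    apply)    apply_rules "$EXT_IF" ;;
    selftest) selftest_on ;;
    reset)    selftest_off ;;
esac
```

Run it as `IPCHAINS=dry_run sh firewall.sh apply` first to read the rules it would load, then without the dry-run setting to load them.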

