Re: Iptables udp problems

From: chris (chris@here.com)
Date: 03/11/02


From: chris <chris@here.com>
Date: Mon, 11 Mar 2002 17:52:31 GMT

In article <3C89D6AE.8010803@mail.ru>, C-Pro wrote:
> I am running iptables on my RH 7.1 (kernel 2.5.0) and when scanning from
> another computer on my local network, scanner shows all udp ports
> open. Why?
Because you seem to be wide open.

> my iptables script:
>
> #!/bin/bash
> /sbin/iptables -F
> /sbin/iptables -P INPUT ACCEPT

Are you sure about this? Usually one would put up a deny policy by
default.

> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -A INPUT -i lo -p ALL -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN RST -m limit --limit 3/second -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN RST -j DROP
> /sbin/iptables -A INPUT -p tcp --syn -m limit --limit 3/second --dport 137:139 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
I am no expert on iptables, but the rules are read top down. With your
first INPUT -p tcp you accept all incoming traffic. Besides that,
you have no rules concerning udp traffic at all. With the default ACCEPT
policy of course your ports show open. You do not mention open tcp ports,
yet I suspect they are wide open as well.
I would definitely change the first INPUT -p tcp rule to LOG
(I think you meant this with your use of the limit matching) and the INPUT
policy to DROP.
Of course this would mean you have to add something for your LAN traffic.

Chris

> /sbin/iptables -A INPUT -p tcp -m state --state INVALID -j DROP
> /sbin/iptables -A INPUT -p tcp -m state --state NEW ! -i eth0 -j REJECT --reject-with tcp-reset
> /sbin/iptables -A INPUT -p ICMP -m limit --limit 4/second -j ACCEPT
> /sbin/iptables -A INPUT -p ICMP --icmp-type ! echo-reply -j DROP
>
>
> for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo "1" > $blah
> done
>
> Thank you. C-Pro.
>
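A default-deny version of the quoted script along the lines Chris suggests, added here as an example and not code from either poster. The LAN interface, LAN subnet and the NetBIOS port ranges are assumed placeholder values, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Default-deny rewrite of the quoted script (added example; assumed LAN values below).
IPT="${IPT:-/sbin/iptables}"          # set IPT=echo to preview the rules without loading them
LAN_IF="${LAN_IF:-eth0}"              # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN subnet (placeholder value)

apply_rules() {
    $IPT -F
    $IPT -X
    # Policies: nothing reaches INPUT unless a rule below allows it. This is the
    # change that stops a scanner from seeing every UDP port as open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback is always accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful rules cover replies for TCP, UDP and ICMP alike, so DNS answers
    # and ping replies for traffic this host started still get in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # LAN-only services (the quoted script allowed 137:139 from any source).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --syn --dport 137:139 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 137:138 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request \
         -m limit --limit 4/second -j ACCEPT
    # Rate-limited LOG for everything else, as Chris suggests, so a scan shows up
    # in syslog; the INPUT policy then drops it, so unsolicited UDP gets no reply.
    $IPT -A INPUT -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
    # Closed TCP ports still answer with a RST, as in the original script.
    $IPT -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
}

# Only load the rules when invoked as: sh firewall.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

`IPT=echo sh firewall.sh apply` prints the rule set for review; run it as root without IPT set to load it.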
