Re: Iptables udp problems

From: C-Pro (c-pro-29a*removeit*@mail.ru)
Date: 03/12/02


From: C-Pro <c-pro-29a*removeit*@mail.ru>
Date: Wed, 13 Mar 2002 00:29:00 +1000

chris wrote:
> In article <3C89D6AE.8010803@mail.ru>, C-Pro wrote:
>
>>I am running iptables on my RH 7.1 (kernel 2.5.0) and when scanning from
>> another computer on my local network, scanner shows all udp ports
>>open. Why?
>>
> Because you seem to be wide open.

Scanner shows open ports only on established connections (I describe a
simple case), and a firewall set to "ACCEPT" doesn't establish connections,
it simply *passes them through*. So if there is no application listening
on this port, scanner will say "closed" anyway.

>
>>my iptables script:
>>
>>#!/bin/bash
>>/sbin/iptables -F
>>/sbin/iptables -P INPUT ACCEPT
>>
>
> Are you sure about this? usually one would put up a deny policy by
> default.

I have closed all ports containing services, listening some ports anyway
(except netbios), so that doesn't matter.

>>/sbin/iptables -P OUTPUT ACCEPT
>>/sbin/iptables -P FORWARD DROP
>>/sbin/iptables -A INPUT -i lo -p ALL -j ACCEPT
>>/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN RST -m limit --limit 3/second -j ACCEPT
>>/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN RST -j DROP
>>/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 3/second --dport 137:139 -j ACCEPT
>>/sbin/iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
>
> I am no expert on iptables, but the rules are read top down. With your
> first INPUT -p tcp you accept all incoming traffic.

With my first INPUT -p tcp I allow *only* 3 rst packets per second.
With my second INPUT -p tcp I deny remaining rst packets.
With my third INPUT -p tcp I allow establishing max 3 tcp connections
per second. And so on...

> Beside that,
> you have no rules concerning udp traffic at all. With the default ACCEPT
> policy of course your ports show open. You do not mention open tcp ports,
> yet I suspect they are wide open as well.

See the top.

> I would definitely change the first INPUT -p tcp rule to LOG
> (I think you meant this with your use of the limit matching) and the INPUT
> policy to DROP.
> Of course this would mean you have to add something for your LAN traffic.

Thank you anyway.
C-Pro
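A tightened version of the script under discussion, added here as an example (not C-Pro's own script), taking up the points chris raised: a default DROP policy on INPUT, explicit LAN traffic, a rate-limited LOG rule and explicit UDP rules so a scanner sees the UDP ports as closed rather than open. The LAN range 192.168.1.0/24 and the `IPT` dry-run default (it echoes the commands instead of running them) are assumptions.

```shell
#!/bin/sh
# Hardened rewrite of the thread's script: default-DROP INPUT policy,
# stateful accept, explicit LAN allowance and explicit UDP handling.
# IPT defaults to "echo /sbin/iptables" so the rule set can be reviewed
# without root; set IPT=/sbin/iptables to apply it. LAN is an assumed range.
IPT="${IPT:-echo /sbin/iptables}"
LAN="${LAN:-192.168.1.0/24}"

gen_rules() {
    $IPT -F
    $IPT -X
    # Default policies: drop unsolicited inbound, allow outbound, no forwarding.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    # Loopback, plus replies belonging to connections this host initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Stray RST packets (not part of a tracked connection): drop quietly.
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK,RST,FIN RST -j DROP
    # NetBIOS only from the LAN, keeping the original 3 connections/second cap.
    $IPT -A INPUT -s "$LAN" -p tcp --syn --dport 137:139 -m limit --limit 3/second -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p udp --dport 137:138 -j ACCEPT
    # Everything else: log at a limited rate, then answer so scanners see "closed".
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Number of generated rules that match the given protocol (tcp or udp).
count_proto() {
    gen_rules | grep -c -- "-p $1"
}

gen_rules
```

Unanswered UDP probes are reported by scanners as open or filtered, which is why the UDP REJECT rule answers with an ICMP port-unreachable instead of silently dropping.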


