[H-GEN] Need a 2nd (3rd...) opinion.
Martin
mczaplej at bigpond.net.au
Tue Jul 24 11:15:20 EDT 2001
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Hello ;]
Im sorry I havent an answer for your problem, I am having similiar problems
with the rules pasted below. When I close off the unrestricted access to my
workstation and scan the ports on this machine, it comes up with 2 open
ports, 25 and 80, how can that be????
this rules were written by me this morning, but do not seem to work, icq or
apt-get just times out, can anyone point out anything obvious in the below?
Meanwhile, ive reverted to pre-built Pmfirewall scripts which seem to work
fine for the time beeing.
(ive changed the ip and hostname for security reasons)
--------------------------------------
#!/bin/sh
#Firewall IP chains rules for host.dyn.dhs.org 24 July 2001
NIC=192.168.101.20
IPBIN=/sbin/ipchains
MASTER=192.168.101.30
#Flush All rules sets.
$IPBIN -F input
$IPBIN -F output
$IPBIN -F forward
#enable forwarding Gateway setup [optional] disabled here
# echo 1 > /proc/sys/net/ipv4/ip_forward
###Allow Loopback interface
$IPBIN -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPBIN -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
###Block incoming IP spoofing
###Turn on Source Address Verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
fi
#Turn on SYN COOKIES PROTECTION
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#set common services for minimum delay
$IPBIN -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 25 -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPBIN -A output -p tcp -d 0/0 20 -t 0x01 0x08
#Open All ICMP traffic
$IPBIN -A input -p icmp -d $NIC -j ACCEPT
$IPBIN -A output -p icmp -d $NIC -j ACCEPT
# If no rules exist, packets are dropped as Default setting
$IPBIN -P input DENY
$IPBIN -P forward DENY
#allow my computer unrestricted access
$IPBIN -A input -p tcp -s $MASTER -d $NIC -j ACCEPT
$IPBIN -A input -s $MASTER -d $NIC -j ACCEPT
#Open FTP port 21
$IPBIN -A input -p tcp -d $NIC 20 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 21 -j ACCEPT
#Open SMTP port 25 and POP port 110
$IPBIN -A input -p tcp -d $NIC 25 -j ACCEPT
$IPBIN -A input -p udp -d $NIC 25 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 110 -j ACCEPT
$IPBIN -A input -p udp -d $NIC 110 -j ACCEPT
#Web server port 80
$IPBIN -A input -p tcp -d $NIC 80 -j ACCEPT
#MySQL port 3306 open
$IPBIN -A input -p tcp -d $NIC 3306 -j ACCEPT
#some custom ports for administration
$IPBIN -A input -p tcp -d $NIC 1968 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1969 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1970 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1971 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1972 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1973 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1974 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1975 -j ACCEPT
--EOF
thanks in advance,
Martin.
> -----Original Message-----
> From: lists.humbug.org.au Mailing List Manager
> [mailto:mdlishum at zerlargal.humbug.org.au]On Behalf Of Robert Brockway
> Sent: Tuesday, 24 July 2001 9:40 AM
> To: HUMBUG General List
> Subject: [H-GEN] Need a 2nd (3rd...) opinion.
>
>
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics. Please observe the list's charter. ]
> [ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
>
> Hi all. I'm doing up a firewall using iptables for a
> squid proxycache/dns/mail server.
>
> The proxycache is working fine, but the dns/mail isn't working as
> expected.
>
> I can't see what is wrong with the firewall rules below :)
>
> The box is a slave dns server and won't accept zone transfers.
> Dns queries fail either locally or from a remote client.
>
> These things work with the firewall down of course :)
>
> I expect it'll be the same problem with smtp.
>
> Telnetting to port 25 & 53 works fine.
>
> IPs have been changed to protect the guilty :)
>
> I'm sure it is something simple but I just can't see it :)
>
> Any help greatly appreciated :)
> Rob
>
> -- Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
> Linux counter project ID #16440 (http://www.li.org)
> blake: up 18 days, 6:15, 11 users, load average: 1.00, 1.00, 1.00
> "The earth is but one country and mankind its citizens" -Baha'u'llah
>
> ---------- Forwarded message ----------
> # Flush the rules
> /sbin/iptables -F INPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -F OUTPUT
>
> # Drop all packets by default
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -P OUTPUT DROP
>
> # Let the localhost have full access
> /sbin/iptables -A INPUT -j ACCEPT -p all -s 127.0.0.1 -d 127.0.0.1
> /sbin/iptables -A OUTPUT -j ACCEPT -p all -s 127.0.0.1 -d 127.0.0.1
>
> # Let ernie have full access
> /sbin/iptables -A INPUT -j ACCEPT -p all -s 192.168.219.65
> -d 192.168.219.70
> /sbin/iptables -A OUTPUT -j ACCEPT -p all -s 192.168.219.70
> -d 192.168.219.65
> # The world needs access to named as grover is an authorative server
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d
> 192.168.219.70 --dport 53
> /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70
> -d 0.0.0.0/0 --sport 53
> /sbin/iptables -A INPUT -j ACCEPT -p udp -s 0.0.0.0/0 -d
> 192.168.219.70 --dport 53
> /sbin/iptables -A OUTPUT -j ACCEPT -p udp -s 192.168.219.70
> -d 0.0.0.0/0 --sport 53
>
> # The world needs access to smtp as grover is a secondary mail server
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0 -d
> 192.168.219.70 --dport 25
> /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70
> -d 0.0.0.0/0 --sport 25
>
> # Let anyone access a non privileged port
> # NB: includes the proxy cache listener (8080)
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -s 0.0.0.0/0
> -d 192.168.219.70 --dport 1024:65535
> /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70
> -d 0.0.0.0/0 --sport 1024:65535
>
> # Print Firewall rules
> clear
> /sbin/iptables -L
>
>
> --
> * This is list (humbug) general handled by majordomo at lists.humbug.org.au .
> * Postings to this list are only accepted from subscribed addresses of
> * lists 'general' or 'general-post'.
>
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
More information about the General
mailing list