[H-GEN] Need a 2nd (3rd...) opinion.

Martin mczaplej at bigpond.net.au
Tue Jul 24 11:15:20 EDT 2001


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Hello ;]

I'm sorry I haven't an answer for your problem; I am having similar problems
with the rules pasted below.  When I close off the unrestricted access to my
workstation and scan the ports on this machine, it comes up with 2 open
ports, 25 and 80. How can that be????

These rules were written by me this morning, but do not seem to work; icq or
apt-get just times out. Can anyone point out anything obvious in the below?

Meanwhile, I've reverted to pre-built Pmfirewall scripts which seem to work
fine for the time being.

(I've changed the IP and hostname for security reasons)


--------------------------------------
#!/bin/sh
#Firewall IP chains rules for host.dyn.dhs.org 24 July 2001

NIC=192.168.101.20
IPBIN=/sbin/ipchains
MASTER=192.168.101.30

#Flush All rules sets.
$IPBIN -F input
$IPBIN -F output
$IPBIN -F forward

#enable forwarding Gateway setup [optional] disabled here
# echo 1 > /proc/sys/net/ipv4/ip_forward

###Allow Loopback interface
$IPBIN -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPBIN -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

###Block incoming IP spoofing
###Turn on Source Address Verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
 then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
   echo 1 > $f
  done
fi

#Turn on SYN COOKIES PROTECTION
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
 then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#set common services for minimum delay
$IPBIN -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPBIN -A output -p tcp -d 0/0 25 -t 0x01 0x10

# Set ftp-data for maximum throughput
$IPBIN -A output -p tcp -d 0/0 20 -t 0x01 0x08

#Open All ICMP traffic
$IPBIN -A input -p icmp -d $NIC -j ACCEPT
$IPBIN -A output -p icmp -d $NIC -j ACCEPT

# If no rules exist, packets are dropped as Default setting
$IPBIN -P input DENY
$IPBIN -P forward DENY

#allow my computer unrestricted access
$IPBIN -A input -p tcp -s $MASTER -d $NIC -j ACCEPT
$IPBIN -A input  -s $MASTER -d $NIC -j ACCEPT

#Open FTP port 21
$IPBIN -A input -p tcp -d $NIC 20 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 21 -j ACCEPT

#Open SMTP port 25 and POP port 110
$IPBIN -A input -p tcp -d $NIC 25 -j ACCEPT
$IPBIN -A input -p udp -d $NIC 25 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 110 -j ACCEPT
$IPBIN -A input -p udp -d $NIC 110 -j ACCEPT

#Web server port 80
$IPBIN -A input -p tcp -d $NIC 80 -j ACCEPT

#MySQL port 3306 open
$IPBIN -A input -p tcp -d $NIC 3306 -j ACCEPT

#some custom ports for administration
$IPBIN -A input -p tcp -d $NIC 1968 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1969 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1970 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1971 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1972 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1973 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1974 -j ACCEPT
$IPBIN -A input -p tcp -d $NIC 1975 -j ACCEPT


--EOF


thanks in advance,

Martin.

> -----Original Message-----
> From: lists.humbug.org.au Mailing List Manager
> [mailto:mdlishum at zerlargal.humbug.org.au]On Behalf Of Robert Brockway
> Sent: Tuesday, 24 July 2001 9:40 AM
> To: HUMBUG General List
> Subject: [H-GEN] Need a 2nd (3rd...) opinion.
>
>
>
> Hi all.  I'm doing up a firewall using iptables for a
> squid proxycache/dns/mail server.
>
> The proxycache is working fine, but the dns/mail isn't working as
> expected.
>
> I can't see what is wrong with the firewall rules below :)
>
> The box is a slave dns server and won't accept zone transfers.
> Dns queries fail either locally or from a remote client.
>
> These things work with the firewall down of course :)
>
> I expect it'll be the same problem with smtp.
>
> Telnetting to port 25 & 53 works fine.
>
> IPs have been changed to protect the guilty :)
>
> I'm sure it is something simple but I just can't see it :)
>
> Any help greatly appreciated :)
> Rob
>
> -- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
>    Linux counter project ID #16440 (http://www.li.org)
>    blake: up 18 days,  6:15, 11 users,  load average: 1.00, 1.00, 1.00
>    "The earth is but one country and mankind its citizens" -Baha'u'llah
>
> ---------- Forwarded message ----------
>      # Flush the rules
>      /sbin/iptables -F INPUT
>      /sbin/iptables -F FORWARD
>      /sbin/iptables -F OUTPUT
>
>      # Drop all packets by default
>      /sbin/iptables -P INPUT DROP
>      /sbin/iptables -P FORWARD DROP
>      /sbin/iptables -P OUTPUT DROP
>
>      # Let the localhost have full access
>      /sbin/iptables -A INPUT  -j ACCEPT -p all  -s 127.0.0.1 -d 127.0.0.1
>      /sbin/iptables -A OUTPUT -j ACCEPT -p all  -s 127.0.0.1 -d 127.0.0.1
>
>      # Let ernie have full access
>      /sbin/iptables -A INPUT  -j ACCEPT -p all -s 192.168.219.65 -d 192.168.219.70
>      /sbin/iptables -A OUTPUT -j ACCEPT -p all -s 192.168.219.70 -d 192.168.219.65
>
>      # The world needs access to named as grover is an authoritative server
>      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
>      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
>      /sbin/iptables -A INPUT  -j ACCEPT -p udp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
>      /sbin/iptables -A OUTPUT -j ACCEPT -p udp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
>
>      # The world needs access to smtp as grover is a secondary mail server
>      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 25
>      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 25
>
>      # Let anyone access a non privileged port
>      # NB: includes the proxy cache listener (8080)
>      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 1024:65535
>      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 1024:65535
>
>      # Print Firewall rules
>      clear
>      /sbin/iptables -L
>
>


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
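Added illustration for both rule sets in this thread (it is not either poster's script): a small Python model of first-match, stateless packet filtering with the relevant rules of Martin's ipchains script and Rob's iptables script transcribed into it. The host addresses are the ones in the thread; the remote client, mirror and DNS server addresses (203.0.113.9, 198.51.100.7, 198.51.100.53) and the unprivileged source ports are constructed, interface matching is left out, and the ipchains `-i lo` rule is approximated by the 127.0.0.0/8 network. Tracing a request together with the reply it provokes shows the failure mode both filters share: a connection the host initiates leaves through an output chain that permits it, but the reply returns to an unprivileged port that the input chain's DENY/DROP policy discards, so the client simply times out. The same model lists which TCP ports a rule set accepts from any address, and it includes the usual stateless return-path rules (ipchains `! -y`, iptables `! --syn` for established TCP, plus UDP answers from port 53 for resolver queries) that let replies through without accepting fresh connections. Note that a remote client's UDP query to Rob's server passes in this model; what the model does drop is the server's own resolver traffic, because neither of his chains covers UDP leaving from an unprivileged port.

```python
"""First-match model of the stateless ipchains/iptables chains in this thread.
Added illustration, not either poster's script: rule lists are simplified
transcriptions (no interface matching; ipchains '-i lo' modelled as 127.0.0.0/8)
and the remote addresses and unprivileged ports are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = (0, 65535)  # inclusive port range that matches every port


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the opening packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT", "DENY" (ipchains) or "DROP" (iptables)
    proto: Optional[str] = None   # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Tuple[int, int] = ANY
    dport: Tuple[int, int] = ANY
    syn: Optional[bool] = None    # False models ipchains '! -y' / iptables '! --syn'

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        if p.proto in ("tcp", "udp") and not (
            self.sport[0] <= p.sport <= self.sport[1] and self.dport[0] <= p.dport <= self.dport[1]
        ):
            return False
        return self.syn is None or p.proto != "tcp" or self.syn == p.syn


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        """The first matching rule decides; with no match the chain policy applies."""
        return next((r.target for r in self.rules if r.matches(p)), self.policy)


def trace_exchange(first: Chain, second: Chain, request: Packet) -> Tuple[str, str]:
    """Verdicts on a request and on the reply it provokes (a reply is never a bare SYN)."""
    reply = Packet(request.proto, request.dst, request.dport, request.src, request.sport)
    return first.verdict(request), second.verdict(reply)


# Martin's ipchains workstation: input policy DENY; output policy never set, so ACCEPT.
NIC, MASTER = "192.168.101.20", "192.168.101.30"
MARTIN_INPUT = Chain("DENY", [
    Rule("ACCEPT", src="127.0.0.0/8"),
    Rule("ACCEPT", "icmp", dst=NIC),
    Rule("ACCEPT", src=MASTER, dst=NIC),
    *[Rule("ACCEPT", "tcp", dst=NIC, dport=(p, p))
      for p in (20, 21, 25, 110, 80, 3306, *range(1968, 1976))],
    *[Rule("ACCEPT", "udp", dst=NIC, dport=(p, p)) for p in (25, 110)],
])
MARTIN_OUTPUT = Chain("ACCEPT")
# Stateless return path: non-SYN TCP to unprivileged ports and DNS answers from UDP 53.
MARTIN_INPUT_FIXED = Chain("DENY", MARTIN_INPUT.rules + [
    Rule("ACCEPT", "tcp", dst=NIC, dport=(1024, 65535), syn=False),
    Rule("ACCEPT", "udp", dst=NIC, sport=(53, 53), dport=(1024, 65535)),
])

# Rob's iptables server: INPUT and OUTPUT policy DROP.
HOST, ERNIE = "192.168.219.70", "192.168.219.65"
ROB_INPUT = Chain("DROP", [
    Rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"),
    Rule("ACCEPT", src=ERNIE, dst=HOST),
    Rule("ACCEPT", "tcp", dst=HOST, dport=(53, 53)),
    Rule("ACCEPT", "udp", dst=HOST, dport=(53, 53)),
    Rule("ACCEPT", "tcp", dst=HOST, dport=(25, 25)),
    Rule("ACCEPT", "tcp", dst=HOST, dport=(1024, 65535)),
])
ROB_OUTPUT = Chain("DROP", [
    Rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"),
    Rule("ACCEPT", src=HOST, dst=ERNIE),
    Rule("ACCEPT", "tcp", src=HOST, sport=(53, 53)),
    Rule("ACCEPT", "udp", src=HOST, sport=(53, 53)),
    Rule("ACCEPT", "tcp", src=HOST, sport=(25, 25)),
    Rule("ACCEPT", "tcp", src=HOST, sport=(1024, 65535)),
])
# The server's own resolver sends UDP from an unprivileged port to port 53 and gets the
# answer back on that port; neither chain above covers it, so allow both directions.
ROB_OUTPUT_FIXED = Chain("DROP", ROB_OUTPUT.rules + [
    Rule("ACCEPT", "udp", src=HOST, sport=(1024, 65535), dport=(53, 53))])
ROB_INPUT_FIXED = Chain("DROP", ROB_INPUT.rules + [
    Rule("ACCEPT", "udp", dst=HOST, sport=(53, 53), dport=(1024, 65535))])


def apt_get_over_ipchains(in_chain: Chain = MARTIN_INPUT) -> Tuple[str, str]:
    """The workstation opens HTTP to a mirror (203.0.113.9 is constructed)."""
    return trace_exchange(MARTIN_OUTPUT, in_chain, Packet("tcp", NIC, 33000, "203.0.113.9", 80, syn=True))


def tcp_ports_open_to_world(chain: Chain, dst: str, ports) -> List[int]:
    """Which of the given ports a fresh SYN from an arbitrary address would reach."""
    return [p for p in ports if chain.verdict(Packet("tcp", "203.0.113.9", 44444, dst, p, syn=True)) == "ACCEPT"]


def remote_dns_query(in_chain: Chain = ROB_INPUT, out_chain: Chain = ROB_OUTPUT) -> Tuple[str, str]:
    """A client (198.51.100.7, constructed) queries the slave over UDP."""
    return trace_exchange(in_chain, out_chain, Packet("udp", "198.51.100.7", 40000, HOST, 53))


def resolver_query(out_chain: Chain = ROB_OUTPUT, in_chain: Chain = ROB_INPUT) -> Tuple[str, str]:
    """The server itself (its MTA, say) resolves a name at a remote DNS server (198.51.100.53, constructed)."""
    return trace_exchange(out_chain, in_chain, Packet("udp", HOST, 40001, "198.51.100.53", 53))


if __name__ == "__main__":
    print("apt-get over ipchains  ", apt_get_over_ipchains(), "->", apt_get_over_ipchains(MARTIN_INPUT_FIXED))
    print("ports open to the world", tcp_ports_open_to_world(MARTIN_INPUT, NIC, [22, 25, 80, 3306]))
    print("remote DNS query       ", remote_dns_query())
    print("server's own DNS lookup", resolver_query(), "->", resolver_query(ROB_OUTPUT_FIXED, ROB_INPUT_FIXED))
```

Running the script prints the ipchains HTTP exchange as ("ACCEPT", "DENY") before the return-path rules and ("ACCEPT", "ACCEPT") after them, lists 25, 80 and 3306 as the ports the workstation's input chain accepts from anywhere, and shows the server's own UDP lookup dropped in both directions until the two extra UDP rules are added. The `syn=False` rule is the stateless trick both tools offer: it admits packets of connections the host started while a fresh SYN to the same port range still falls through to the DENY policy, which the `tcp_ports_open_to_world` check confirms.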


