[H-GEN] Need a 2nd (3rd...) opinion.

Marshall, Joshua marshallj at switch.aust.com
Tue Jul 24 19:38:05 EDT 2001


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Hi Martin,

A few comments on your configuration:

1. You don't have a default policy for the output chain. You may wish to set
this to ACCEPT.
2. You have specified the ports in the wrong direction for the services; that's
why you are seeing ports 25 and 80 open.

e.g. Change:

$IPBIN -A input -p tcp -d $NIC 80 -j ACCEPT

to


3.

Martin wrote:

>
> Hello ;]
>
> I'm sorry I haven't an answer for your problem, I am having similar problems
> with the rules pasted below.  When I close off the unrestricted access to my
> workstation and scan the ports on this machine, it comes up with 2 open
> ports, 25 and 80, how can that be????
>
> These rules were written by me this morning, but do not seem to work; icq or
> apt-get just times out, can anyone point out anything obvious in the below?
>
> Meanwhile, I've reverted to pre-built Pmfirewall scripts which seem to work
> fine for the time being.
>
> (I've changed the ip and hostname for security reasons)
>
> --------------------------------------
> #!/bin/sh
> #Firewall IP chains rules for host.dyn.dhs.org 24 July 2001
>
> NIC=192.168.101.20
> IPBIN=/sbin/ipchains
> MASTER=192.168.101.30
>
> #Flush All rules sets.
> $IPBIN -F input
> $IPBIN -F output
> $IPBIN -F forward
>
> #enable forwarding Gateway setup [optional] disabled here
> # echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ###Allow Loopback interface
> $IPBIN -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
> $IPBIN -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
>
> ###Block incoming IP spoofing
> ###Turn on Source Address Verification
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
>  then
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter
>   do
>    echo 1 > $f
>   done
> fi
>
> #Turn on SYN COOKIES PROTECTION
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
>  then
>   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
>
> #set common services for minimum delay
> $IPBIN -A output -p tcp -d 0/0 80 -t 0x01 0x10
> $IPBIN -A output -p tcp -d 0/0 22 -t 0x01 0x10
> $IPBIN -A output -p tcp -d 0/0 23 -t 0x01 0x10
> $IPBIN -A output -p tcp -d 0/0 21 -t 0x01 0x10
> $IPBIN -A output -p tcp -d 0/0 110 -t 0x01 0x10
> $IPBIN -A output -p tcp -d 0/0 25 -t 0x01 0x10
>
> # Set ftp-data for maximum throughput
> $IPBIN -A output -p tcp -d 0/0 20 -t 0x01 0x08
>
> #Open All ICMP traffic
> $IPBIN -A input -p icmp -d $NIC -j ACCEPT
> $IPBIN -A output -p icmp -d $NIC -j ACCEPT
>
> # If no rules exist, packets are dropped as Default setting
> $IPBIN -P input DENY
> $IPBIN -P forward DENY
>
> #allow my computer unrestricted access
> $IPBIN -A input -p tcp -s $MASTER -d $NIC -j ACCEPT
> $IPBIN -A input  -s $MASTER -d $NIC -j ACCEPT
>
> #Open FTP port 21
> $IPBIN -A input -p tcp -d $NIC 20 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 21 -j ACCEPT
>
> #Open SMTP port 25 and POP port 110
> $IPBIN -A input -p tcp -d $NIC 25 -j ACCEPT
> $IPBIN -A input -p udp -d $NIC 25 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 110 -j ACCEPT
> $IPBIN -A input -p udp -d $NIC 110 -j ACCEPT
>
> #Web server port 80
> $IPBIN -A input -p tcp -d $NIC 80 -j ACCEPT
>
> #MySQL port 3306 open
> $IPBIN -A input -p tcp -d $NIC 3306 -j ACCEPT
>
> #some custom ports for administration
> $IPBIN -A input -p tcp -d $NIC 1968 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1969 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1970 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1971 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1972 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1973 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1974 -j ACCEPT
> $IPBIN -A input -p tcp -d $NIC 1975 -j ACCEPT
>
> --EOF
>
> thanks in advance,
>
> Martin.
>
> > -----Original Message-----
> > From: lists.humbug.org.au Mailing List Manager
> > [mailto:mdlishum at zerlargal.humbug.org.au]On Behalf Of Robert Brockway
> > Sent: Tuesday, 24 July 2001 9:40 AM
> > To: HUMBUG General List
> > Subject: [H-GEN] Need a 2nd (3rd...) opinion.
> >
> >
> >
> > Hi all.  I'm doing up a firewall using iptables for a
> > squid proxycache/dns/mail server.
> >
> > The proxycache is working fine, but the dns/mail isn't working as
> > expected.
> >
> > I can't see what is wrong with the firewall rules below :)
> >
> > The box is a slave dns server and won't accept zone transfers.
> > Dns queries fail either locally or from a remote client.
> >
> > These things work with the firewall down of course :)
> >
> > I expect it'll be the same problem with smtp.
> >
> > Telnetting to port 25 & 53 works fine.
> >
> > IPs have been changed to protect the guilty :)
> >
> > I'm sure it is something simple but I just can't see it :)
> >
> > Any help greatly appreciated :)
> > Rob
> >
> > -- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
> >    Linux counter project ID #16440 (http://www.li.org)
> >    blake: up 18 days,  6:15, 11 users,  load average: 1.00, 1.00, 1.00
> >    "The earth is but one country and mankind its citizens" -Baha'u'llah
> >
> > ---------- Forwarded message ----------
> >      # Flush the rules
> >      /sbin/iptables -F INPUT
> >      /sbin/iptables -F FORWARD
> >      /sbin/iptables -F OUTPUT
> >
> >      # Drop all packets by default
> >      /sbin/iptables -P INPUT DROP
> >      /sbin/iptables -P FORWARD DROP
> >      /sbin/iptables -P OUTPUT DROP
> >
> >      # Let the localhost have full access
> >      /sbin/iptables -A INPUT  -j ACCEPT -p all  -s 127.0.0.1 -d 127.0.0.1
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p all  -s 127.0.0.1 -d 127.0.0.1
> >
> >      # Let ernie have full access
> >      /sbin/iptables -A INPUT  -j ACCEPT -p all -s 192.168.219.65 -d 192.168.219.70
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p all -s 192.168.219.70 -d 192.168.219.65
> >
> >      # The world needs access to named as grover is an authoritative server
> >      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
> >      /sbin/iptables -A INPUT  -j ACCEPT -p udp -s 0.0.0.0/0 -d 192.168.219.70 --dport 53
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p udp -s 192.168.219.70 -d 0.0.0.0/0 --sport 53
> >
> >      # The world needs access to smtp as grover is a secondary mail server
> >      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 25
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 25
> >
> >      # Let anyone access a non privileged port
> >      # NB: includes the proxy cache listener (8080)
> >      /sbin/iptables -A INPUT  -j ACCEPT -p tcp -s 0.0.0.0/0 -d 192.168.219.70 --dport 1024:65535
> >      /sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s 192.168.219.70 -d 0.0.0.0/0 --sport 1024:65535
> >
> >      # Print Firewall rules
> >      clear
> >      /sbin/iptables -L
> >
> >
> > --
> > * This is list (humbug) general handled by majordomo at lists.humbug.org.au .
> > * Postings to this list are only accepted from subscribed addresses of
> > * lists 'general' or 'general-post'.
> >
>


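Added illustration (not code from any of the posts above): a small model of how a stateless first-match filter such as ipchains decides a packet, run against the input chain Martin posted. It shows the two things the thread is circling around: a scan sees port 80 open because the `-d $NIC 80` input rule accepts the incoming SYN, while the reply half of a connection the box itself opens (apt-get fetching over HTTP) arrives on an unprivileged local port, matches no input rule, and falls to the `-P input DENY` policy, so the fetch times out. The `! -y` return-traffic rule at the end is the usual ipchains remedy and is my addition, as are the remote addresses and port numbers. The same first-match-then-policy evaluation applies to the iptables rules quoted from Robert's post.

```python
"""Model of ipchains-style stateless rule evaluation (added example).

Rules are tried in order; the first match wins; otherwise the chain
policy set with -P applies. Addresses NIC and MASTER come from the
posted script; the remote hosts and ports below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

NIC = "192.168.101.20"
MASTER = "192.168.101.30"
ANY = "0/0"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN-only flag, what ipchains tests with -y


@dataclass(frozen=True)
class Rule:
    """One ipchains-style rule: every field that is set must match."""
    target: str                     # ACCEPT / DENY
    proto: Optional[str] = None     # -p
    src: str = ANY                  # -s address
    sport: Optional[range] = None   # port(s) after -s
    dst: str = ANY                  # -d address
    dport: Optional[range] = None   # port(s) after -d
    syn: Optional[bool] = None      # -y (True) or ! -y (False)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src != ANY and self.src != p.src:
            return False
        if self.dst != ANY and self.dst != p.dst:
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.syn is not None and self.syn != p.syn:
            return False
        return True


def evaluate(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def port(n: int) -> range:
    return range(n, n + 1)


# Martin's input chain as posted, in order, with -P input DENY.
INPUT_RULES = [
    Rule("ACCEPT", src=MASTER, dst=NIC),
] + [
    Rule("ACCEPT", proto="tcp", dst=NIC, dport=port(n))
    for n in (20, 21, 25, 110, 80, 3306, *range(1968, 1976))
] + [
    Rule("ACCEPT", proto="udp", dst=NIC, dport=port(n)) for n in (25, 110)
]
INPUT_POLICY = "DENY"

# Constructed traffic: a port scan probing the web port, and the reply half
# of a connection the box itself opened to a remote web server (apt-get).
SCAN_SYN = Packet("tcp", "203.0.113.9", 40000, NIC, 80, syn=True)
HTTP_REPLY = Packet("tcp", "198.51.100.5", 80, NIC, 33000, syn=False)


def posted_verdicts():
    """Scan on port 80 is accepted; the reply to our own request is denied."""
    return (evaluate(INPUT_RULES, INPUT_POLICY, SCAN_SYN),
            evaluate(INPUT_RULES, INPUT_POLICY, HTTP_REPLY))


# Stateless remedy (my addition, not from the thread): accept non-SYN TCP to
# unprivileged ports, i.e. "! -y -d $NIC 1024:65535", so replies to
# connections the box opened get in, while a fresh SYN to a high port
# still falls through to the DENY policy.
RETURN_TRAFFIC = Rule("ACCEPT", proto="tcp", dst=NIC,
                      dport=range(1024, 65536), syn=False)
FIXED_RULES = INPUT_RULES + [RETURN_TRAFFIC]
HIGH_PORT_SYN = Packet("tcp", "203.0.113.9", 40001, NIC, 33000, syn=True)


def fixed_verdicts():
    """Reply now accepted; an unsolicited SYN to a high port still denied."""
    return (evaluate(FIXED_RULES, INPUT_POLICY, HTTP_REPLY),
            evaluate(FIXED_RULES, INPUT_POLICY, HIGH_PORT_SYN))


if __name__ == "__main__":
    print("posted rules (scan SYN, HTTP reply):", posted_verdicts())
    print("with ! -y rule (HTTP reply, high-port SYN):", fixed_verdicts())
```

The model deliberately has no connection table: like ipchains, it only sees one packet at a time, which is why the direction of a rule (which end's port it names) decides everything, and why an explicit output policy, as Joshua suggests, is worth setting rather than relying on the default.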


