Gentoo Forums
weird: open ports => iptables
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Sun Feb 23, 2003 3:08 am    Post subject: weird: open ports => iptables

Hi everybody,

I'm using an iptables script and changed everything to use reject-with... When being port scanned, it seems that my ports 53, 67, 111, 137-139 and 445 are open for UDP traffic. I'm not running a portmapper or a DNS server, there's no Windows on my PC anymore, etc. There aren't any services running which need, e.g., a portmapper.

Quote:
root@heisl # ls /mnt/.init.d/started/
backupclock iptables modules serial net.eth0
bootmisc consolefont keymaps ntpd sumtraffic net.lo
checkfs fcron local numlock syslog-ng
checkroot hostname localmount rmnologin urandom


Could someone please have a look at my iptables script and tell me what I'm doing wrong? I guess it's something to do with the "abweisen" chain.

Thanks in advance

Code:

#!/sbin/runscript
# Gentoo init script: packet filter for a single-homed workstation.
# Comments translated from German; the chain name "abweisen" means "reject"
# and the log prefix "verboten" means "forbidden" (both kept as-is).

IPTABLES="/sbin/iptables"

depend() {
   need net
}

start() {

ebegin "Loading iptables"

# general
# ip_conntrack is pulled in as a dependency of the FTP helper
#modprobe ip_conntrack
modprobe ip_conntrack_ftp

# set dynamic kernel parameters
# explanations here: http://www.linuxguruz.org/iptables/scripts/rc.firewall_010.txt

# reverse-path filtering on every interface (anti-spoofing)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo "1" > ${interface}
done

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

# flush the filter and nat tables and delete user-defined chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# flush the built-in chains
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

# deny everything for now: a temporary first rule in each chain, deleted
# again at the end once the real rules are in place. The built-in policies
# are set to DROP as well, so the chains fail closed should the script abort
# half way (the original left them at ACCEPT).
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

# reject chain: answer unwanted packets with an explicit error instead of
# silently dropping them (a silent DROP looks like "open" to a UDP scanner
# that treats no answer as open)
$IPTABLES -N abweisen
$IPTABLES -F abweisen
$IPTABLES -A abweisen -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A abweisen -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A abweisen -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A abweisen -j REJECT

# loopback
$IPTABLES -A INPUT -s "127.0.0.1" -i lo -d "127.0.0.1" -j ACCEPT
$IPTABLES -A OUTPUT -d "127.0.0.1" -o lo -s "127.0.0.1" -j ACCEPT

# incoming rules
# ==============

$IPTABLES -A INPUT -m state --state INVALID -j REJECT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ident: reject at once so mail and IRC servers do not wait for a timeout
$IPTABLES -A INPUT -p tcp --dport 113 -j abweisen

# netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

# deny the rest (rate-limited log, then reject)
$IPTABLES -A INPUT -m limit --limit 1/s -j LOG --log-prefix "verboten <= "
$IPTABLES -A INPUT -j abweisen

# outgoing rules
# ==============

$IPTABLES -A OUTPUT -m state --state INVALID -j REJECT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# dns: only to the resolvers listed in /etc/resolv.conf
# (UDP only; a resolver falling back to TCP/53 is rejected below)
for dns in `gawk '/^nameserver/ { print $2 }' /etc/resolv.conf`; do
   $IPTABLES -A OUTPUT -p udp --dport 53 -d $dns -j ACCEPT
done

# icmp
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# time => ntpd
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT

# rsync
$IPTABLES -A OUTPUT -p tcp --dport 873 -j ACCEPT

# gaim & irc
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4000:4100 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5190 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 5190 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5050 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6667:7000 -j ACCEPT

# http(s)
$IPTABLES -A OUTPUT -p tcp --dport 80  -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 8000 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT

# ftp, telnet & ssh
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT

# mail & news
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT

# deny the rest (rate-limited log, then reject)
$IPTABLES -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "verboten => "
$IPTABLES -A OUTPUT -j REJECT

# delete the temporary deny-all rule (rule 1) from each chain
$IPTABLES -D INPUT 1
$IPTABLES -D FORWARD 1
$IPTABLES -D OUTPUT 1

   eend $? "Failed to load iptables"
}

stop() {
   ebegin "Unloading iptables"
   # flush everything and fall back to an open policy
   $IPTABLES -F
   $IPTABLES -X
   $IPTABLES -t nat -F
   $IPTABLES -t nat -X
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT
   eend $?
}

krt (Tux's lil' helper; Joined: 27 Nov 2002; Posts: 102; Location: Earth)
Posted: Sun Feb 23, 2003 7:22 am

Those ports are set to return a message. You can change the target to "DROP" instead of "REJECT" if you wish to see nothing turn up in a port scan, i.e.:

from this:
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

to this:
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j DROP
_________________
Everyone has something clever for a signature but me.
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Sun Feb 23, 2003 12:13 pm

I've changed 137:139 to DROP and added these lines

Quote:

$IPTABLES -A INPUT -p udp -i eth0 --dport 53 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 67 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 111 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 445 -j DROP


but the ports still seem to be open... It seems that the iptables script doesn't even guard these ports :( Still any ideas?

Thanks in advance
leemc (n00b; Joined: 17 Feb 2003; Posts: 42; Location: Austria)
Posted: Sun Feb 23, 2003 1:38 pm

Hi!
zbled wrote:
but the ports still seem to be open... it seems that the iptables script doesn't even guard these ports :( still any ideas?


How do you scan your ports? You won't get useful results when you scan from within your own network. Let your ports be scanned from the outside by one of the various web scanners, like the one at https://grc.com/x/ne.dll?bh0bkyd2 or at http://check.lfd.niedersachsen.de/start.php (German).

Best regards,

leemc
darktux (Veteran; Joined: 16 Nov 2002; Posts: 1086; Location: Coimbra, Portugal)
Posted: Sun Feb 23, 2003 1:51 pm

krt wrote:
those ports are set to return a message, you can change the target to "DROP" instead of "REJECT" if you wish to see nothing turn up in a port scan.. i.e.:

from this:
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

to this:
#netbios
$IPTABLES -A INPUT -p tcp -i eth0 --dport 137:139 -j DROP
$IPTABLES -A INPUT -p udp -i eth0 --dport 137:139 -j DROP


A SYN scan will detect the ports either way.
_________________
Lego my ego, and I'll lego your knowledge

www.tuxslare.org - My reborn website :P
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Sun Feb 23, 2003 3:49 pm

leemc wrote:
Hi!
zbled wrote:
but the ports still seem to be open... it seems that the iptables script doesn't even guard these ports :( still any ideas?


How do you scan your ports? You won't get useful results when you scan from within your own network. Let your ports be scanned from the outside by one of the various web scanners, like the one at https://grc.com/x/ne.dll?bh0bkyd2 or at http://check.lfd.niedersachsen.de/start.php (German).

Best regards,

leemc


I've tried grc, scan.sygate.com (UDP) and I've also asked a buddy to use nmap on my IP. grc does no UDP scan. These ports seem to be stealth for a TCP scan, but as stated, the problem is UDP :(...
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Mon Feb 24, 2003 9:16 am

I've been scanned again with nmap. Here are the results. Does really no one know why these ports seem to be open, even if there's no service listening on them, or how to close them anyway?

Quote:
Interesting ports on chello*********.vie.surfer.at:
(The 1441 ports scanned but not shown below are in state: closed)
Port State Service
53/udp open domain
67/udp open dhcp
69/udp open tftp
111/udp open sunrpc
137/udp open netbios-ns
138/udp open netbios-dgm
139/udp open netbios-ssn
161/udp open snmp
162/udp open snmptrap
201/udp open at-rtmp
202/udp open at-nbp
203/udp open at-3
204/udp open at-echo
205/udp open at-5
206/udp open at-zis
207/udp open at-7
208/udp open at-8
445/udp open microsoft-ds


Quote:

Port State Service
53/tcp filtered domain
67/tcp filtered dhcp
69/tcp filtered tftp
111/tcp filtered sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
201/tcp filtered at-rtmp
202/tcp filtered at-nbp
203/tcp filtered at-3
204/tcp filtered at-echo
205/tcp filtered at-5
206/tcp filtered at-zis
207/tcp filtered at-7
208/tcp filtered at-8
445/tcp filtered microsoft-ds


Results from iptables -L -n: click

I'm using the wolk kernel (v2.4.20-wolk4.0s-pre9 ). Could it be responsible for this problem?
water (Guru; Joined: 19 Jun 2002; Posts: 387; Location: Zierikzee, The Netherlands)
Posted: Mon Feb 24, 2003 9:27 am

What happens if you delete/comment all rules after:
Code:

#deny everything for now
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

?

If it works the way it should, all ports would be blocked. If that is OK, you could add the rules to open ports one by one and see what happens.
_________________
Groeten uit Holland
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Mon Feb 24, 2003 9:43 am

I've already done that. I've commented out every INPUT rule apart from this one:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The ports were shown as being open anyway.
leemc (n00b; Joined: 17 Feb 2003; Posts: 42; Location: Austria)
Posted: Mon Feb 24, 2003 12:36 pm

Hi!
zbled wrote:

Results from iptables -L -n: click

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 127.0.0.1 127.0.0.1
REJECT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
syn-flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
abweisen tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `verboten <= '
abweisen all -- 0.0.0.0/0 0.0.0.0/0


IMHO only the second and the third rules are actually working. The second one processes all invalid-state packets and sends back an error packet, which indicates to the scanner that there is a service running (maybe not at the moment of scanning) at the port specified. I guess that's why your scanner reports them as filtered/open. The third one accepts all related and established packets. Both rules process all incoming packets. So IMHO your LOG rule won't ever be reached in the chain table. Basically you should place LOG rules before every rule you want to be logged, with the same parameters (man iptables). A possible solution could be placing the second and third rule at the end of the INPUT table.

Best regards,

leemc
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Mon Feb 24, 2003 9:13 pm

Thanks for your help, but all rules should be working, including the log, because it logs a lot ;-). The only weird thing is still this damn UDP crap.

I really think there's something wrong with the "abweisen" chain.
ragger (n00b; Joined: 10 Feb 2003; Posts: 21)
Posted: Mon Feb 24, 2003 10:44 pm

nmap and probably other udp port scanners will report a udp port open if it gets no response at all from that port,
since normal closed udp ports respond with a port-unreachable icmp message.
If your firewall silently drops udp packets (not sending icmp error messages)
the udp scanner will think it's an open port and report it as that, even if it's
not really open.

Even if it's not your firewall that is dropping the packets, it can be your isp
filtering some traffic on specific ports to your ip (like mine does).
But the effect will be the same.
For example, try a UDP scan on your IP with iptables set to accept all traffic.
If you still get open udp port reports while they're not really open on your pc,
then it's probably your isp filtering those ports and there's no reason for concern.
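The behaviour ragger describes, as an added example that is not part of the thread or of any poster's script: a minimal UDP probe that classifies a port the way a UDP scanner does. A closed UDP port answers with ICMP port unreachable; a DROP rule or an upstream (ISP) filter answers with nothing, which from the scanner's side is indistinguishable from a listening service that happens not to reply, so the honest verdict is "open|filtered" (the nmap of the thread's era printed plain "open" for it). The code assumes Linux semantics, where an ICMP port unreachable for a connected UDP socket surfaces as ECONNREFUSED on the next send or recv; the loopback listener and the port numbers are constructed for the demo.

```python
"""Added example (not from the forum thread): classify a UDP port the way a
UDP scanner does, from the presence or absence of ICMP port unreachable.

Assumes Linux: an ICMP type 3 code 3 for a *connected* UDP socket is
reported to that socket as ECONNREFUSED (ConnectionRefusedError in Python).
The loopback listener and ports below are constructed for the demo only.
"""
import socket

CLOSED = "closed"                 # ICMP port unreachable came back
OPEN = "open"                     # a service actually answered with data
OPEN_OR_FILTERED = "open|filtered"  # silence: DROP, ISP filter or mute service


def probe_udp(host: str, port: int, timeout: float = 1.0,
              payload: bytes = b"\x00") -> str:
    """Send one datagram and classify the port from what comes back.

    No answer within `timeout` is NOT evidence of a listening service: a
    firewall DROP, an upstream filter and a service that ignores the probe
    all look identical, which is why this returns OPEN_OR_FILTERED.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected: ICMP errors are mapped to this socket
        try:
            s.send(payload)
            s.recv(1024)          # only a real service sends data back
            return OPEN
        except ConnectionRefusedError:
            return CLOSED         # kernel relayed ICMP port unreachable
        except socket.timeout:
            return OPEN_OR_FILTERED


def start_silent_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a UDP socket that never replies: models a DROP'd or mute port.

    The caller closes the returned socket; its port is getsockname()[1].
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lst.bind((host, 0))           # port 0: the kernel picks a free port
    return lst


def free_udp_port(host: str = "127.0.0.1") -> int:
    """Return a port nothing is bound to, so the kernel answers with
    ICMP port unreachable (the scanner's "closed")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener = start_silent_listener()
    silent_port = listener.getsockname()[1]
    print(silent_port, probe_udp("127.0.0.1", silent_port, timeout=0.5))
    listener.close()
    unbound_port = free_udp_port()
    print(unbound_port, probe_udp("127.0.0.1", unbound_port))
```

Run it and the bound-but-silent port comes back as open|filtered while the unbound one comes back as closed, which is exactly the difference between the ISP-filtered ports in the nmap listing above and the rest. The same probe against a host behind a `-j REJECT --reject-with icmp-port-unreachable` rule reports closed, and against `-j DROP` reports open|filtered; the only way to tell a DROP on the host from a filter upstream is the test ragger suggests, scanning once more with the host firewall accepting everything.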
zbled (Apprentice; Joined: 18 Jun 2002; Posts: 216; Location: Bukowski's Piano Bar)
Posted: Tue Feb 25, 2003 9:25 am

ragger wrote:
nmap and probably other udp port scanners will report a udp port open if it gets no response at all from that port,
since normal closed udp ports respond with a port-unreachable icmp message.
If your firewall silently drops udp packets (not sending icmp error messages)
the udp scanner will think it's an open port and report it as that, even if it's
not really open.

Even if it's not your firewall that is dropping the packets, it can be your isp
filtering some traffic on specific ports to your ip (like mine does).
But the effect will be the same.
For example, try a UDP scan on your IP with iptables set to accept all traffic.
If you still get open udp port reports while they're not really open on your pc,
then it's probably your isp filtering those ports and there's no reason for concern.


Thank you so much, you were absolutely right. These ports are being blocked by my provider.