SUN RPC viewable toe veryone.. and IPTables cant stop it?

Message

HydroSan · Post by **HydroSan** » Sun Sep 25, 2005 8:17 pm

I did two separate portscans from websites to see if I were vulnerable. Currently, they say Port 111 on both TCP and UDP is open, which is the SUN RPC protocol.

So I thought, alright, just add a simple IPTables rule:

Code: Select all

iptables -A INPUT -i $INTERNET -p tcp --dport 111 -j DROP
iptables -A INPUT -i $INTERNET -p udp --dport 111 -j DROP

... But Port 111 is still open.

Also, on a scary note, Port 138 and 137 are open as well, and the above rules don't work for them.

Is there anything I'm doing wrong?

HydroSan · Post by **HydroSan** » Mon Sep 26, 2005 1:36 am

bump.

roarinelk · Post by **roarinelk** » Mon Sep 26, 2005 7:01 am

a bit strange that it doesn't work for you.

Try this, I use this on my router box:

Code: Select all

iptables -I INPUT -i eth0 -m multiport -p tcp --dports 137,139,445,631,53 -j DROP
iptables -I INPUT -i eth0 -m multiport -p udp --dports 137,138,139,445,631 -j DROP

needs the ipt_multiport netfilter module.

as far as i can tell, those ports are shut. you could create a separate chain with a logging
directive inside, to see if it works, and then let the filter line above jump to it, something like this:

Code: Select all

iptables -t filter -N DEBUGLOG >/dev/null 2>&1
iptables -t filter -A DEBUGLOG -j LOG --log-prefix "++FILTERED: "
iptables -t filter -A DEBUGLOG -j DROP

iptables -I INPUT -i eth0 -m multiport -p tcp --dports 137,139,445,631,53 -j DEBUGLOG
iptables -I INPUT -i eth0 -m multiport -p udp --dports 137,138,139,445,631 -j DEBUGLOG

and then scan your host again. you should see a few "++FILTERED: ..." messages in dmesg.

good luck,

--
mlau

PaulBredbury · Post by **PaulBredbury** » Mon Sep 26, 2005 7:28 am

What is the value of "$INTERNET"? Perhaps you have a preceding "ACCEPT" iptables rule which takes precedence. To list the active rules:

Code: Select all

iptables -L -n