Dear Ansgar,

Firstly, thank you very much for your reply.

It still does not give any change. So I start from something very simple, namely: "just opening some ports I need". But the ports that end up open are not mentioned in my script. The ports 21, 23, 53 and 10883 are always closed. I don't mention ports 111, 113 and 515 in my iptables script and I want them to be closed, but in fact they stay open. Sigh...!!!

This is the output with my iptables script:

pat...@debbylap:~$ nmap 219.83.114.180

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-01-31 06:31 WIT
Interesting ports on 219.83.114.180:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
113/tcp open  auth
515/tcp open  printer

Nmap finished: 1 IP address (1 host up) scanned in 9.345 seconds

======
This is my complete script:

#!/bin/bash
#Zero...zero...from beginning
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "0" > /proc/sys/net/ipv4/ip_forward
#route add default gateway 219.83.114.177

#Basic policy
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward

#Log....them
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

iptables -A INPUT -p tcp -m multiport --source-port 20,22,23,53,10883 -j ACCEPT
iptables -A INPUT -p udp -m multiport --source-port 20,22,23,53,10883 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sport 21 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-port 20,22,23,53,10883 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --destination-port 20,22,23,53,10883 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 21 -j ACCEPT

============
mydebian:/etc/apt# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 20,22,23,53,10883
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 20,22,23,53,10883
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 21

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20,22,23,53,10883
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20,22,23,53,10883
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21
mydebian:/etc/apt#

---
On Wed, 28/1/09, Ansgar Wiechers <[email protected]> wrote:

> From: Ansgar Wiechers <[email protected]>
> Subject: Re: my debian does not read my own iptables script
> To: [email protected]
> Date: Wednesday, 28 January 2009, 11:51 AM
>
> On 2009-01-28 Patrik Hasibuan wrote:
> > I am building a firewall with Debian Sarge on my internet gateway. But
> > it looks like my debian does not read my iptables script after I run my
> > own iptables script.
> [...]
> > I haven't opened rpcbind, auth, printer. And 21, 23, 53 are not
> > opened by my iptables. Where is the mistake? Please tell me. I am new
> > in debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I
> > configure the firewall with YaST2 so easily. But now I want to get
> > close to debian too. And I am stuck on this case.
> [...]
> > #!/bin/bash
> > #Zero...zero...from beginning
> > iptables -F
>
> You are not setting default policies (bad idea), so your chains probably
> accept all incoming packets. As others have told you before: please post
> the output of "iptables -nL" and "iptables -t nat -nL" (and perhaps the
> output of "iptables -t mangle -nL" and "iptables -t raw -nL").
>
> As a starting point, my iptables scripts usually begin like this:
>
> ----8<----
> # 1) Disable IP forwarding.
> echo "0" > /proc/sys/net/ipv4/ip_forward
>
> # 2) Set default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> # 3) Flush chains
> iptables -F
> iptables -t nat -F
>
> # 4) Delete user-defined chains
> iptables -X
> iptables -t nat -X
>
> # 5) Re-enable IP forwarding (if required)
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # ...
> ---->8----
>
> Regards
> Ansgar Wiechers
> --
> "The Mac OS X kernel should never panic because, when it does, it
> seriously inconveniences the user."
> --http://developer.apple.com/technotes/tn2004/tn2118.html
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
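As an added illustration (not code from the thread), a small first-match simulation of the INPUT chain from the posted "iptables -L -n" output beside an assumed corrected chain: it walks the rules in order the way iptables does and shows that the "state NEW,ESTABLISHED" ACCEPT rule admits every incoming TCP SYN before the multiport rules are ever reached, which is why 111, 113 and 515 show as open while 21, 23 and 53 report closed (reachable, nothing listening). The FIXED_INPUT chain, its port list and the constructed packets are my assumptions, not anything posted in the thread.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import FrozenSet, Optional

Packet = namedtuple("Packet", "proto sport dport state")  # state: NEW/ESTABLISHED/RELATED/INVALID

@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT / DROP / LOG
    proto: Optional[str] = None            # None = any protocol
    states: FrozenSet[str] = frozenset()   # empty = no conntrack state match
    dports: FrozenSet[int] = frozenset()   # empty = no --dport match
    sports: FrozenSet[int] = frozenset()   # empty = no --sport match

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (not rule.states or pkt.state in rule.states)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.sports or pkt.sport in rule.sports))

def verdict(chain, policy: str, pkt: Packet) -> str:
    """First terminating match wins; LOG is non-terminating, as in iptables."""
    for rule in chain:
        if matches(rule, pkt) and rule.target != "LOG":
            return rule.target
    return policy                          # fell off the end: chain policy applies

PORTS = frozenset({20, 22, 23, 53, 10883})
# The poster's INPUT chain, rule for rule. Rule 2 accepts every incoming TCP SYN, so
# the multiport rules below it (which test the *client's* source port) never matter.
POSTED_INPUT = [
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", proto="tcp", states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("LOG"),
    Rule("ACCEPT", proto="tcp", sports=PORTS),
    Rule("ACCEPT", proto="udp", sports=PORTS),
    Rule("ACCEPT", proto="tcp", sports=frozenset({21})),
    Rule("ACCEPT", proto="udp", sports=frozenset({21})),
]
# Assumed corrected chain (added here, not from the thread): accept replies to
# existing flows, then allow NEW only to the listening ports you actually want.
FIXED_INPUT = [
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", states=frozenset({"NEW"}), dports=frozenset({22})),
    Rule("LOG"),
]

def syn_to(port: int) -> Packet:           # constructed client SYN from an ephemeral port
    return Packet("tcp", 40000, port, "NEW")
```

Note that the posted chain treats UDP differently from TCP: a UDP packet only gets past the policy when its *source* port is in the list, which is the reverse of what a service whitelist needs.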

