> Here's the output of 'iptables -L -n -v':
>
> Chain INPUT (policy ACCEPT 1613 packets, 96669 bytes)

Even though you are specifically allowing port 135 without the SYN, the
default rules will accept packets that do not match any REJECT or DROP
rules. I bet you are running ethereal from the FW machine. Looking at the
rules, it should DROP packets from port 135 that are sent to the FORWARD
table.

I recommend you change the default INPUT table to DENY and specifically
allow only the protocols you need to connect. IIRC:

$IPTABLES -P INPUT DENY

You may also need to allow DHCP traffic, 67:68.

This should help you quite a bit:
http://iptables-tutorial.frozentux.net/

man iptables is also quite helpful for the basics.

>  pkts bytes target prot opt in   out source    destination
>  2891  258K ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
>     0     0 ACCEPT tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0   tcp flags:!0x16/0x02
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in   out source    destination
>     0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0   udp dpt:137
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:137
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:135

DROPs packets to port 135 in the FORWARD table

>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:4444
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spt:4444
>     0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0   udp spt:631
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spt:631
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:901
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spt:901
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spt:6346
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:6346
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spt:6350
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpt:6350
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp spts:1213:1214
>     0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0   udp spts:1213:1214
>     0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0   udp spt:1542
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpts:3470:3476
>     0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0   tcp dpts:1433:1434
>     0     0 ACCEPT all  --  ppp0 *   0.0.0.0/0 0.0.0.0/0
>     0     0 ACCEPT all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 4485 packets, 427K bytes)
>
> This would seem to imply that none of the FORWARD rules had any hits. Neither
> has the INPUT rule to block SYN packets. If I understand this correctly
> though, the first INPUT rule should not allow any incoming packet unless the
> connection was established from inside.
>
> What puzzles me is that things like the SYN packets and NBNS requests cause a
> response from my gateway machine, like an ACK or a DNS lookup on the
> requesting IP. While these packets are apparently not being forwarded to my
> local network, the activity on the PPP connection keeps the connection open
> when I'm not using it and causes me some concern about its vulnerability.

-- 
Kiran <[EMAIL PROTECTED]>
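The default-deny ruleset the reply recommends, written out as an added example (it is not a script from the thread). It assumes ppp0 is the uplink and eth0 the LAN as in the quoted output, uses a constructed LAN range, and defaults to a dry run that prints the commands so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): the default-deny ruleset the reply
# recommends, written so it can be reviewed before it is applied.
# Assumptions: ppp0 is the uplink, eth0 the LAN, and 192.168.1.0/24 is a
# constructed LAN address; adjust to your own network. IPTABLES defaults to
# a dry run that prints the commands; run with IPTABLES=/sbin/iptables as
# root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
WAN=ppp0
LAN=eth0
LAN_NET=192.168.1.0/24

build_rules() {
    # INPUT: traffic to the gateway itself. Policy DROP means anything the
    # rules below do not explicitly accept is discarded (iptables has no
    # DENY target; DROP is the equivalent).
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway or the LAN opened.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A new TCP connection must start with SYN; drop anything else early so it
    # never reaches a service and shows up in this rule's counters instead.
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # DHCP between LAN clients (port 68) and the gateway's server (port 67).
    $IPTABLES -A INPUT -i "$LAN" -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    # Services the LAN may use on the gateway; nothing is opened on ppp0.
    $IPTABLES -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Log what the policy is about to drop from the uplink, rate limited.
    $IPTABLES -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "

    # FORWARD: LAN hosts may open connections outward; from the uplink only
    # replies are let back in, so the long per-port DROP list is no longer needed.
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_rules
```

After applying, `iptables -L -n -v` will show hits accumulating on the LOG rule and the policy counters rather than on the per-port rules, which is the quickest way to confirm the uplink noise is being dropped at the gateway.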
