Hetz Ben Hamo wrote:
Hi,

I'm playing here with iptables, and I have a small problem:

Here's my iptables config:

:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:test-fw-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j test-fw-INPUT
-A FORWARD -j test-fw-INPUT
-A test-fw-INPUT -i lo -j ACCEPT
-A test-fw-INPUT -i eth0 -j ACCEPT
-A test-fw-INPUT -i eth0-range0 -j ACCEPT
-A test-fw-INPUT -p icmp --icmp-type any -j ACCEPT
-A test-fw-INPUT -p 50 -j ACCEPT
-A test-fw-INPUT -p 51 -j ACCEPT
-A test-fw-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A test-fw-INPUT -p tcp -m state -m tcp --dport 5901 --state NEW -j ACCEPT
-A test-fw-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
-A test-fw-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A test-fw-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A test-fw-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

All those rules work. However, when I'm trying to scan this VM machine
with NMAP, I can still see other ports open (such as X, VNC, etc.).

Do I need to specifically add rules to reject them? Or am I doing
something wrong here? The last rule should reject any attempts to
connect from outside.

Any suggestions are welcome..

Thanks,
Hetz

My "reject" rule looks like this (it's a different chain):
:_REJECT - [0:0]
-A _REJECT -p tcp -j REJECT --reject-with tcp-reset
-A _REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A _REJECT -j DROP

Then I can do "-j _REJECT" and it acts as if the port was closed (using whatever the protocol usually uses to notify of a closed port).

As for your ruleset, if something goes through that shouldn't, try adding "iptables -A INPUT -j LOG --log-prefix 'Runaway packet'". Then just run the port scan and do "iptables -L -v", and see which rule catches those packets that reported "open". If it's the runaway packet rule, check the logs to see what the actual packet was, and then try to debug why it was not caught by anything earlier.

Shachar
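An added example, not from either message: a small shell helper for the counter-reading step above. It picks out the rules whose packet counters moved in `iptables -L <chain> -v -n --line-numbers` output, so the first hit is the rule that decided the scanned packets' fate (a chain is walked top down). The counter listing is constructed to resemble the poster's chain, not captured from a real machine, and the iptables commands themselves are only shown in comments since they need root.

```shell
#!/bin/sh
# Added example (not the thread's own code). Diagnostic commands as described
# in the reply, not run here because they need root:
#   iptables -A INPUT -j LOG --log-prefix 'Runaway packet'
#   iptables -L test-fw-INPUT -v -n --line-numbers

# Constructed sample of the counter listing after one port scan; column
# layout follows iptables -L -v -n --line-numbers.
SAMPLE_COUNTERS='Chain test-fw-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1532 98450 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  eth0-range0 *  0.0.0.0/0            0.0.0.0/0
4        4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# hit_rules LISTING: print "num target prot in pkts [match-extras]" for every
# rule whose packet counter is non-zero. Rule lines start with the rule
# number; the "Chain" and "num" header lines do not, so they are skipped.
hit_rules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 > 0 {
        extra = ""
        for (i = 11; i <= NF; i++) extra = extra " " $i
        printf "%s %s %s %s %s%s\n", $1, $4, $5, $7, $2, extra
    }'
}

# first_hit LISTING: the earliest rule that saw traffic is the one that
# accepted or rejected the scanned packets; anything later never saw them.
first_hit() {
    hit_rules "$1" | head -n 1
}

echo "Rules that saw traffic:"
hit_rules "$SAMPLE_COUNTERS"
echo "Rule that decided the scan packets: $(first_hit "$SAMPLE_COUNTERS")"
```

In the constructed sample the first hit is the interface-wide ACCEPT on eth0, which is the kind of result that explains why a later REJECT never sees the scan.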

