On Thu, Mar 21, 2002 at 10:46:57AM -0500, Val Schmidt wrote:
> iptables -A INPUT -i $PUBLIC_IFACE -j public-if
The target name here doesn't match the chain name below:
> The following is a list of rules for the "public-if" chain:
>
> # Both Directions
> iptables -A land-if -p icmp -j ACCEPT
> # Incoming
> iptables -A land-if -p tcp --dport ssh -j ACCEPT
> # Outgoing
> iptables -A land-if -p tcp --sport ssh -j ACCEPT
> iptables -A land-if -p tcp --sport smtp -j ACCEPT
> iptables -A land-if -p udp --sport domain -j ACCEPT
> iptables -A land-if -p tcp --sport http -j ACCEPT
> iptables -A land-if -p tcp --sport https -j ACCEPT
> # Default (This must be the last rule in the chain.)
> iptables -A land-if -j DROP
Filtering based on source port is a generally poor choice. You'd do
better to just use connection-tracking, and use a 'state' match to match
any ESTABLISHED or RELATED packets. All someone would need to do is use
one of those ports as a source port, and they could then access any port
they care to. And of course, you don't have to be admin on a Windows box
to do that...
> HOWEVER, if I do a port scan from the public side I get the following:
Do 'iptables -L [chain] -nv', and look at the packet counters, to see
what's matching. Also, keep in mind that a blind DROP of packets like
that will cause many port scanners to see the ports as open (or
filtered) - since the port scanner sees no response one way or the
other, the assumption is of a delayed reply.
> Here's the crazy thing, while I can telnet to both port 389 and port
> 1002 and make a connection (although no login prompt of course) the
> results of netstat show no services listening on those ports. I'm not
> running an ldap server and I've no idea what is keeping port 1002 open.
> Anyone have any ideas or suggestions on things to check?
My guess is, as I said, that the port scanner is just guessing. Since
it's showing everything else as being filtered, you probably just need
to use the 'REJECT' target. The best way would be like this:
iptables -A land-if -p tcp -j REJECT --reject-with tcp-reset
iptables -A land-if -p udp -j REJECT --reject-with port-unreach
iptables -A land-if -j REJECT --reject-with proto-unreach
That'll make sure to send a reply saying "no, I'm not accepting packets
on this port/protocol, please FOAD". I personally use the 'limit' match
to rate-limit the replies for stuff like this, to make life more
difficult for would-be port scanners (doesn't make it impossible, just
harder - if they try to scan too fast, they'll get different results
each time, and they'd have to scan really slow to get the actual
arrangement).
--
Derrik Pates | Sysadmin, Douglas School | #linuxOS on EFnet
[EMAIL PROTECTED] | District (dsdk12.net) | #linuxOS on OPN
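As an added example (not code from Derrik's reply or Val's original message), here is the "land-if" chain rebuilt from the two pieces of advice above: a connection-tracking 'state' match in place of the --sport rules, and rate-limited REJECT targets in place of the silent DROP. It assumes the chain name "land-if" and the $PUBLIC_IFACE variable from the quoted message; the interface default and the limit values are placeholders chosen here. The script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Corrected "land-if" chain (added example, not from the original thread).
# Assumptions: chain name "land-if" and $PUBLIC_IFACE come from the quoted
# message; "eth0" and the 10/sec, burst 20 limits are illustrative values.
# Prints the rules by default; set APPLY=1 and run as root to load them.

PUBLIC_IFACE="${PUBLIC_IFACE:-eth0}"   # assumed default; override via environment
CHAIN="land-if"
LIMIT="-m limit --limit 10/sec --limit-burst 20"   # illustrative rate limit

# Print one iptables command, or execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Emit the whole corrected ruleset for the chain.
gen_rules() {
    rule -N "$CHAIN"                       # fails harmlessly if it already exists
    rule -F "$CHAIN"                       # start from an empty chain
    rule -A INPUT -i "$PUBLIC_IFACE" -j "$CHAIN"

    # Replies to connections this host opened: let conntrack decide instead
    # of trusting a remote source port, which any client can pick freely.
    rule -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services actually offered on the public interface.
    rule -A "$CHAIN" -p icmp -j ACCEPT
    rule -A "$CHAIN" -p tcp --dport ssh -m state --state NEW -j ACCEPT

    # Explicit rejections so a scanner sees "closed" rather than "filtered",
    # rate-limited per protocol; anything over the limit is dropped so the
    # host does not answer a flood of probes.
    rule -A "$CHAIN" -p tcp $LIMIT -j REJECT --reject-with tcp-reset
    rule -A "$CHAIN" -p tcp -j DROP
    rule -A "$CHAIN" -p udp $LIMIT -j REJECT --reject-with port-unreach
    rule -A "$CHAIN" -p udp -j DROP
    rule -A "$CHAIN" $LIMIT -j REJECT --reject-with proto-unreach
    rule -A "$CHAIN" -j DROP               # must stay the last rule in the chain
}

gen_rules
```

Check what is actually matching afterwards with 'iptables -L land-if -nv', as the reply suggests; the per-rule packet counters show whether the state rule or the REJECTs are doing the work.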