I (but that's only me) always get nervous when there are lines like "input accept". So yes, drop everything that's not necessary.

Best regards,
S

-----Original Message-----
From: Sasa Stupar
To: Netfilter-List
Sent: 2004-02-26 14:48
Subject: Re: SV: Ports opened without request

So I should change the default policy to DROP on the FORWARD chain for filter only, or also for mangle?

Ray Leach writes:

>Your default policy on the FORWARD chain is accept.
>
>On Thu, 2004-02-26 at 14:24, Sasa Stupar wrote:
>
>>I have scanned from another machine. Yes, I allow ICMP packets. I have
>>dropped them and rescanned the machine but still the same issue.
>>My current ruleset is:
>>---------------------
>># Generated by webmin
>>*filter
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [0:0]
>>:INPUT DROP [0:0]
>># Loopback
>>-A OUTPUT -o lo -j ACCEPT
>># Allow self access by loopback interface
>>-A INPUT -i lo -j ACCEPT
>># Accept established connections
>>-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
>>-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
>># FTP
>>-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>># Telnet
>>-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
>># SMTP
>>-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>># NTP
>>-A INPUT -p tcp -m tcp --dport 37 -j ACCEPT
>># DNS
>>-A INPUT -p udp -m udp -s 192.168.10.111 -d 0/0 --sport 53 -j ACCEPT
>># HTTP
>>-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --syn
>># POP3
>>-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
>># Samba
>>-A INPUT -p udp -m udp --dport 137 -j ACCEPT
>># Samba
>>-A INPUT -p udp -m udp --dport 138 -j ACCEPT
>># Samba
>>-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT --syn
>># HTTPS
>>-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>># SMTP-SSL
>>-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
>># POP3-SSL
>>-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
>># Squid Proxy
>>-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
>># Xmail CtrlClnt
>>-A INPUT -p tcp -m tcp --dport 6017 -j ACCEPT
>># XQM agent
>>-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
>># Webmin
>>-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
>># Drop all other connection attempts
>>-A INPUT -j DROP
>>COMMIT
>># Generated by webmin
>>*mangle
>>:POSTROUTING ACCEPT [0:0]
>>:OUTPUT ACCEPT [0:0]
>>:PREROUTING ACCEPT [0:0]
>>:FORWARD ACCEPT [0:0]
>>:INPUT ACCEPT [0:0]
>>COMMIT
>># Completed
>># Generated by webmin
>>*nat
>>:OUTPUT ACCEPT [0:0]
>>:POSTROUTING ACCEPT [0:0]
>>:PREROUTING ACCEPT [0:0]
>>COMMIT
>># Completed
>>------------------------
>>
>>As you can see I have made these rules with webmin.
>>Any hints what is wrong here? BTW I am very very new at firewalls.
>>
>>Sasa
>>
>>
>>Sven-Ake Larsson writes:
>>
>>
>>>How did you make the scan, from the machine itself or from another machine on
>>>the outside? Some rulesets don't really work when you are at the same
>>>machine.
>>>Do you allow any ICMP packets? If so, try to drop them too and scan the
>>>machine again.
>>>What is your current ruleset? It helps a lot if you can add it to the list.
>>>
>>>I believe you'll have the masters' answers soon... ;-)
>>>
>>>Regards,
>>>S
>>>
>>>-----Original Message-----
>>>From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
>>>[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sasa Stupar
>>>Sent: 25 February 2004 18:01
>>>To: netfilter@xxxxxxxxxxxxxxxxxxx
>>>Subject: Ports opened without request
>>>
>>>
>>>Hi!
>>>
>>>I have Linux RH8 with kernel 2.4.20-28.8, iptables v1.2.8. I have set up
>>>a firewall with some tcp ports opened (21,25,80,110,443) for servers.
>>>Then I have run a port scan and scanned all 65535 tcp and udp ports. I
>>>was surprised that 3 ports were open even if I didn't open them in
>>>the configuration. These ports are tcp 389, 1002 and 1720.
>>>I have tried to block them manually by entering a drop command for these
>>>three ports but no success; they are still open.
>>>What am I missing here? Is this some problem with iptables?
>>>
>>>Sasa
>>>
>>
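The two points raised in the thread, an ACCEPT default policy on a chain and a rule set that should accept only what is necessary, can be checked mechanically from an iptables-save dump like the one Sasa posted. The following is an added example (not code from the thread or from netfilter/webmin): a small parser for that format that reports chains with an ACCEPT policy and lists the destination ports a chain explicitly accepts, so one can see whether a port a scanner reports as open (389, 1002 or 1720 here) is accepted by any INPUT rule at all. SAMPLE_RULESET is a constructed excerpt of the posted dump.

```python
"""Audit an iptables-save dump: flag ACCEPT default policies and list the
destination ports a chain accepts.  Added example, not code from the thread."""
# Constructed excerpt of the ruleset posted in the thread (the full dump has more ports).
SAMPLE_RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --syn
-A INPUT -j DROP
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
COMMIT
"""

def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [tokens, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A"):               # appended rule, kept as tokens
            table["rules"].append(line.split())
    return tables

def permissive_policies(tables, table="filter"):
    """Chains in `table` whose default policy is ACCEPT (what S and Ray warn about)."""
    policies = tables.get(table, {}).get("policies", {})
    return sorted(chain for chain, pol in policies.items() if pol == "ACCEPT")

def accepted_ports(tables, chain="INPUT", table="filter"):
    """Set of (proto, port) pairs that ACCEPT rules in `chain` match by --dport."""
    ports = set()
    for tok in tables.get(table, {}).get("rules", []):
        if tok[1] != chain or "-j" not in tok or tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        if "-p" in tok and "--dport" in tok:
            ports.add((tok[tok.index("-p") + 1], int(tok[tok.index("--dport") + 1])))
    return ports
```

Run it on the full dump from the thread (`iptables-save` output) to get the same two reports for every table; a port that shows up in a scan but not in `accepted_ports` is not being opened by these rules.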