Thank you for your reply. It turns out the problem I was having was with the virtual interface; with that out of the way, I realised I
forgot a couple of things (FTP for everyone and LDAP for local folks). Anyway, I followed your advice and changed the FORWARD policy to DROP as well as allowing related traffic. Now a port scan from the outside world looks a lot nicer:
Thank you again,
Bernardo
21 ftp File Transfer [Control]
22 ssh Secure Shell Login
25 smtp Simple Mail Transfer
80 http World Wide Web HTTP
10000 snet-sensor-mgmt SecureNet Pro Sensor https management server
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
Gary W. Smith wrote:
Bernardo,
Where are you performing the scan from? You need to do it externally if you want to see how it's operating. Also, if you're not port forwarding then you can just do default DROP but allow related back in, which would drop you down to about 6 rules on this list.
Also, it's more readable if you do an iptables-save and send that output (IMHO).
Gary
Can anyone shed some light on this?
Thanx.
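Added example (not code from either poster): a small Python checker for the iptables-save format quoted in this thread, run on a trimmed, constructed copy of the posted filter table. It reports each chain's policy, the ports the INPUT chain accepts from any source (which should line up with what an external scan shows), and which protocols the ESTABLISHED/RELATED rules actually cover.

```python
import shlex

# Constructed sample: a trimmed copy of the *filter table posted in this thread.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A SMB -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [tokenised -A rules]) for the *filter table only."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # e.g. ":INPUT DROP [22:2426]"
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line)[1:])   # drop the leading "-A"
    return policies, rules

def opt(tokens, name):
    """Value that follows option `name` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def exposed_ports(text, chain="INPUT"):
    """(proto, dport) pairs the chain ACCEPTs from any source: no -s, -i or --sport match."""
    _, rules = parse_filter(text)
    return [(opt(r, "-p"), opt(r, "--dport")) for r in rules
            if r[0] == chain and opt(r, "-j") == "ACCEPT"
            and opt(r, "--dport") and not ({"-s", "-i", "--sport"} & set(r))]

def conntrack_protocols(text, chain="INPUT"):
    """Map of protocol ('tcp', 'udp', ... or 'any') to the --state values the chain accepts."""
    _, rules = parse_filter(text)
    covered = {}
    for r in rules:
        states = opt(r, "--state")
        if r[0] == chain and opt(r, "-j") == "ACCEPT" and states:
            covered.setdefault(opt(r, "-p") or "any", set()).update(states.split(","))
    return covered
```

On this sample the state rules cover only tcp, which is why the separate "--sport 53" rule is still needed for DNS replies; a single ESTABLISHED,RELATED rule without "-p tcp" covers both and is what lets the list shrink the way Gary describes.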