no ftp access on port 20 ? make sure you aren't allowing port fwding via ssh. It's not a best practice to do so unless you like your life complicated.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx]On Behalf Of Bernardo Vieira
Sent: Thursday, December 09, 2004 9:30 AM
To: Netfilter
Subject: Re: Newbie iptables question

Gary,

Thank you for your reply. Turns out the problem I was having was with the virtual interface. With that out of the way I realised I forgot a couple of things (FTP for everyone and LDAP for local folks). Anyway, I followed your advice and changed the FORWARD policy to DROP as well as allowing related traffic. Now a port scan from the outside world looks a lot nicer:

Thank you again,
Bernardo

21     ftp               File Transfer [Control]
22     ssh               Secure Shell Login
25     smtp              Simple Mail Transfer
80     http              World Wide Web HTTP
10000  snet-sensor-mgmt  SecureNet Pro Sensor https management server

# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
# Openwebmail uses lo to send emails
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
# DNS, traceroute
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
# ping, echo, etc...
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba on local network only
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
-A OUTPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j SMB
# SMB Chain
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp -m multiport --dports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p udp -m udp -m multiport --sports loc-srv,profile,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
-A SMB -s ! 192.168.1.3 -d ! 192.168.1.3 -p tcp -m tcp --dport 489 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*mangle
:PREROUTING ACCEPT [9015:2497990]
:INPUT ACCEPT [9015:2497990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11144:9023879]
:POSTROUTING ACCEPT [11187:9029227]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004
# Generated by iptables-save v1.2.7a on Thu Dec 9 15:09:33 2004
*nat
:PREROUTING ACCEPT [354:37372]
:POSTROUTING ACCEPT [55:3972]
:OUTPUT ACCEPT [55:3972]
COMMIT
# Completed on Thu Dec 9 15:09:33 2004

Gary W. Smith wrote:
>Bernardo,
>
>Where are you performing the scan from? You need to do it externally if
>you want to see how it's operating. Also, if you're not port forwarding
>then you can just do default DROP but allow related back in, which would
>drop you down to about 6 rules on this list.
>
>Also, it's more readable if you do an iptables-save and send that output
>(IMHO).
>
>Gary
>
>>Can anyone shed some light on this?
>>
>>Thanx.

---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0450-1, 09/12/2004
Tested on: 9/12/2004 15:29:43
avast! - copyright (c) 2000-2004 ALWIL Software.
http://www.avast.com
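To check a ruleset like the one Bernardo posted against Gary's advice (default DROP on INPUT and FORWARD, RELATED/ESTABLISHED allowed back in), here is an added audit script that is not part of the thread; it parses iptables-save text and assumes only the filter-table syntax shown above. Its sample input is a constructed excerpt of the posted rules, and it also flags that the posted state rules are tied to -p tcp, which is why the separate UDP and ICMP rules are needed.

```python
# Constructed sample: the filter table from the iptables-save output posted
# in the thread, trimmed to the rules the audit looks at.
SAMPLE = """\
*filter
:INPUT DROP [22:2426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [699:339758]
:SMB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [(chain, tokens)]) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        if line.startswith("*"):                       # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):       # chain header with policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):     # append-rule line
            tokens = line.split()
            rules.append((tokens[1], tokens[2:]))
    return policies, rules

def audit(text):
    """Report chains that are not default-DROP, and INPUT state rules that
    are tied to one protocol (so UDP/ICMP replies need their own rules)."""
    policies, rules = parse_filter(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
    for chain, tokens in rules:
        if chain != "INPUT" or "--state" not in tokens or "-p" not in tokens:
            continue
        states = tokens[tokens.index("--state") + 1]
        proto = tokens[tokens.index("-p") + 1]
        if set(states.split(",")) & {"ESTABLISHED", "RELATED"}:
            findings.append(f"INPUT {states} rule is limited to -p {proto}; "
                            "UDP and ICMP replies need their own rules")
    return findings
```

Running audit() on the full posted output reports no policy problems (both INPUT and FORWARD are DROP) and the two protocol-limited state rules; a single protocol-independent `-m state --state RELATED,ESTABLISHED` rule on INPUT would clear those two findings.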