Portscan reports port 139 Open and Unsecure, why?
Christer Arledal
christer.arledal@telia.com
Fri, 11 Jan 2002 20:42:14 +0100
No, I don't have Samba installed. Even if I had, the firewall (iptables) should take care of that.
----- Original Message -----
From: Bara Zani
To: Christer Arledal
Sent: Friday, January 11, 2002 8:37 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?
My best bet: you have Samba installed.
----- Original Message -----
From: Christer Arledal
To: Bara Zani ; netfilter@lists.samba.org
Sent: Friday, January 11, 2002 2:08 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?
Maybe I was unclear.
My question was why the port is open, if it is open.
Christer
----- Original Message -----
From: Bara Zani
To: Christer Arledal
Sent: Friday, January 11, 2002 6:06 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?
http://www.users.globalnet.co.uk/~testest/faq/9.html
----- Original Message -----
From: Christer Arledal
To: netfilter@lists.samba.org
Sent: Friday, January 11, 2002 10:53 AM
Subject: Portscan reports port 139 Open and Unsecure, why?
Hi,
I did a portscan on my system from http://probe.hackerwatch.org/probe/probe.asp and it reported that port 139 (NetBIOS) is Open and Unsecure. Is that really true? If so, why?
The firewall is based on Red Hat 7.2 with iptables. Behind it I have a couple of Windows machines.
Thanks in advance!
Christer Arledal
Here is my iptables script and the output from iptables -L -n
***** rc.firewall (called from the end of rc.local)
#!/bin/sh
IPTABLES=/sbin/iptables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
# Flush the tables
$IPTABLES -F
$IPTABLES -X
# Default policy drop
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# POSTROUTING chain
#
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
#
# BAD TCP packets
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "FORWARD New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
# Drop invalid packets 2002-01-11 at 14.55
$IPTABLES -A INPUT -s 0/0 -d 0/0 -m state --state INVALID -j DROP
#
# Create separate chains for ICMP, TCP and UDP
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
# dns?
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
# softronic ssh
$IPTABLES -A tcp_packets -p TCP -s 194.71.244.98 --dport 22 -j allowed
# Removed 2002-01-11 at 14.55
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
# DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
# NTP network time protocol
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
# Telia DHCP ?
$IPTABLES -A udpincoming_packets -p UDP -s 10.0.0.6 --source-port 67 -j ACCEPT
#
# PREROUTING chain
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# Bad TCP packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "INPUT New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Rules for incoming packets from the Internet
#
$IPTABLES -A INPUT -p ICMP -i eth0 -j icmp_packets
$IPTABLES -A INPUT -p TCP -i eth0 -j tcp_packets
$IPTABLES -A INPUT -p UDP -i eth0 -j udpincoming_packets
#
# Accept packets from locals and established
#
$IPTABLES -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT_INPUT packet died"
#
# OUTPUT chain
# not removed 2001-01-11 14.55
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "OUTPUT New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o eth1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died"
echo "Brandvaggen uppe"   # Swedish: "Firewall up"
******************************************************
Here is output from iptables -L -n:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `INPUT New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
udpincoming_packets  udp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT_INPUT packet died'

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `FORWARD New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died:'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `OUTPUT New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died'

Chain allowed (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0

Chain icmp_packets (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11

Chain tcp_packets (1 references)
target     prot opt source               destination
allowed    tcp  --  194.71.244.98        0.0.0.0/0           tcp dpt:22

Chain udpincoming_packets (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:123
ACCEPT     udp  --  10.0.0.6             0.0.0.0/0           udp spt:67
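One way to check what the posted rule set does with the scanned port, as an added example that is not code from the thread: a small Python tracer that parses `iptables -L -n` output and walks a packet through the INPUT chain, its user chains and the chain policy. The listing embedded in it is a trimmed copy of the one above, the probing address 203.0.113.9 and the LAN host 192.168.1.5 are constructed, and because `-L -n` omits interfaces (`-L -n -v` shows them) the 192.168.1.0/24 accept is matched on source address alone.

```python
import ipaddress
import re

SYN, ACK = 0x02, 0x10
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Constructed sample: the TCP-relevant rules of the listing quoted in the thread, with the
# header lines, the INVALID/loopback rules and the rate-limited LOG lines left out.
LISTING = """\
Chain INPUT (policy DROP)
LOG        tcp  --  0.0.0.0/0       0.0.0.0/0   tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `INPUT New not syn:'
DROP       tcp  --  0.0.0.0/0       0.0.0.0/0   tcp flags:!0x16/0x02 state NEW
tcp_packets  tcp  --  0.0.0.0/0     0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24  0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
Chain allowed (1 references)
ACCEPT     tcp  --  0.0.0.0/0       0.0.0.0/0   tcp flags:0x16/0x02
DROP       tcp  --  0.0.0.0/0       0.0.0.0/0
Chain tcp_packets (1 references)
allowed    tcp  --  194.71.244.98   0.0.0.0/0   tcp dpt:22
"""

def parse(listing):
    """Return ({chain: [rule, ...]}, {chain: policy or None}) from `iptables -L -n` text."""
    chains, policies, cur = {}, {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur = m.group(1)
            chains[cur], policies[cur] = [], m.group(2)
        elif cur and line.strip() and not line.startswith("target"):
            t = line.split()  # target prot opt source destination [match options ...]
            chains[cur].append({"target": t[0], "prot": t[1],
                                "src": ipaddress.ip_network(t[3]), "extra": t[5:]})
    return chains, policies

def matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]) or pkt["src"] not in rule["src"]:
        return False
    for i, tok in enumerate(rule["extra"]):  # -L -n hides -i/-o, so interfaces cannot be checked
        if tok == "state" and pkt["state"] not in rule["extra"][i + 1].split(","):
            return False
        if tok[:4] in ("dpt:", "spt:") and pkt[tok[0] + "port"] != int(tok[4:]):
            return False
        if tok.startswith("flags:"):  # flags:[!]MASK/CMP; !0x16/0x02 means "not a bare SYN"
            mask, want = (int(x, 16) for x in tok[6:].lstrip("!").split("/"))
            if ((pkt["flags"] & mask) == want) == (tok[6] == "!"):
                return False
    return True

def verdict(chains, policies, chain, pkt, trail):
    for rule in (r for r in chains[chain] if matches(r, pkt)):
        tgt = rule["target"]
        trail.append(f"{chain}:{tgt}")
        if tgt in TERMINAL:
            return tgt
        if tgt in chains and (v := verdict(chains, policies, tgt, pkt, trail)) in TERMINAL:
            return v
        # LOG, or a user chain that fell off its end, falls through to the next rule
    return policies.get(chain)  # built-in chains end in their policy, user chains in None

def probe(src, dport, flags=SYN, state="NEW"):  # -> (verdict, trail of rules hit)
    pkt = {"proto": "tcp", "src": ipaddress.ip_address(src), "sport": 40000,
           "dport": dport, "flags": flags, "state": state}
    trail = []
    return verdict(*parse(LISTING), "INPUT", pkt, trail), trail
```

A SYN to tcp/139 from the constructed outside address passes through tcp_packets without a match and ends in the INPUT policy DROP; an ACK-only probe is caught by the `! --syn` LOG and DROP pair instead.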