Portscan reports port 139 Open and Unsecure, why?

Aldo S. Lagana alagana@discmail.com
Wed, 16 Jan 2002 15:34:23 -0500


Hmm...I noticed that you are using Oskar Andreasson's script (I think),
since I also use it - but when I ran that hackerwatch probe, it said
that port 139 was closed and secure...I haven't gone through your rules,
but I can attest that it only found one open port and that was my web
server on port 80...
 
 
 -----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Christer Arledal
Sent: Friday, January 11, 2002 2:42 PM
To: Bara Zani
Cc: netfilter@lists.samba.org
Subject: Re: Portscan reports port 139 Open and Unsecure, why?


No I haven't samba installed. Even if I had, the firewall (iptables)
should take care of that.

----- Original Message ----- 
From: Bara Zani <mailto:bara_zani@yahoo.com>  
To: Christer Arledal <mailto:christer.arledal@telia.com>  
Sent: Friday, January 11, 2002 8:37 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?

my best bet, you have samba installed

----- Original Message ----- 
From: Christer Arledal <mailto:christer.arledal@telia.com>  
To: Bara Zani <mailto:bara_zani@yahoo.com>  ; netfilter@lists.samba.org 
Sent: Friday, January 11, 2002 2:08 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?

Maybe I was unclear. 
 
My question was why the port is open.  If it's open?
 
Christer
 

----- Original Message ----- 
From: Bara Zani <mailto:bara_zani@yahoo.com>
To: Christer Arledal <mailto:christer.arledal@telia.com>  
Sent: Friday, January 11, 2002 6:06 PM
Subject: Re: Portscan reports port 139 Open and Unsecure, why?

http://www.users.globalnet.co.uk/~testest/faq/9.html

----- Original Message ----- 
From: Christer Arledal <mailto:christer.arledal@telia.com>  
To: netfilter@lists.samba.org 
Sent: Friday, January 11, 2002 10:53 AM
Subject: Portscan reports port 139 Open and Unsecure, why?

Hi,
 
I did a portscan on my system from
http://probe.hackerwatch.org/probe/probe.asp and it reported that port
139 (NetBIOS) is Open and Unsecure. Is that really true? If so, why?
 
The firewall is based on Redhat 7.2 with iptables. Behind it I have a
couple of Windows machines.
 
Thanks in advance!
 
Christer Arledal
 
Here is my iptables script and the output from iptables -L -n
 
*****  rc.firewall (called from the end of rc.local)
 
#!/bin/sh
 
IPTABLES=/sbin/iptables
 
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
 


# Flush the tables
$IPTABLES -F
$IPTABLES -X
 
#Default policy drop
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
 

#
# POSTROUTING chain
#
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
 

#
# BAD TCP packets
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "FORWARD New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
 
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
 

# Drop invalid packets 2002-01-11 at 14.55
$IPTABLES -A INPUT -s 0/0 -d 0/0 -m state --state INVALID -j DROP
 
#
# Create separate chains for ICMP, TCP and UDP
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
 
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
 
#
#ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
 
#
#TCP rules
#
#dns?
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
#softronic ssh
$IPTABLES -A tcp_packets -p TCP -s 194.71.244.98 --dport 22 -j allowed
#Removed 2002-01-11 at 14.55
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
 
#
#UDP ports
#
#DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#NTP network time protocol
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#Telia DHCP ?
$IPTABLES -A udpincoming_packets -p UDP -s 10.0.0.6 --source-port 67 -j ACCEPT
 

#
# PREROUTING chain
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
 
#
#INPUT chain
#
 
#Bad TCP packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "INPUT New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 

#
#Rules for incoming packets from the Internet
#
$IPTABLES -A INPUT -p ICMP -i eth0 -j icmp_packets
$IPTABLES -A INPUT -p TCP -i eth0 -j tcp_packets
$IPTABLES -A INPUT -p UDP -i eth0 -j udpincoming_packets
 

#
# Accept packets from locals and established
#
$IPTABLES -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT_INPUT packet died"
 

#
#OUTPUT chain
# not removed 2001-01-11 14.55 
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "OUTPUT New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
 
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o eth1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died"
 
echo "Brandvaggen uppe"

******************************************************
 
Here is output from iptables -L -n:
 
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0          state INVALID
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `INPUT New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
udpincoming_packets  udp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT_INPUT packet died'
 
Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `FORWARD New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died:'
 
Chain OUTPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `OUTPUT New not syn:'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died'
 
Chain allowed (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0
 
Chain icmp_packets (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
 
Chain tcp_packets (1 references)
target     prot opt source               destination
allowed    tcp  --  194.71.244.98        0.0.0.0/0          tcp dpt:22
 
Chain udpincoming_packets (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:123
ACCEPT     udp  --  10.0.0.6             0.0.0.0/0          udp spt:67
[root@h109n2fls32o953 rc.d]#
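
An added example, not part of the original thread or of the poster's script: a Python model of the filter-table INPUT chain as written in the rc.firewall above, which traces a packet rule by rule to the verdict the rules give it. The `Packet` class, the helper names and the sample addresses 203.0.113.10 and 192.168.1.5 are constructed for illustration; the non-terminating LOG rules are left out and the FORWARD, OUTPUT and nat chains are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed stand-in for a packet as the INPUT chain sees it."""
    proto: str            # "tcp", "udp" or "icmp"
    in_if: str            # interface the packet arrived on
    src: str              # source address
    dport: int = 0
    sport: int = 0
    syn: bool = False     # SYN set, RST and ACK clear (what --syn / 0x16/0x02 tests)
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    icmp_type: int = -1


def rule(target, **match):
    return (match, target)


# Rules in the order the script appends them. The interface matches come from
# the script: "iptables -L -n" without -v does not print -i/-o, which is why
# several rules in the listing look broader than they are.
CHAINS = {
    "INPUT": [
        rule("DROP", state={"INVALID"}),
        rule("DROP", proto="tcp", syn=False, state={"NEW"}),
        rule("icmp_packets", proto="icmp", in_if="eth0"),
        rule("tcp_packets", proto="tcp", in_if="eth0"),
        rule("udpincoming_packets", proto="udp", in_if="eth0"),
        rule("ACCEPT", in_if="lo", src="127.0.0.1/32"),
        rule("ACCEPT", in_if="eth1", src="192.168.1.0/24"),
        rule("ACCEPT", in_if="eth0", state={"ESTABLISHED", "RELATED"}),
    ],
    "tcp_packets": [
        rule("allowed", proto="tcp", src="194.71.244.98/32", dport=22),
    ],
    "allowed": [
        rule("ACCEPT", proto="tcp", syn=True),
        rule("ACCEPT", proto="tcp", state={"ESTABLISHED", "RELATED"}),
        rule("DROP", proto="tcp"),
    ],
    "icmp_packets": [
        rule("ACCEPT", proto="icmp", icmp_type=8),
        rule("ACCEPT", proto="icmp", icmp_type=11),
    ],
    "udpincoming_packets": [
        rule("ACCEPT", proto="udp", sport=53),
        rule("ACCEPT", proto="udp", sport=123),
        rule("ACCEPT", proto="udp", src="10.0.0.6/32", sport=67),
    ],
}
POLICY = {"INPUT": "DROP"}


def matches(match, pkt):
    """True when every criterion of the rule holds for the packet."""
    for key, want in match.items():
        have = getattr(pkt, key)
        if key == "src":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def traverse(chain, pkt, trace):
    """Walk one chain; None means 'fell off the end, return to the caller'."""
    for match, target in CHAINS[chain]:
        if not matches(match, pkt):
            continue
        trace.append(f"{chain}: {target}")
        if target in ("ACCEPT", "DROP"):
            return target
        result = traverse(target, pkt, trace)   # jump into a user-defined chain
        if result is not None:
            return result
    return None


def verdict(pkt):
    """Return (verdict, trace) for a packet entering the INPUT chain."""
    trace = []
    result = traverse("INPUT", pkt, trace)
    if result is None:
        result = POLICY["INPUT"]
        trace.append(f"INPUT: policy {result}")
    return result, trace


if __name__ == "__main__":
    samples = {
        "SYN to 139 from the Internet (eth0)":
            Packet(proto="tcp", in_if="eth0", src="203.0.113.10", dport=139, syn=True),
        "SYN to 139 from the LAN (eth1)":
            Packet(proto="tcp", in_if="eth1", src="192.168.1.5", dport=139, syn=True),
        "SYN to 22 from 194.71.244.98 (eth0)":
            Packet(proto="tcp", in_if="eth0", src="194.71.244.98", dport=22, syn=True),
    }
    for label, pkt in samples.items():
        print(label, "->", *verdict(pkt))
```

On the live firewall, `iptables -L -n -v` shows the in/out interface columns and per-rule packet counters, so the same trace can be checked against real traffic.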


