Re: [question]iptables

Posted: 2005/06/03 14:14:21
by greatguangong
Well, this laptop is running CentOS 4. Hence I've set the kernel setting "local port range" to only 65035:65535, besides the ssh and https standard ports.

Dropping everything within the INPUT chain from 1:21,23:442,444:65034 gave me the "filtered" effect via nmap.

But I suppose the best practice is to specifically allow whatever and block all the rest? Is specifically dropping TCP and UDP on these ports still considered best practice?

Re: [question]iptables

Posted: 2005/06/09 16:56:48
by greatguangong
These are the rules used to produce the firewalled/filtered effect. I think I have adhered faithfully to the rule "allow explicitly, drop everything else..."

# Log, then drop, packets conntrack cannot classify. ("-i all" in the posted rules matches only an
# interface literally named "all"; omitting -i matches every interface, which is what was intended.)
-A GUANGONG-IN -m state --state INVALID -m limit --limit 1/sec --limit-burst 3 -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-INVALID " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -m state --state INVALID -j DROP

# Log, then drop, TCP packets that open a "new connection" without SYN (ACK/FIN/NULL/XMAS-type scans).
# The limit belongs on the LOG rule only: a limit on a DROP rule lets the excess fall through to the rules below.
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-TCP-F-IN-DROP-NEW!SYN " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -j DROP

# Services offered only on the VMware guest interfaces (vmnet0, vmnet1, ...).
-A GUANGONG-IN -i vmnet+ -p tcp -m multiport --dports http,tftp,bootps,domain -j ACCEPT
-A GUANGONG-IN -i vmnet+ -p udp -m multiport --dports tftp,bootps,domain -j ACCEPT

# The only services reachable from any interface; new connections are rate-limited to 1/sec.
-A GUANGONG-IN -p tcp --syn -m state --state NEW -m limit --limit 1/sec -m multiport --dports ssh,https -j ACCEPT

# Replies to outbound connections, which land in the local port range set via net.ipv4.ip_local_port_range.
# Note: as posted, nothing accepts the ESTABLISHED packets of an inbound ssh/https session (dport 22/443),
# so only the SYN of such a session gets through unless a rule not shown here handles it.
-A GUANGONG-IN -p tcp -m state --state ESTABLISHED,RELATED --dport 65035:65535 -j ACCEPT
-A GUANGONG-IN -p udp -m state --state ESTABLISHED,RELATED --dport 65035:65535 -j ACCEPT

# Everything else is logged here; the DROP that follows (or the chain policy) is not shown in the post.
-A GUANGONG-IN -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-FINALLY " --log-tcp-sequence --log-tcp-options --log-ip-options


Scanning from

Starting nmap 3.81 ( ) at 2005-06-10 00:43 UTC
Initiating SYN Stealth Scan against [1663 ports] at 00:43
Discovered open port 53/tcp on
Discovered open port 80/tcp on
The SYN Stealth Scan took 21.39s to scan 1663 total ports.
For OSScan assuming port 53 is open, 67 is closed, and neither are firewalled
Host appears to be up ... good.
Interesting ports on
(The 1659 ports scanned but not shown below are in state: filtered)
53/tcp open domain
67/tcp closed dhcpserver
69/tcp closed tftp
80/tcp open http
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
Too many fingerprints match this host to give specific OS details

I'll verify with online nmap scans, which must not see domain, dhcpserver, tftp.

Re: [question]iptables

Posted: 2005/06/10 01:39:42
by greatguangong
Can't find help on blackcode's online scanner, so I don't know if they mean CLOSED is FILTERED or CLOSED as in plain CLOSED, where the OS will send back an RST packet to the originator.

FW-ALL-F-IN-DROP-FINALLY did show packets for unopened DPORTs being dropped on the floor?

Other online scanners can never finish their scans. Timed out?

Need to retry...
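The two checks the poster is doing by eye above, comparing the vmnet-side scan against the rules and wondering whether an external scanner's CLOSED means an RST got out, can be scripted. The following is an added example, not code from the thread: it parses nmap "normal" output, then reports every port that reached the host although the ruleset should have dropped it from that vantage point. A "closed" result is such a reach: the kernel answered with RST, so the probe was not filtered. The sample scan is constructed to mirror the posted nmap 3.81 output (with a documentation address standing in for the elided host), and the two allowlists are derived from the posted ACCEPT rules: the vmnet+ rule for the inside view, the ssh,https rule for the outside view. Only TCP is considered, since a SYN scan never exercises the UDP rules.

```python
"""Check nmap "normal" output against the ports a firewall is meant to pass.

Added example, not from the thread. Sample scan and allowlists are constructed
from the rules and the nmap run posted above.
"""
import re

# Constructed sample modelled on the nmap 3.81 output in the thread; the
# address is from the RFC 5737 documentation range, not the poster's host.
SAMPLE_SCAN = """\
Interesting ports on 192.0.2.10:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
53/tcp open   domain
67/tcp closed dhcpserver
69/tcp closed tftp
80/tcp open   http
"""

# What the posted ACCEPT rules pass for a TCP SYN scan from each vantage point.
# Port numbers follow /etc/services (domain=53, bootps=67, tftp=69, http=80).
VMNET_PERMITTED = {(53, "tcp"), (67, "tcp"), (69, "tcp"), (80, "tcp")}   # the -i vmnet+ rule
EXTERNAL_PERMITTED = {(22, "tcp"), (443, "tcp")}                         # the ssh,https rule

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: ([\w|]+)\)")


def parse_nmap(text):
    """Return (ports, not_shown).

    ports maps (port, proto) -> (state, service) for every port nmap listed;
    not_shown is (count, state) from the summary line, or None if absent.
    """
    ports = {}
    not_shown = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = NOT_SHOWN.search(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return ports, not_shown


def audit(ports, permitted):
    """Compare listed ports with the set the firewall should pass from this vantage point.

    Returns (leaks, no_listener):
      leaks       - ports that answered (open or closed) but are not in `permitted`:
                    the ruleset let the probe through when it should have dropped it;
      no_listener - permitted ports that answered "closed": the firewall passes them
                    but nothing is bound, so the host reveals itself with an RST.
    Filtered entries are skipped; a drop is exactly what we want for them.
    """
    leaks, no_listener = [], []
    for key, (state, service) in sorted(ports.items()):
        if state == "filtered":
            continue
        if key not in permitted:
            leaks.append((key, state, service))
        elif state == "closed":
            no_listener.append((key, service))
    return leaks, no_listener


def summarize(text, permitted):
    """Parse and audit in one call."""
    ports, not_shown = parse_nmap(text)
    leaks, no_listener = audit(ports, permitted)
    return {"listed": len(ports), "not_shown": not_shown,
            "leaks": leaks, "no_listener": no_listener}


if __name__ == "__main__":
    for label, permitted in (("vmnet side", VMNET_PERMITTED), ("external side", EXTERNAL_PERMITTED)):
        result = summarize(SAMPLE_SCAN, permitted)
        print(f"[{label}] {result['listed']} ports listed, not shown: {result['not_shown']}")
        for key, state, service in result["leaks"]:
            print(f"  LEAK  {key[0]}/{key[1]} {state} ({service}) should be filtered from here")
        for key, service in result["no_listener"]:
            print(f"  RST   {key[0]}/{key[1]} permitted but nothing listening ({service})")
```

Run against the vmnet-side scan the script reports no leaks and two permitted-but-closed ports (67 and 69, where the rules accept TCP but no daemon listens); fed the same output as if it came from an external scanner it flags all four listed ports, which is the "must not see domain, dhcpserver, tftp" condition from the post. An external scanner that reports a port as CLOSED rather than FILTERED has therefore seen an RST, and that port belongs in the leaks list.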

Re: [question]iptables

Posted: 2005/06/20 08:44:08
by theorist
If you have modified your iptables ruleset and want to save it as the default for the init script on startup then simply issue the command:

/etc/init.d/iptables save

It saves the current rule set to /etc/sysconfig/iptables, which is the one loaded by default from that script.
If you want a graphical method of controlling which startup scripts are used then there is an option in one of the GNOME menus:

System Settings -> Server settings -> Services

This allows you to choose which startup scripts are started in each run level, with some help as to what each one does.
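Putting the two posts together, this is what a complete /etc/sysconfig/iptables in iptables-restore format looks like when it carries the explicit-allow chain from the earlier post, with the pieces the posted dump does not show: the jump from INPUT, a DROP policy, and the final DROP behind the FW-ALL-F-IN-DROP-FINALLY log. This is an added example, not the poster's saved file. It departs from the posted rules in two deliberate places: the ESTABLISHED,RELATED accept is not restricted to the local port range, so the rest of an inbound ssh/https session is accepted after its SYN, and the rate limit sits only on LOG rules, never on a DROP. The loopback rule and the policy values are assumptions.

```text
# /etc/sysconfig/iptables -- constructed example in iptables-restore format
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GUANGONG-IN - [0:0]

# Loopback is trusted; everything else arriving locally goes through the explicit-allow chain.
-A INPUT -i lo -j ACCEPT
-A INPUT -j GUANGONG-IN

# Packets conntrack cannot classify: log (rate-limited), then drop unconditionally.
-A GUANGONG-IN -m state --state INVALID -m limit --limit 1/sec --limit-burst 3 -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-INVALID " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -m state --state INVALID -j DROP

# New TCP "connections" that do not start with SYN (ACK/FIN/NULL/XMAS scans).
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-TCP-F-IN-DROP-NEW!SYN " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -j DROP

# Packets of connections already accepted, in either direction: replies to our outbound
# traffic and the remainder of an inbound ssh/https session. Conntrack already ties them to
# a known connection, so no destination port range is needed here.
-A GUANGONG-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services for the VMware guest interfaces only (vmnet0, vmnet1, ...).
-A GUANGONG-IN -i vmnet+ -p tcp -m multiport --dports http,tftp,bootps,domain -j ACCEPT
-A GUANGONG-IN -i vmnet+ -p udp -m multiport --dports tftp,bootps,domain -j ACCEPT

# The only services reachable from any interface; new sessions rate-limited as in the post.
-A GUANGONG-IN -p tcp --syn -m state --state NEW -m limit --limit 1/sec -m multiport --dports ssh,https -j ACCEPT

# Everything else: log (rate-limited), then drop. The INPUT policy would drop it anyway, but
# the explicit DROP keeps the chain self-contained, and this log line is what you check after
# an external scan.
-A GUANGONG-IN -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-FINALLY " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -j DROP
COMMIT
```

Load it with `iptables-restore < /etc/sysconfig/iptables` (or `service iptables restart`, which does the same from the init script). Remember that `/etc/init.d/iptables save` works the other way round and overwrites this file from the live rules, so edit the file or the live rules, not both, and save once you are happy with what an external scan shows.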