Posted: 2005/06/03 14:14:21
Well, this laptop is running CentOS 4, hence I've set the kernel setting "local port ranges" to only 65035:65535, besides the SSH and HTTPS standard ports.
Dropping everything within the INPUT chain from 1:21,23:442,444:65034 gave me the "filtered" effect via nmap.
But I suppose the best practice is to specifically allow whatever is needed and block all the rest? Is specifically dropping TCP and UDP on these ports still considered best practice?
Posted: 2005/06/09 16:56:48
These are the rules used to produce the firewalled/filtered effect. I think I have adhered faithfully to the rule "allow explicitly, drop everything else..."
# Log (rate-limited), then drop, anything conntrack marks INVALID.
# "-i all" removed: iptables has no interface named "all"; omitting -i matches every interface.
-A GUANGONG-IN -m state --state INVALID -m limit --limit 1/sec --limit-burst 3 -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-INVALID " --log-tcp-sequence --log-tcp-options --log-ip-options
# Log, then drop, NEW tcp packets that are not a SYN (stray ACK/FIN probes).
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-TCP-F-IN-DROP-NEW!SYN " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -i lo -j ACCEPT
-A GUANGONG-IN -m state --state INVALID -j DROP
-A GUANGONG-IN -p tcp ! --syn -m state --state NEW -m limit --limit 1/sec -j DROP
# Services offered only to the VMware guests (vmnet+ wildcard).
-A GUANGONG-IN -i vmnet+ -p tcp -m multiport --dports http,tftp,bootps,domain -j ACCEPT
-A GUANGONG-IN -i vmnet+ -p udp -m multiport --dports tftp,bootps,domain -j ACCEPT
# Explicitly allowed inbound services, plus return traffic to the local port range.
-A GUANGONG-IN -p tcp --syn -m state --state NEW -m limit --limit 1/sec -m multiport --dports ssh,https -j ACCEPT
-A GUANGONG-IN -p tcp -m state --state ESTABLISHED,RELATED --dport 65035:65535 -j ACCEPT
-A GUANGONG-IN -p udp -m state --state ESTABLISHED,RELATED --dport 65035:65535 -j ACCEPT
# Everything else: log (rate-limited), then drop silently, which is what nmap reports as "filtered".
-A GUANGONG-IN -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "FW-ALL-F-IN-DROP-FINALLY " --log-tcp-sequence --log-tcp-options --log-ip-options
-A GUANGONG-IN -j DROP
Scanning from 172.16.255.244:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-10 00:43 UTC
Initiating SYN Stealth Scan against 172.16.249.1 [1663 ports] at 00:43
Discovered open port 53/tcp on 172.16.249.1
Discovered open port 80/tcp on 172.16.249.1
The SYN Stealth Scan took 21.39s to scan 1663 total ports.
For OSScan assuming port 53 is open, 67 is closed, and neither are firewalled
Host 172.16.249.1 appears to be up ... good.
Interesting ports on 172.16.249.1:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
53/tcp open domain
67/tcp closed dhcpserver
69/tcp closed tftp
80/tcp open http
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
Too many fingerprints match this host to give specific OS details
I'll verify with online nmap scans, which must not see domain, dhcpserver, tftp.
Posted: 2005/06/10 01:39:42
Can't find help on blackcode's online scanner, so I don't know if they mean CLOSED as in FILTERED or CLOSED as in plain CLOSED, where the OS will send back an RST packet to the originator.
FW-ALL-F-IN-DROP-FINALLY did show packets for unopened dports being dropped on the floor?
Other online scanners can never finish their scans. Timed out?
Need to retry...
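The ruleset post above and the CLOSED-versus-FILTERED question in this one can be checked without an external scanner. The following is an added example, not code from the thread: a small model of the GUANGONG-IN chain that evaluates rules top to bottom like iptables and predicts what a SYN scan reports per interface. The listener set is a constructed assumption, and the rate limit on the ssh/https ACCEPT rule is deliberately left out.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str        # incoming interface name
    proto: str        # "tcp" or "udp"
    dport: int
    state: str        # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    syn: bool = True  # TCP SYN flag set

VMNET_TCP = {80, 69, 67, 53}   # http,tftp,bootps,domain
VMNET_UDP = {69, 67, 53}       # tftp,bootps,domain
HIGH = range(65035, 65536)     # the poster's local port range

# (match, target) pairs in chain order. LOG targets are non-terminating and
# are omitted; the "-m limit" on the ssh/https ACCEPT rule is ignored here
# (once exceeded, those SYNs fall through to the final DROP and look filtered).
RULES = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.state == "INVALID", "DROP"),
    (lambda p: p.proto == "tcp" and p.state == "NEW" and not p.syn, "DROP"),
    (lambda p: p.iface.startswith("vmnet") and p.proto == "tcp" and p.dport in VMNET_TCP, "ACCEPT"),
    (lambda p: p.iface.startswith("vmnet") and p.proto == "udp" and p.dport in VMNET_UDP, "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.state == "NEW" and p.syn and p.dport in (22, 443), "ACCEPT"),
    (lambda p: p.state in ("ESTABLISHED", "RELATED") and p.dport in HIGH, "ACCEPT"),
    (lambda p: True, "DROP"),  # the final -j DROP catch-all
]

def verdict(p: Packet) -> str:
    """First terminating rule that matches decides, as in iptables."""
    for match, target in RULES:
        if match(p):
            return target
    return "DROP"

# Constructed assumption: tcp ports that actually have a listener bound
LISTENING_TCP = {22, 53, 80, 443}

def nmap_state(iface: str, dport: int) -> str:
    """Predict what a SYN scan arriving on `iface` reports for tcp/dport."""
    if verdict(Packet(iface, "tcp", dport, "NEW")) == "DROP":
        return "filtered"  # dropped silently: no SYN-ACK and no RST
    return "open" if dport in LISTENING_TCP else "closed"  # kernel answers itself

def visible_ports(iface: str) -> dict:
    """Every non-filtered tcp port, like nmap's 'Interesting ports' table."""
    out = {}
    for d in range(1, 65536):
        s = nmap_state(iface, d)
        if s != "filtered":
            out[d] = s
    return out
```

A port reported "closed" was accepted by the firewall and answered with an RST by the kernel; only "filtered" means the DROP rule did its job.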
Posted: 2005/06/20 08:44:08
If you have modified your iptables ruleset and want to save it as the default for the init script on startup, then simply issue the command:
It saves the current rule set to /etc/sysconfig/iptables, which is the one loaded by default by that script.
If you want a graphical method of controlling which startup scripts are used, then there is an option in one of the GNOME menus:
System Settings -> Server settings -> services
This allows you to choose which startup scripts are started in each run level, with some help as to what each one does.