I have both iptables and ip6tables configured on my Linode with a default policy to drop everything on input, output, and forward, and have allowed what I need.

Doing an nmap from home, I notice two ports open which I did not allow in iptables: ports 554 and 7070. However, iptables seems unaware that those ports are open:

root@kriskrehart:~# iptables -xnvL
Chain INPUT (policy DROP 21633 packets, 963620 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
     320    29376 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      42     2179 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:53
      28     2031 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
      46     6609 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED udp spt:53
     354    15608 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0 state RELATED,ESTABLISHED
     128     9846 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      32    81647 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:443
    7927   575499 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8080
       5      380 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED udp spt:123
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
      32     2649 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:25
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
     341    19887 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 56 packets, 18368 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
     320    29376 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
      24     1442 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:53
      46     3533 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
      28     3694 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED udp spt:53
     354    14160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:22
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
      28     1986 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     110    15383 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:80
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    8216  1796149 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8080
       6      456 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:143
      43     6652 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:993
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:25
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:465
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:587
     195    37639 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6667
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:6667

I can't nmap IPv6 from home (no IPv6 support yet), so I won't bother showing that.

Any ideas why those two ports are shown open from home?

_________________
Kris the Piki Geeker

Have you done a tcpdump to verify that packets from your scan destined for those ports are actually reaching your server?

This also might be of interest, though I can't say I've dealt with this personally: http://blog.nephtaliproject.com/?p=129

It might be your home network is catching these ports. Some ISPs steal ports for admin purposes. Some routers get in the way. If you provide your linode IP address then others can test to see if they see the port open or not.

(And maybe worth you getting a HE tunnelbroker.net IPv6 connection for home; it's free )

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

You can save yourself a lot of pain and agony by simplifying your iptables rules, and getting rid of your outbound rules (they don't increase security, and prevent you from using your Linode to SSH into other legitimate hosts, among other things). That said, as for your open ports, it's likely your home router is accepting connections for those ports, so that it can provide better NAT-ing for services on those ports (554 is Real-Time Streaming Protocol, which has some issues with NAT, I hear). Apple's AirPort Extreme does this: https://discussions.apple.com/thread/2047569?start=0&tstart=0. If you give us your IP address, we can check from other locations (or our own Linodes) to confirm.

-Doug

Hmm... Didn't know routers would interfere with nmap. I'd appreciate if someone could confirm for me. IPv4 on 97.107.128.171, IPv6 on 2600:3c03::f03c:91ff:fe69:21fa/64 (or at least, as reported by ifconfig -- I'm admittedly an IPv6 newb, so the Linode Manager's reported IPv6 looks like Ancient Egyptian to me).

Thanks.



Google, define:paranoia I don't trust what I can't configure myself. I'll configure my Linode as my IPv6 tunnel, at least when I know enough about it



Sure, outbound rules are useless provided the inbound rules are configured correctly. However, they do provide a safety net in the sense that, if by accident one configures iptables to allow all inbound, the ability of a hacker to send out spammy traffic will be limited -- though nothing beats double-checking one's work to make sure it's configured correctly

Personally I don't consider it a pain to adjust iptables, it's not complicated once one understands the basics.

(edit to correct a sentence (really gotta learn to use the preview))

_________________
Kris the Piki Geeker

Here's an nmap from a Linode in the same datacenter (Newark):

Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-06 03:32 UTC
Nmap scan report for kriskrehart.com (97.107.128.171)
Host is up (0.00043s latency).
Not shown: 989 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
143/tcp  closed imap
443/tcp  closed https
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  open   imaps
6667/tcp open   irc
8080/tcp open   http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.65 seconds

Looks like you're good.

Your IPv6 address isn't working though. Are you blocking ICMPv6? IPv6 gets extremely unhappy when you do that (it's not as forgiving as IPv4 in that regard).

This is true. Blocking ICMPv6 via ip6tables effectively prevents the system from assigning your Linode its IPv6 address (SLAAC comes to mind here), and just overall causes more problems than its worth, so be sure you're not doing that.

Yup. Another problem is that the Neighbor Discovery Protocol (the successor to ARP) uses ICMPv6, so blocking ICMPv6 is basically equivalent to blocking ARP in IPv4.

Interesting ports on kriskrehart.com (97.107.128.171):
Not shown: 65525 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
53/tcp   open   domain
80/tcp   open   http
143/tcp  closed imap
443/tcp  closed https
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  open   imaps
6667/tcp open   irc
8080/tcp open   http-proxy

No 554 and no 7070 open.



By that logic, you shouldn't be connecting to the Internet. Sarcasm aside, HE tunnels are easy to set up, and are no more of a security risk than connecting to the Internet in the first place. They're quite useful when you're not sure how to use your own Linode for this purpose.



iptables should be thought of a supplement to your main security measures, not a replacement. You should focus on securing your applications at the application level first (key-only auth for SSH, something like fwknop to reduce logspam from brute force attempts, secure passwords for things that only accept password auth, keeping up with system and kernel updates, etc), and use iptables only when your application does not allow you to restrict access as flexibly as you'd like, and there's no other suitable alternative. One such example would be a TCP-based application that is normally only communicated with over loopback, but also needs to be accessed by a remote server, and the application provides no access control lists that allow specifying allowed hosts, or the application has a history of security issues, but no alternative exists (rare). This is one case where iptables becomes useful, and not just a hassle, to prevent unauthorized access while still allowing authorized access.

As an example of my previous point that your outbound rules do not provide increased security, based on your current rules, I see 3 ways that a malicious user that has taken advantage of a security hole in software you run or a misconfiguration of software could use your Linode for malicious purposes that would get you in trouble. Further evaluation of your ruleset shows that you're blocking all inbound ICMP not associated with existing traffic, and all outbound ICMP, unless it's an echo request. ICMP is a completely harmless protocol, and by blocking it you only cause yourself more pain and suffering (most monitoring tools would report your Linode as down, for example, and we have no way of verifying whether your Linode is down or if there's a legitimate issue within our network, or just a problem with the return route from your Linode to you). One example of a way to simplify your iptables rules would be to condense your 10 state related, established rules into 1 that doesn't have a port specified, thus catching all of them at once. Leave out protocol as well, for maximum effectiveness.

As always, these are only suggestions, and we can't force you to implement them, as it's your system, but I generally prefer less pain over more, as well as simplicity and sanity in my rulesets.

-Doug

Thanks.



There's only so far paranoia can go without restricting freedom, so one does have to be reasonable

I'd rather either use my Linode, or wait for my ISP to gain support



I'd never use it as a replacement. Before chewing me out for that, please be certain that's what I'm doing.

I believe in security at every level, including (but not only) the firewall.



Please tell. Aside from IRC, I'm unaware of any other issues in my iptables rules.



Sure, blocking ICMP can make troubleshooting harder, however it also makes it hard for hackers and DoS'ers to see my Linode. Sure, it can be argued that a determined hacker will try anyways, but any hacker that has no reason to target me specifically won't bother if my server appears offline.

That, plus I can easily check if my Linode is online using a service that is allowed, e.g. http or ssh. And, if I need to ask for help from Linode support, I can use Lish to temporarily enable ICMP.



Meh, I'd feel safer keep my iptables as they are.

_________________
Kris the Piki Geeker

For what it's worth, Linode colocates with HE in Fremont. (IPv6 tunnels aren't HE's only service.) You trust Linode, and Linode trusts HE, so that kind of implicitly suggests that you should, too.

If you want to be paranoid, you shouldn't trust the Internet period, which makes the ISPs packets are (supposed to be) traveling through irrelevant.

Anyway, it's up to you, of course. But HE are decent folks.

_________________
Matt Nordhoff (aka Peng on IRC)