Linode Forum
https://forum.linode.com/

firewall issue
https://forum.linode.com/viewtopic.php?f=19&t=3432
Page 1 of 1

Author:  kasper22 [ Sat Aug 09, 2008 1:54 pm ]
Post subject:  firewall issue

Hi,

I just set up my Linode server, after a very bad experience with a different hosting provider. So far, I'm impressed. I get more for my money, more OS choice, more memory, more storage, and better tools. So that is very cool.

I'm just having one problem. I've set up my iptables and it seems like I have it all configured correctly, but when I do a scan with nmap I'm seeing all ports open.

output from iptables -L
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:8888 state NEW
ACCEPT tcp -- ------------- anywhere tcp multiport ports rsync state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW
DROP tcp -- anywhere anywhere tcp dpt:imap2 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- ------------- anywhere tcp dpt:7071
....

Summarized, but you get the point. No errors, everything looks good. But like I said nmap is showing everything open.

The one thing that seems off to me is if I run
modprobe -l
I should see a list of modules, but I see nothing. So I went and looked at /lib/modules and there is nothing there?

uname -r outputs
2.6.18.8-x86_64-linode1

So any time I've compiled a kernel I've always ended up with a modules folder for that output. So I guess my real question is, should I have a modules folder from when I picked my kernel? Did something go wrong, or am I just on the wrong track? If I'm correct, how do I get those modules that should be there?

Thanks
Bryan

Author:  SteveG [ Sat Aug 09, 2008 3:31 pm ]
Post subject: 

The kernel you are running has nothing to do with what's on your disk image. It's from the Linode host, and is non-modular, with everything you need built in. (If not, Caker has been pretty open about building in new features.)

The rules you posted look okay, but since you wrote that they were "summarized", it's hard to be sure; it's really easy to make one mistaken rule that bypasses all the others.

Author:  kasper22 [ Sat Aug 09, 2008 4:06 pm ]
Post subject: 

Hi Steven,

So, they build the kernels with everything built in? No modules? Is there a way to confirm that iptables is built in then? I assume it must be there; otherwise, iptables would complain when I tried to use it, wouldn't it?

As for my rules, these are the same ones that worked on my old server, other than that I added a couple of new rules to work with the ports Zimbra is using. Anything that I chopped out is stuff that was unchanged from the server I took them off of.

I'll double check to make sure I didn't mess something up when I created the new rules.

Thanks
Bryan

Author:  mwalling [ Sat Aug 09, 2008 4:10 pm ]
Post subject: 

kasper22 wrote:
Is there a way to confirm that iptables are built in then?


Code:
zcat /proc/config.gz
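
A kernel that ships no /lib/modules can still carry netfilter, as long as it is compiled in. The following script is an added example (not from this thread or from Linode) that reads a kernel .config on stdin and reports which of the pieces an INPUT chain like the one above depends on (filter table, state match, LOG target, connection tracking) are missing. The option names are assumed from 2.6-era kernel trees and may be spelled differently on other versions; the embedded sample config is constructed for the dry run and is not a real Linode kernel config.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a kernel .config for the
# netfilter/iptables pieces a stateful INPUT chain relies on. Option names
# are assumed from 2.6-era kernel trees and may differ on other versions.
#
# Live use on a host that exposes its config:
#   zcat /proc/config.gz | sh check_nf.sh live

# nf_option_set CONFIG_TEXT OPTION: true if OPTION is built in (=y) or a module (=m)
nf_option_set() {
    printf '%s\n' "$1" | grep -Eq "^$2=(y|m)$"
}

# check_netfilter_config: reads a .config on stdin, prints what is missing,
# returns 0 when everything an iptables state/LOG ruleset needs is present
check_netfilter_config() {
    cfg=$(cat)
    missing=""
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_TARGET_LOG; do
        nf_option_set "$cfg" "$opt" || missing="$missing $opt"
    done
    # connection tracking was renamed during 2.6; accept either spelling
    if ! nf_option_set "$cfg" CONFIG_IP_NF_CONNTRACK &&
       ! nf_option_set "$cfg" CONFIG_NF_CONNTRACK; then
        missing="$missing CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK"
    fi
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "netfilter/iptables support present"
}

# Constructed sample config (not a real Linode kernel config) for a dry run
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_TARGET_LOG=m'

case "${1:-sample}" in
    live) check_netfilter_config ;;                               # stdin is zcat /proc/config.gz
    *)    printf '%s\n' "$SAMPLE_CONFIG" | check_netfilter_config ;;
esac
```

If the script reports nothing missing but rules still seem to have no effect, the kernel is not the problem and the rules or the test method are the next place to look.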

Author:  MrRx7 [ Sun Aug 10, 2008 3:22 am ]
Post subject: 

Some rules you might want to add if you don't have them already:

Code:
Chain bad_packets (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere            state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain bad_tcp_packets (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
RETURN     tcp  --  anywhere             anywhere
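
The listing above is `iptables -L` output, which cannot be loaded back as-is. The script below is an added example (not MrRx7's own commands) that emits the same two chains as iptables invocations: `flags:MASK/COMP` in the listing becomes `--tcp-flags MASK COMP`, and `!FIN,SYN,RST,ACK/SYN state NEW` is `! --syn -m state --state NEW`. Hooking `bad_packets` at the top of INPUT with `-I INPUT 1` is this example's own choice; the thread only shows that the chain is referenced once.

```shell
#!/bin/sh
# Added example (not from the thread): the bad_packets / bad_tcp_packets
# chains as iptables commands. Emits one command per line; pipe the output
# to sh (as root) to load them. Where to hook the chain into INPUT is this
# example's assumption, not something the thread states.
IPT=${IPT:-iptables}

# log_and_drop MATCH PREFIX: LOG then DROP a TCP packet matching MATCH
log_and_drop() {
    echo "$IPT -A bad_tcp_packets -p tcp $1 -j LOG --log-prefix \"$2\""
    echo "$IPT -A bad_tcp_packets -p tcp $1 -j DROP"
}

bad_packet_rules() {
    cat <<EOF
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -j RETURN
EOF
    # "!FIN,SYN,RST,ACK/SYN state NEW": a NEW connection whose first packet
    # is not a plain SYN, i.e. ! --syn
    log_and_drop '! --syn -m state --state NEW' "New not syn: "
    # "flags:MASK/COMP" in iptables -L is --tcp-flags MASK COMP; none of these
    # combinations occurs in a legitimate handshake (NULL, XMAS, SYN+RST, SYN+FIN ...)
    for combo in "ALL NONE" "ALL ALL" "ALL FIN,PSH,URG" \
                 "ALL FIN,SYN,RST,ACK,URG" "SYN,RST SYN,RST" "FIN,SYN FIN,SYN"; do
        log_and_drop "--tcp-flags $combo" "Stealth scan: "
    done
    echo "$IPT -A bad_tcp_packets -j RETURN"
    # hook point is an assumption: run the checks before anything is accepted
    echo "$IPT -I INPUT 1 -j bad_packets"
}

case "${1:-print}" in
    apply) bad_packet_rules | sh ;;   # needs root
    *)     bad_packet_rules ;;        # dry run: just show the commands
esac
```

Run it with no argument to review the commands first; `IPT=echo sh bad_packets.sh apply` shows what would be executed without touching the live tables.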

Author:  kasper22 [ Sun Aug 10, 2008 11:29 am ]
Post subject: 

Thanks for the rules, I'll add those to my list.

Ok, I did a little experiment and added a log & drop rule to the end of my rules, and I'm still seeing everything open with nmap.

After adding the rules I did a port scan and then did:
Code:
iptables -L -v

and at the end of my list I had
Code:
528 27558 LOG all -- any any anywhere anywhere LOG level warning prefix `no match!'
528 27558 DROP all -- any any anywhere anywhere

I'm not sure what those numbers mean, but I know the log is getting hit and in my syslog, I have a mountain of "no match" messages. But yet I'm seeing all ports listed as open with nmap.

any ideas?

Thanks,
Bryan
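
The two numbers in front of each rule in `iptables -L -v` are the packet and byte counters for that rule, so the output above says 528 packets fell through to the catch-all LOG and DROP. That is worth reconciling with the scan result: nmap marks a port "open" only when it gets a SYN/ACK back, and a DROP rule never sends one, so if the scan traffic were really passing through this chain the dropped ports would show as "filtered". The script below is an added example (not from the thread) that takes two snapshots of `iptables -L INPUT -v -n -x --line-numbers`, taken before and after a scan, and prints how many packets each rule and the chain policy counted in between; the embedded snapshots are constructed for the dry run, not real output from the poster's server.

```shell
#!/bin/sh
# Added example (not from the thread). Diffs the packet counters of the INPUT
# chain between two snapshots to show which rules a scan actually hit:
#   iptables -L INPUT -v -n -x --line-numbers > before.txt
#   ...run nmap from the remote host...
#   iptables -L INPUT -v -n -x --line-numbers > after.txt
#   sh rule_deltas.sh "$(cat before.txt)" "$(cat after.txt)"

# rule_deltas BEFORE AFTER: prints "rule packets_delta target" for every
# numbered rule and for the chain policy
rule_deltas() {
    printf '%s\n---SNAP---\n%s\n' "$1" "$2" | awk '
        { key = "" }
        $0 == "---SNAP---" { after = 1; next }
        /^Chain /          { key = "policy"; n = $5; tgt = $4 }   # Chain INPUT (policy DROP N packets, ...)
        $1 ~ /^[0-9]+$/    { key = $1;       n = $2; tgt = $4 }   # num pkts bytes target ...
        key == ""          { next }                               # column header line
        !after             { before[key] = n; next }
        { printf "%s %d %s\n", key, n - before[key], tgt }
    '
}

# scan_reached_filter BEFORE AFTER: true if any LOG or DROP rule (or the
# DROP policy) counted packets between the snapshots
scan_reached_filter() {
    rule_deltas "$1" "$2" | awk '$2 > 0 && ($3 == "LOG" || $3 == "DROP") { hit = 1 } END { exit !hit }'
}

# Constructed snapshots (not real output from the poster's server)
BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts  bytes target  prot opt in  out  source     destination
1      100   8000 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2        5    300 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW
3       10    600 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix "no match!"
4       10    600 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0'
AFTER='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts  bytes target  prot opt in  out  source     destination
1      100   8000 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2        6    360 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW
3      538  28158 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix "no match!"
4      538  28158 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0'

if [ $# -eq 2 ]; then
    rule_deltas "$1" "$2"
else
    rule_deltas "$BEFORE" "$AFTER"
fi
```

If the LOG/DROP deltas grow by roughly the number of ports scanned while nmap still reports them open, the scanner is not seeing the address that this chain protects (a scan of the wrong host, or of localhost, is the usual reason), and the firewall itself is working.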

Author:  mwalling [ Sun Aug 10, 2008 1:01 pm ]
Post subject: 

Are you running nmap from the same box (i.e. localhost) or from a remote host?

Author:  kasper22 [ Sun Aug 10, 2008 3:48 pm ]
Post subject: 

running it from home

Author:  MrRx7 [ Tue Aug 12, 2008 1:12 am ]
Post subject: 

Yeah, it sounds like iptables is not installed correctly; you might just try reinstalling it.
