Linode Forum https://forum.linode.com/

firewall issue https://forum.linode.com/viewtopic.php?f=19&t=3432
Page 1 of 1

Author: kasper22 [ Sat Aug 09, 2008 1:54 pm ]
Post subject: firewall issue
Hi,

I just set up my Linode server, after a very bad experience with a different hosting provider. So far, I'm impressed. I get more for my money, more OS choice, more memory, more storage, and better tools. So that is very cool.

I'm just having one problem. I've set up my iptables and it seems like I have it all configured correctly, but when I do a scan with nmap I'm seeing all ports open.

Output from iptables -L:

Quote:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888 state NEW
    ACCEPT     tcp  --  -------------        anywhere             tcp multiport ports rsync state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW
    DROP       tcp  --  anywhere             anywhere             tcp dpt:imap2 state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
    ACCEPT     tcp  --  -------------        anywhere             tcp dpt:7071
    ....

Summarized, but you get the point. No errors, everything looks good. But like I said, nmap is showing everything open.

The one thing that seems off to me is that if I run modprobe -l I should see a list of modules, but I see nothing. So I went and looked at /lib/modules and there is nothing there? uname -r outputs 2.6.18.8-x86_64-linode1. Any time I've compiled a kernel I've always ended up with a modules folder for that output.

So I guess my real question is, should I have a modules folder from when I picked my kernel? Did something go wrong, or am I just on the wrong track? If I'm correct, how do I get those modules that should be there?

Thanks
Bryan

Author: SteveG [ Sat Aug 09, 2008 3:31 pm ]
Post subject:

The kernel you are running has nothing to do with what's on your disk image. It's from the Linode host, and is non-modular, with everything you need built-in. (If not, Caker has been pretty open about building in new features.)

The rules you posted look okay, but since you wrote that they were "summarized", it's hard to be sure; it's really easy to make one mistaken rule that bypasses all the others.

Author: kasper22 [ Sat Aug 09, 2008 4:06 pm ]
Post subject:

Hi Steven,

So, they build the kernels with everything built in? No modules? Is there a way to confirm that iptables are built in then? I assume they must be there; otherwise, iptables would complain when I tried to use it, wouldn't it?

As for my rules, these are the same ones that worked on my old server, other than that I added a couple of new rules to work with the ports Zimbra is using. Anything that I chopped out is stuff that was unchanged from the server I took them off of. I'll double check to make sure I didn't mess something up when I created the new rules.

Thanks
Bryan

Author: mwalling [ Sat Aug 09, 2008 4:10 pm ]
Post subject:

kasper22 wrote:
    Is there a way to confirm that iptables are built in then?

Code:
    zcat /proc/config.gz

Author: MrRx7 [ Sun Aug 10, 2008 3:22 am ]
Post subject:

Some rules you might want to add if you don't have them already:

Code:
    Chain bad_packets (1 references)

Author: kasper22 [ Sun Aug 10, 2008 11:29 am ]
Post subject:

Thanks for the rules, I'll add those to my list.

OK, I did a little experiment and added a log & drop rule to the end of my rules, and I'm still seeing everything open with nmap. After adding the rules I did a port scan and then did: iptables -L -v and at the end of my list I had

    528 27558 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix `no match!'
    528 27558 DROP       all  --  any    any     anywhere             anywhere

I'm not sure what those numbers mean, but I know the log is getting hit and in my syslog I have a mountain of "no match" messages. But yet I'm seeing all ports listed as open with nmap. Any ideas?

Thanks,
Bryan
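
Two things in this thread are worth checking mechanically: the per-rule packet and byte counters Bryan asks about (the two leading numbers printed by `iptables -L -v` are packets and bytes matched so far), and SteveG's point that one over-broad rule silently bypasses everything after it. The following Python checker is an added example, not code from the thread or from Linode; it parses constructed `iptables -L -v -n` output (the sample ruleset, including a deliberately blanket ACCEPT, is made up here) and assumes the standard column layout of that command.

```python
import re
# Constructed `iptables -L -v -n` output (not the poster's real ruleset).
# The first two columns are the per-rule packet and byte counters; rule 3
# is a deliberately over-broad ACCEPT of the kind SteveG warns about.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1200 96000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
  528 27558 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "no match!"
  528 27558 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Columns: pkts bytes target prot opt in out source destination [matches...]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)" + r"\s+(\S+)" * 7 + r"\s*(.*)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def counter(tok):
    """Turn a -v counter such as '27558' or '12K' into an int."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_rules(text):
    """Return {chain: [rule dict, ...]} from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # the column header line never matches
            pkts, nbytes, target, prot, _opt, in_, out, src, dst, extra = m.groups()
            chains[current].append({"pkts": counter(pkts), "bytes": counter(nbytes),
                                    "target": target, "prot": prot, "in": in_, "out": out,
                                    "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def blanket_accepts(chains):
    """ACCEPT rules with no match criteria at all: every later rule in that chain is
    unreachable, so the DROP policy never applies. Returns (chain, rule no., shadowed)."""
    hits = []
    for chain, rules in chains.items():
        for i, r in enumerate(rules):
            if (r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]
                    and r["in"] == r["out"] == "*" and r["src"] == r["dst"] == "0.0.0.0/0"):
                hits.append((chain, i + 1, len(rules) - i - 1))
    return hits
```

Running `blanket_accepts(parse_rules(SAMPLE))` reports rule 3 of INPUT and the three rules it shadows; on a real box, feed it the output of `iptables -L -v -n` and expect an empty list.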

Author: mwalling [ Sun Aug 10, 2008 1:01 pm ]
Post subject:

Are you running nmap from the same box (i.e. localhost) or from a remote host?

Author: kasper22 [ Sun Aug 10, 2008 3:48 pm ]
Post subject:

Running it from home.

Author: MrRx7 [ Tue Aug 12, 2008 1:12 am ]
Post subject:

Yeah, it sounds like iptables is not installed correctly; you might just retry reinstalling.