somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 4:39 pm Post subject: [SOLVED] Can't configure iptables
I can't understand how to configure iptables.
I use the following script to configure it:
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -Z
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
This script is from the Arch Linux Wiki and I should be able to open ports only by adding rules to the TCP (or UDP) chain.
But nmap says that some ports are open:
Code:
$ nmap $(wget http://ipinfo.io/ip -qO -)
Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-10 19:37 EEST
Nmap scan report for litenet1.ett.ua (78.154.164.202)
Host is up (0.017s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
1723/tcp open pptp
3784/tcp filtered bfd-control
8001/tcp open vcom-tunnel
8009/tcp open ajp13
8291/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
Why are these ports open and how can I open only specific ports?
Last edited by somethin on Mon Jun 13, 2016 4:26 pm; edited 1 time in total |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3491
Posted: Fri Jun 10, 2016 5:00 pm
Code:
nmap $(wget http://ipinfo.io/ip -qO -)
Are you aware that you're testing your ISP's router?
By the services it discovered I'm almost sure that it's not your own PC, and you're behind NAT.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 5:09 pm
...So, do I need to run "nmap localhost" or "nmap 192.168.0.100"?
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 5:12 pm
Btw, I can access the internet with a web browser, so port 80 is still open.
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Fri Jun 10, 2016 7:32 pm
You should scan your computer from an unrelated network, if you want to see what is open to others on unrelated networks.
http://www.whatsmyip.org/port-scanner/ has a selection of scanning routines.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 8:49 pm
1. http://www.whatsmyip.org/port-scanner/ shows that ports 53,80,1723,8001,8009,8291 are open.
2. Here is an experiment:
Code:
$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*mangle
:PREROUTING ACCEPT [3:640]
:INPUT ACCEPT [2:64]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
# Generated by iptables-save v1.4.21 on Fri Jun 10 23:41:19 2016
*filter
:INPUT DROP [2:64]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Jun 10 23:41:19 2016
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
$ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ chromium-browser https://google.com &> /dev/null & disown
[1] 3280
$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.0.100:57476 173.194.113.215:https ESTABLISHED
tcp 0 0 192.168.0.100:36760 bud02s23-in-f13.1:https TIME_WAIT
tcp 398 0 192.168.0.100:32774 bud02s22-in-f3.1e:https ESTABLISHED
tcp 398 0 192.168.0.100:57480 173.194.113.215:https ESTABLISHED
tcp 398 0 192.168.0.100:57478 173.194.113.215:https ESTABLISHED
tcp 0 0 192.168.0.100:36774 bud02s23-in-f13.1:https ESTABLISHED
tcp 0 0 192.168.0.100:48004 bud02s23-in-f14.1:https ESTABLISHED
tcp 0 0 192.168.0.100:41708 lf-in-f239.1e100.:https ESTABLISHED
tcp 0 0 192.168.0.100:41694 lf-in-f239.1e100.:https TIME_WAIT
tcp 0 0 192.168.0.100:47994 bud02s23-in-f14.1:https TIME_WAIT
tcp 0 0 192.168.0.100:32772 bud02s22-in-f3.1e:https ESTABLISHED
tcp 0 0 192.168.0.100:58260 173.194.113.216:https TIME_WAIT
It seems that "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" opens every port, but it shouldn't.
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Fri Jun 10, 2016 9:15 pm
Quote:
It seems that "sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" opens every port, but it shouldn't.
It opens all the ports, but only for traffic that started at the firewalled machine. Otherwise, you'd have had to make firewall rules for incoming to those higher number ports like 57576, or incoming from 443 (https).
As for your router/network showing ports 53,80,1723,8001,8009,8291 as open, your netstat command isn't showing the inactive but open and listening ports, and it isn't showing the UDP ports. Try `netstat -tul` to see both TCP and UDP packets, but only the ports that are LISTENING. You can also do `netstat -tua` to see all the ports, LISTENING, ESTABLISHED, and WAITING. Depending on your preference for reading the report, you can add a "n" to show the numeric port instead of named, and you can add a "p" to show the program that has that port open.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 9:58 pm
1. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT should allow traffic that is already ESTABLISHED or RELATED to an established connection. There is a different state for NEW connections. See man iptables-extensions(8).
2. netstat -tua before applying the rule, right after the reboot, shows only udp 0 0 0.0.0.0:bootpc 0.0.0.0:* .
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Fri Jun 10, 2016 10:54 pm
So far, so good. When you open chromium, or another browser, and hook up to a website or three, you will have connections between the firewalled computer and http/https ports at the websites.
Still a mystery as to what is opening that handful of ports (53,80,1723,8001,8009,8291), but `netstat -tuap` will show what is running on the firewalled machine that might be LISTENING for packets destined for those ports. Your router might offer some ports to the outside world too.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Fri Jun 10, 2016 11:49 pm
Just to clarify the problem.
What I do:
Code:
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
What I expect to happen: All ports are closed unless I do
Code:
sudo iptables -N TCP
sudo iptables -N UDP
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
sudo iptables -A <TCP/UDP> -p <tcp/udp> --dport <port> -j ACCEPT
What happens: All ports are open (not all ports because, maybe, I am behind my router's firewall).
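As an added example that is not part of this post, the thread, or the Arch wiki: the complete policy the two snippets above describe, written as a shell function that emits it in `iptables-restore` format. The TCP and UDP chains are filled from two assumed space-separated port lists, so the whole ruleset can be reviewed as text (and the per-port ACCEPT rules counted) before it is loaded atomically with `iptables-restore`. The port validation and the helper names (`build_ruleset`, `count_accept_rules`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: generate the "INPUT DROP + TCP/UDP chains"
# ruleset as iptables-restore text. Assumed interface: build_ruleset "TCP PORTS" "UDP PORTS".

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset "22 80" "53" -> iptables-restore text on stdout; returns 1 on a bad port
build_ruleset() {
    tcp_ports=$1
    udp_ports=$2
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # default policies: nothing in, no forwarding, everything out
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # user chains that hold the per-port ACCEPT rules
    printf '%s\n' ':TCP - [0:0]' ':UDP - [0:0]'
    # replies to connections this host opened, loopback, and junk conntrack cannot classify
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT'
    # only NEW connections are handed to the TCP/UDP user chains
    printf '%s\n' '-A INPUT -p udp -m conntrack --ctstate NEW -j UDP'
    printf '%s\n' '-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP'
    # anything the user chains did not accept falls through to these rejects
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-proto-unreachable'
    # the only place a port gets opened: one ACCEPT per port in the user chains
    for p in $tcp_ports; do
        printf '%s\n' "-A TCP -p tcp --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A UDP -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_rules RULESET CHAIN -> number of ACCEPT rules appended to CHAIN
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 .*-j ACCEPT"
}

# Usage on a real host (needs root, not run here):
#   build_ruleset "22 80" "53" | sudo iptables-restore
```

Because the user chains end without a verdict, a NEW packet to a port that is not listed returns to INPUT and hits the REJECT rules; the RELATED,ESTABLISHED rule at the top only ever matches replies to traffic this host sent first.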
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Sat Jun 11, 2016 12:01 am
How do you reach the conclusion that any port is open?
If you leave the firewall in the condition you just described, and use the port scanner from an external website, any ports that the port scanner sees are NOT on the computer running the firewall. You can prove that with `netstat -tua`.
If you want all the ports to the outside closed, including RELATED and ESTABLISHED connections, you won't be able to do much on the external network.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Sat Jun 11, 2016 12:13 am
Well, when I leave the firewall in the condition I just described, I am able to use a web browser to load any page, which means ports 80 and 443 are open and can be further proven with netstat -tua.
And, why are open ports determined via port scanner NOT on my computer, which is running the firewall?
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Sat Jun 11, 2016 12:27 am
From the `netstat -tua` lines you gave before, ports 80 and 443 are open on the HOST computer (website server, "Foreign address" column in the netstat report), not the computer that the browser/firewall are running on (Local address).
We haven't figured out why ports 53,80,1723,8001,8009,8291 are shown as open when you probe from the outside, but if those ports don't show up in the "Local address" column of `netstat -tua`, then those ports aren't open on your computer.
Where are they open? Well, your router is a separate computer, and you are going to have to learn how to read its configuration. On the system I have here, the router can forward certain NEW packets to any computer I choose, on the local network. My router forwards SSH packets to one computer on the inside, and forwards TELNET and FTP packets to a separate machine that runs as a honeypot (no telnet or ftp service running, but the packets come through - persistent attempts result in closing the firewall to blocks of IP address). When I portscan from the outside, it looks like the system has live TELNET and FTP services, the ports are open, but there is nobody home (`netstat -tua` shows no open TELNET or FTP port, no service running there).
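The "is it my machine or the router?" check from this reply, made mechanical as an added example (not code from the thread): a shell script that pulls the listening ports out of `netstat -tuln`-style output (the `Local Address` column; `ss -tuln` prints the same column) and reports which scanner-reported ports have no local listener at all. Such ports are being answered by another hop on the path, the router in this thread. The netstat lines and the scan list below are constructed samples; on a real host, pipe `netstat -tuln` or `ss -tuln` into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: compare what an external scanner reports
# with what this host is actually listening on. Sample data below is constructed.

# Constructed sample of `netstat -tuln` output (only listening sockets).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed sample: the ports the external scanner in this thread called open.
SAMPLE_SCAN='53 80 1723 8001 8009 8291'

# listening_ports: netstat text on stdin -> sorted unique local ports, space separated
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")     # port sits after the last colon (works for :::80 too)
            print a[n]
        }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# not_local "SCAN PORTS": netstat text on stdin -> scanned-open ports with no local listener
not_local() {
    local_set=" $(listening_ports) "
    out=""
    for p in $1; do
        case "$local_set" in
            *" $p "*) ;;                 # a local socket listens here: really this host
            *) out="$out $p" ;;          # nobody home: answered by another hop (the router)
        esac
    done
    printf '%s' "${out# }"
}

# Usage on a real host:
#   netstat -tuln | not_local "53 80 1723 8001 8009 8291"
```

With the constructed sample, port 80 is the only scanned port that has a local listener; 53, 1723, 8001, 8009 and 8291 are reported open by the scanner but nothing on this host is bound to them, which is exactly the "router, not your PC" situation the thread ends on.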
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Jun 11, 2016 5:16 pm
somethin wrote:
1. sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT should allow traffic that is already ESTABLISHED or RELATED to established connection.
Such as the connection you establish by sending a SYN packet from your web browser...
szatox Advocate
Joined: 27 Aug 2013 Posts: 3491
Posted: Sun Jun 12, 2016 9:05 am
Quote:
Well, when I leave the firewall in the condition I just described, I am able to use a web browser to load any page, which means ports 80 and 443 are open
No, it doesn't.
When you use a web browser to load "any page", it means that the "any" machine hosting that any page has port 80 open. You are using a random port to initiate the connection, and firewalls are usually set to allow outgoing traffic (output policy accept) and accept incoming traffic you expected (conntrack ESTABLISHED,RELATED accept).
Still, if you want to test your firewall, you must first ensure you're testing the correct machine.
Use another computer within your LAN to scan your machine's IP. Within the LAN you can compare the MAC reported by nmap to the one assigned to the interface you want to scan.
Also, make sure to accept all traffic incoming via local loopback.
somethin n00b
Joined: 19 Jan 2016 Posts: 37
Posted: Mon Jun 13, 2016 4:25 pm
Ok, thanks, I understand now. And, I guess, open ports are because of the router.