Gentoo Forums
Why does my iptables block connections?
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Sun Mar 06, 2022 7:43 pm    Post subject: Why does my iptables block connections?

On my server I see nearly all the ports on its public IP are closed.

But in my Iptables rules I see they all should be open:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  localhost            localhost            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere           
ACCEPT     udp  --  anywhere             anywhere             udp dpt:220
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:225
ACCEPT     udp  --  anywhere             anywhere             udp dpt:344
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp


Why are the ports closed? What am I missing?
Hu
Administrator


Joined: 06 Mar 2007
Posts: 23343

PostPosted: Sun Mar 06, 2022 7:52 pm

First, please use iptables-save -c when sharing rules for public review. It is more thorough.

Second, why are you trying to reject traffic to localhost? That is usually not a good idea.

Third, since that is your only reject rule, why do you have all these ACCEPT rules?

What told you the ports are closed?
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Sun Mar 06, 2022 8:20 pm

Hu wrote:
First, please use iptables-save -c when sharing rules for public review. It is more thorough.

Second, why are you trying to reject traffic to localhost? That is usually not a good idea.

Third, since that is your only reject rule, why do you have all these ACCEPT rules?

What told you the ports are closed?

I didn't make this config, I was given it along with the server. Now I'm trying to figure out how it all works there and why.
I checked ports with nmap.
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3605

PostPosted: Sun Mar 06, 2022 8:33 pm

Quote:
Now I'm trying to figure out how it all works

Well, I guess it doesn't work at all.

Quote:
Code:
ACCEPT     all  --  anywhere             anywhere           

Is your second rule restricted in any way? Bound to an interface, for example? iptables -L doesn't contain this information.
That's why iptables-save is better: it creates an exact dump of the firewall's state, which can be loaded back.

Anyway, those rules are a mess, so the one I copied probably is not restricted. You can expect all incoming traffic to go through your firewall and hit some ports.
And then, said traffic will be rejected (with a negative response - reported as "closed") by the kernel - because nothing is listening on those ports. All ports without services bound to them are actually closed.
And the vast majority of ports are supposed to be closed.

If my assumption regarding rule #2 is correct, none of the rules that follow matter. Not a single packet will ever reach them anyway.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W

PostPosted: Sun Mar 06, 2022 8:47 pm

... and that begs the question, what is your Iptables supposed to do?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 5614
Location: Bavaria

PostPosted: Sun Mar 06, 2022 8:56 pm    Post subject: Re: Why does my iptables block connections?

alnash wrote:
all the ports on its public IP are closed.
But in my Iptables rules I see they all should be open:

(accentuation by me)

If you do an nmap scan of your public IP, the packets will travel over your router/DSL modem, which may have a firewall as well. What happens if you do the nmap scan against your local IP address?

BTW: These rules are a mess. Throw them far away.

P.S.: Best is to do an "iptables -L -v -n" to see the packet counts and interfaces (in/out).

(Maybe you are interested in this: https://forums.gentoo.org/viewtopic-t-1135566-highlight-privoxy+personal+firewall+guide.html)
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Sun Mar 06, 2022 9:00 pm

NeddySeagoon wrote:
... and that begs the question, what is your Iptables supposed to do?

Actually, it's the very question I keep asking myself over and over again. :D That's why I started this topic, after all.
It should be something about vpn routing and general security.

I'll do suggested checks when I'm at the server in a couple of days.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W

PostPosted: Sun Mar 06, 2022 10:20 pm

alnash,

At home, I have a paranoid firewall. Nothing is allowed in or out unless it's expressly permitted.

That mostly means allowing out the services I want/need and allowing in the responses.
The idea is to make it difficult for anything nasty that does get in to phone home.

Being paranoid means untrusted devices, like Android and Windows systems, are kept separate, on their own LAN segment, from trusted devices.
I get a lot of dropped packets in my logs from Android devices trying to phone home on strange ports.

My server is currently exposed to the world. There is no firewall there. I just make sure I don't run any services I don't want to.
The wider you open the window, the more the dirt blows in. :)
It's also kept up to date.

I've thought about some geo-ip filtering to cut down on the logspam but there are more interesting things to do.
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Mon Mar 07, 2022 11:20 am

iptables -L -v -n:

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            127.0.0.1            tcp dpt:25
 624M  532G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:220
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:225
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:344
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  81M   58G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            127.0.0.1            tcp spt:25
 639M  578G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           


iptables-save -c:
Code:

# Generated by iptables-save v1.8.4 on Mon Mar  7 14:07:48 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
[624346816:531973937149] -A INPUT -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 10.0.0.0/24 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 220 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 225 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 344 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[81253399:58385648482] -A FORWARD -j ACCEPT
[0:0] -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 25 -j ACCEPT
[639175411:578067353888] -A OUTPUT -j ACCEPT
COMMIT
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 5614
Location: Bavaria

PostPosted: Mon Mar 07, 2022 11:51 am

alnash,

a firewall works very simply. It compares a packet with a rule and if it fits, it (-j)umps to a target. Mainly there are three targets: ACCEPT, DROP and LOG. The first two targets are "endstation" targets. If a packet fits a rule and it jumps to ACCEPT, no other rule after it will be checked (compared). Only LOG is not an endstation. The kernel just logs something and proceeds. IF NO rule fits, the kernel does what the DEFAULT policy says. Now look at your rules:

The default action for all incoming packets is:
Code:
Chain INPUT (policy ACCEPT ...

(This is set by "iptables -P INPUT ACCEPT")

Usually the opposite is set: "iptables -P INPUT DROP"

But it gets better. Look at your second rule for all incoming packets:

Code:
 624M  532G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

- or -

[624346816:531973937149] -A INPUT -j ACCEPT


This means: EVERY packet is ALLOWED. After this rule your kernel will NEVER check any later rule ... you will see this also when looking at the packet counts: 624M packets, and all later rules: zero.

Now, again: Throw it far away ...
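The first-match behaviour pietinger describes, as an added example that is not code from the thread or from iptables: a small Python walk over the INPUT rules posted above, which understands only the options those rules use (-s, -d, -i, ! -i, -p, --dport, --state, -j) and treats a packet without connection-tracking state as NEW. With the blanket accept in place every packet stops at rule index 1 and nothing after it is ever consulted; the TIGHTENED list (constructed here, not from the thread) drops that one rule and is meant for a DROP policy, under which a new SYN to an unlisted port falls through to the policy (what nmap reports as filtered) while port 25 still reaches its own ACCEPT rule.

```python
"""Added example (not from the thread): first-match walk of the posted INPUT chain."""
import ipaddress
import shlex

KEYS = {"-s": "src", "-d": "dst", "-i": "in", "-p": "proto",
        "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """'-A INPUT ... -j TARGET' -> ({criterion: (value, negated)}, target); other options skipped."""
    toks, crit, i = shlex.split(line), {}, 0
    while i < len(toks):
        neg = toks[i] == "!"
        opt = toks[i + 1] if neg else toks[i]
        i += 3 if neg else 2
        if opt in KEYS:
            crit[KEYS[opt]] = (toks[i - 1], neg)
    return crit, crit.pop("target")[0]

def matches(crit, pkt):
    """True when every criterion fits the packet, honouring a leading '!'."""
    for key, (want, neg) in crit.items():
        if key in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:  # proto, in, dport, or a comma-separated state list; an unset state means NEW
            hit = str(pkt.get(key, "NEW")) in want.split(",")
        if hit == neg:  # plain criterion missed, or negated criterion hit
            return False
    return True

def evaluate(lines, policy, pkt):
    """First match decides and later rules are never consulted; no match -> chain policy. Returns (verdict, rule index or None)."""
    for n, (crit, target) in enumerate(map(parse_rule, lines)):
        if matches(crit, pkt):
            return target, n
    return policy, None

# The INPUT rules from the thread's iptables-save output, counters stripped; index 1 is the blanket accept.
POSTED = [
    "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT",
    "-A INPUT -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 10.0.0.0/24 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 220 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 225 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 344 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT",
]
TIGHTENED = POSTED[:1] + POSTED[2:]  # constructed: same rules minus the blanket accept, for 'iptables -P INPUT DROP'
```

Packets are plain dicts (src, dst, in, proto, dport, optional state), so the same walk can be run against any constructed packet to see which rule index fires.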
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W

PostPosted: Mon Mar 07, 2022 12:06 pm

alnash,

In fewer words, iptables is not blocking anything.

Why do you believe that it is?
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Mon Mar 07, 2022 3:31 pm

NeddySeagoon wrote:
alnash,

In fewer words, iptables is not blocking anything.

Why do you believe that it is?

Well, actually I don't "believe" it that much.
I see nmap reports that ports are "closed" and I can't figure out why they're closed, besides iptables.
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 5614
Location: Bavaria

PostPosted: Mon Mar 07, 2022 3:34 pm

alnash wrote:
I see nmap reports that ports are "closed" and I can't figure out why they're closed, besides iptables.

Do you know the difference between "closed" and "filtered" ?
Maybe you want to read this: https://nmap.org/book/man-port-scanning-basics.html
alnash
n00b


Joined: 20 Nov 2016
Posts: 21

PostPosted: Mon Mar 07, 2022 3:41 pm

pietinger wrote:
alnash wrote:
I see nmap reports that ports are "closed" and I can't figure out why they're closed, besides iptables.

Do you know the difference between "closed" and "filtered" ?
Maybe you want to read this: https://nmap.org/book/man-port-scanning-basics.html
Yup, I think I misunderstood the wording now...
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 55172
Location: 56N 3W

PostPosted: Mon Mar 07, 2022 3:45 pm

alnash,

Ports are 'closed' when there is nothing listening on the port.

When you have a webserver running, port 80 will be open. That's http:// and maybe port 443 too, which is https://
iptables can filter access to any port, in either direction and make otherwise open ports appear to be closed to some subset of potential users.