Friday, January 30, 2009

Re: my debian does not read my own iptables script

Dear Ansgar,

Firstly, thank you very much for your reply.

It still does not make any change. So I start from something very simple, namely: "Just opening some ports I need". But the ports which are opened are not mentioned in my script.

But ports 21, 23, 53 and 10883 are always closed. I don't mention ports 111, 113 and 515 in my iptables script and I want them to be closed, but in fact they stay open. Sigh...!!!

But this is the output of my iptables script:
patrik@debbylap:~$ nmap 219.83.114.180

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-01-31 06:31 WIT
Interesting ports on 219.83.114.180:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
515/tcp open printer

Nmap finished: 1 IP address (1 host up) scanned in 9.345 seconds
======
This is my complete script:
#!/bin/bash
#Zero...zero...from beginning
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -X
iptables -t nat -X
iptables -t mangle -X

echo "0" > /proc/sys/net/ipv4/ip_forward

#route add default gateway 219.83.114.177

#Basic policy
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

#Log....them
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

iptables -A INPUT -p tcp -m multiport --source-port 20,22,23,53,10883 -j ACCEPT
iptables -A INPUT -p udp -m multiport --source-port 20,22,23,53,10883 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sport 21 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sport 21 -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --destination-port 20,22,23,53,10883 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --destination-port 20,22,23,53,10883 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 21 -j ACCEPT
============
mydebian:/etc/apt# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 20,22,23,53,10883
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 20,22,23,53,10883
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 21

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 20,22,23,53,10883
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 20,22,23,53,10883
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
mydebian:/etc/apt#
--- On Wed, 28/1/09, Ansgar Wiechers <lists@planetcobalt.net> wrote:

> From: Ansgar Wiechers <lists@planetcobalt.net>
> Subject: Re: my debian does not read my own iptables script
> To: debian-firewall@lists.debian.org
> Date: Wednesday, 28 January 2009, 11:51 AM
> On 2009-01-28 Patrik Hasibuan wrote:
> > I am building a firewall with Debian Sarge on my internet gateway. But
> > looks like my debian does not read my iptables script after I run my
> > own iptables script.
> [...]
> > I haven't opened the rpcbind, auth, printer. And the 21,23,53 are not
> > opened by my iptables. Where is the mistake? Please tell me. I am new
> > in debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I
> > configure the firewall with YaST2 so easily. But now I want to get
> > close to debian too. And I am stuck on this case.
> [...]
> > #!/bin/bash
> > #Zero...zero...from beginning
> > iptables -F
>
> You are not setting default policies (bad idea), so your chains probably
> accept all incoming packets. As others have told you before: please post
> the output of "iptables -nL" and "iptables -t nat -nL" (and perhaps the
> output of "iptables -t mangle -nL" and "iptables -t raw -nL").
>
> As a starting point, my iptables scripts usually begin like this:
>
> ----8<----
> # 1) Disable IP forwarding.
> echo "0" > /proc/sys/net/ipv4/ip_forward
>
> # 2) Set default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> # 3) Flush chains
> iptables -F
> iptables -t nat -F
>
> # 4) Delete user-defined chains
> iptables -X
> iptables -t nat -X
>
> # 5) Re-enable IP forwarding (if required)
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # ...
> ---->8----
>
> Regards
> Ansgar Wiechers
> --
> "The Mac OS X kernel should never panic because, when it does, it
> seriously inconveniences the user."
> --http://developer.apple.com/technotes/tn2004/tn2118.html
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

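An added example, not part of the original thread: a small POSIX shell script that audits the INPUT chain listing Patrik posted and emits a corrected rule set. Two details in that listing account for the nmap result. The rule "ACCEPT tcp ... state NEW,ESTABLISHED" carries no port match, so it accepts every inbound TCP connection attempt before the DROP policy is ever reached; that is why the services listening on 22, 111, 113 and 515 are reachable, and why nmap reports the remaining ports as "closed" (a RST came back from the TCP stack) rather than "filtered" (no answer, as a DROP policy would produce). The multiport rules use --sport, which matches the remote peer's source port rather than the local service port, so they restrict nothing on this host; the intended match is --dport. The listing embedded below is copied from the post; the corrected rule set, in iptables-restore format, is my own suggestion rather than Ansgar's or Patrik's, and it assumes the listed ports are meant to be reachable on this host (Patrik's port list is kept unchanged).

```shell
#!/bin/sh
# Added example (not from the original post). Audits an "iptables -L -n"
# listing for INPUT rules that defeat a DROP policy, then prints a corrected
# rule set in iptables-restore format (load with: iptables-restore < rules).

# Constructed input: the INPUT/FORWARD/OUTPUT listing from the post.
IPTABLES_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 20,22,23,53,10883
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 20,22,23,53,10883
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 21

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
LOG 0 -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4'

# Print one labelled finding per problematic ACCEPT rule in the INPUT chain:
#   accept-all-new:    accepts NEW connections with no destination-port match,
#                      so the chain's DROP policy is never reached for that protocol
#   source-port-match: matches the peer's source port (--sport), which does not
#                      restrict which local services are reachable
audit_input_chain() {
    printf '%s\n' "$IPTABLES_LISTING" | awk '
        /^Chain / { chain = $2; next }
        chain != "INPUT" || $1 != "ACCEPT" { next }
        /state NEW/ && !/dports/ && !/dpt:/ { print "accept-all-new: " $0; next }
        /sports/ { print "source-port-match: " $0 }
    '
}

# Number of findings, as a plain integer on stdout.
count_findings() {
    audit_input_chain | awk 'END { print NR }'
}

# Corrected rule set (my suggestion, not the post's): replies to our own
# connections are admitted by state, new connections only on the listed
# destination ports, everything else is logged (rate-limited) and dropped.
corrected_rules() {
    # Assumption: the ports in the post are services on this host (--dport).
    tcp_ports="20,21,22,23,53,10883"
    udp_ports="20,21,22,23,53,10883"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports $tcp_ports -j ACCEPT
-A INPUT -p udp -m multiport --dports $udp_ports -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

audit_input_chain
echo "findings: $(count_findings)"
corrected_rules
```

With the corrected set loaded, a scan of this host reports the unlisted ports (111, 113, 515) as filtered instead of open, and "iptables -L -n -v" shows the packet counters on the LOG rule growing for every dropped attempt, which is the check to run after reloading.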
