Ok,
thank you for your answers. I will try to sum up mine.
It is true that it is not me who wrote the firewall script and that
I do not understand what all the rules do.
I tried the different solutions that you proposed but none of them works, from
localhost, the local network or the internet. The 8080 port remains
closed. I did not try to upgrade my kernel. Actually, I am a little
bit frightened by this idea. Is it really riskless?
Finally, this is the result of the 'iptables -t filter -L -n -v' command:
Chain INPUT (policy DROP 17 packets, 1088 bytes)
pkts bytes target          prot opt in   out source          destination
   1    64 ACCEPT          tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:8080
 225 18816 bad_tcp_packets tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
   0     0 ACCEPT          tcp  --  eth1 *   192.168.0.3     0.0.0.0/0       tcp dpt:22
   0     0 ACCEPT          tcp  --  eth1 *   192.168.0.12    0.0.0.0/0       tcp dpt:22
   0     0 ACCEPT          tcp  --  eth1 *   192.168.0.31    0.0.0.0/0       tcp dpt:22
   0     0 ACCEPT          tcp  --  eth1 *   192.168.0.28    0.0.0.0/0       tcp dpt:22
   0     0 REJECT          tcp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:22 reject-with icmp-port-unreachable
 162 18088 ACCEPT          all  --  eth1 *   192.168.0.0/24  0.0.0.0/0
  10  1219 ACCEPT          all  --  lo   *   127.0.0.1       0.0.0.0/0
   4   156 ACCEPT          all  --  lo   *   192.168.0.1     0.0.0.0/0
   8   528 ACCEPT          all  --  lo   *   193.51.128.146  0.0.0.0/0
   0     0 ACCEPT          udp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       udp spts:67:68 dpts:67:68
 140 10422 ACCEPT          all  --  *    *   0.0.0.0/0       193.51.128.146  state RELATED,ESTABLISHED
  20  1280 tcp_packets     tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0
   0     0 udp_packets     udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0
  10   640 icmp_packets    icmp --  eth0 *   0.0.0.0/0       0.0.0.0/0
   0     0 DROP            all  --  eth0 *   0.0.0.0/0       224.0.0.0/8
   3   192 LOG             all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target          prot opt in   out source          destination
   0     0 bad_tcp_packets tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
   2   152 ACCEPT          all  --  eth1 *   0.0.0.0/0       0.0.0.0/0
   2   152 ACCEPT          all  --  *    *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
   0     0 LOG             all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target          prot opt in   out source          destination
 169 22018 bad_tcp_packets tcp  --  *    *   0.0.0.0/0       0.0.0.0/0
  10  1219 ACCEPT          all  --  *    *   127.0.0.1       0.0.0.0/0
 166 16632 ACCEPT          all  --  *    *   192.168.0.1     0.0.0.0/0
 120 16559 ACCEPT          all  --  *    *   193.51.128.146  0.0.0.0/0
   0     0 LOG             all  --  *    *   0.0.0.0/0       0.0.0.0/0       limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (20 references)
pkts bytes target          prot opt in   out source          destination
   3   192 ACCEPT          tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:0x16/0x02
   0     0 ACCEPT          tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
   0     0 DROP            tcp  --  *    *   0.0.0.0/0       0.0.0.0/0

Chain bad_tcp_packets (3 references)
pkts bytes target          prot opt in   out source          destination
   0     0 REJECT          tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:0x12/0x12 state NEW reject-with tcp-reset
   1    40 LOG             tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
   1    40 DROP            tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp flags:!0x16/0x02 state NEW

Chain icmp_packets (1 references)
pkts bytes target          prot opt in   out source          destination
  10   640 ACCEPT          icmp --  *    *   0.0.0.0/0       0.0.0.0/0       icmp type 8
   0     0 ACCEPT          icmp --  *    *   0.0.0.0/0       0.0.0.0/0       icmp type 11

Chain tcp_packets (1 references)
pkts bytes target          prot opt in   out source          destination
   0     0 allowed         tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp dpt:21
   0     0 allowed         tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp dpts:51000:52000
   0     0 allowed         tcp  --  eth0 *   195.221.162.126 0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   81.57.83.190    0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   193.52.24.125   0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   129.175.58.218  0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   82.230.68.31    0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   82.246.152.215  0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   86.67.133.75    0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   88.171.133.128  0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   157.136.22.133  0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   129.104.48.4    0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   129.104.48.5    0.0.0.0/0       tcp dpt:22
   0     0 allowed         tcp  --  eth0 *   129.104.48.3    0.0.0.0/0       tcp dpt:22
   0     0 LOG             tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:22 LOG flags 0 level 7 prefix `IPT INPUT SSH FORBIDDEN: '
   1    64 allowed         tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:80
   2   128 allowed         tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:443
   0     0 allowed         tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       multiport ports 143,993,110,995
   0     0 allowed         tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:53
   0     0 allowed         tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:25
   0     0 allowed         tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       tcp dpt:113

Chain udp_packets (1 references)
pkts bytes target          prot opt in   out source          destination
   0     0 REJECT          udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       udp dpt:515 reject-with icmp-port-unreachable
   0     0 DROP            udp  --  eth0 *   0.0.0.0/0       193.51.128.151  multiport ports 513,631
   0     0 ACCEPT          udp  --  *    *   0.0.0.0/0       0.0.0.0/0       udp dpt:123
   0     0 ACCEPT          udp  --  *    *   0.0.0.0/0       0.0.0.0/0       udp dpt:443
   0     0 ACCEPT          udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       multiport ports 143,993,110,995
   0     0 ACCEPT          udp  --  *    *   0.0.0.0/0       0.0.0.0/0       udp dpt:53
   0     0 ACCEPT          udp  --  *    *   0.0.0.0/0       0.0.0.0/0       udp dpt:10000
   0     0 DROP            udp  --  eth0 *   0.0.0.0/0       193.51.128.151  udp dpts:135:139
   0     0 DROP            udp  --  eth0 *   0.0.0.0/0       255.255.255.255 udp dpts:67:68

Joan
_________________
Post-doc GENNETEC
Programme d'Épigénomique, Genopole®
Tour Évry2, 10è étage
523 Terrasses de l'Agora
91034 ÉVRY cedex
Tél : +33 (0)1 69 47 44 34
Fax : +33 (0)1 69 47 44 37
Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/
________________________________________________________________________
On 7 June 07 at 16:51, Németh Tamás wrote:
'iptables -t filter -L -n -v