Quotes DB: #iptables
<0> It is there. And it doesn't work.
<1> what does your rule set look like? pastebin it
<0> The problem has to be with routing.
<0> Mmmkay. Just a sec
<1> if everything else is working except dns then i don't think so
<0> http://pastebin.com/582580
<0> That is a good point about dns vs ping. dns should work.
<2> good evening
<0> good afternoon
<2> I'm unable to find relevant google results for the topic of using iptables to drop port scanning of various types, including icmp and stealth
<0> Lazydog: Note that my logging does not show an inbound packet hitting FORWARD
<0> e.g. Nothing prefixed with FwdSport53
<1> is forwarding turned on?
<2> I don't want my server to appear to have open ports
<0> Yes. I just double checked.
<2> so far I have -A INPUT -p icmp -j REJECT
<0> Marticus: Is this just one computer on the internet?
<3> Marticus: that will show "closed" in nmap - I'd use DROP
<2> is that good or bad?
<0> I didn't catch that. Yeah, drop it.
<2> what about for the tcp scans?
<3> Marticus: it tells that your computer is on
<3> Marticus: just allow the things you want open and DROP the rest
<2> I realize that is the best way, but...
<2> it is a long list
<2> I'd much rather just block scanning
<2> so I can drop the icmp stuff
<3> long list of open ports?
<2> but what about the stealth scans?
<2> danieldg, like, I want to allow all the IM transports and stuff
<2> actually, it is a NAT box anyway...
<2> but it is running a mail server
<2> and I Want it to not show up as a mail server
<1> onweald_tim: where is your ACCEPT statement for forwarding NEW dns requests?
<3> Marticus: anyone scanning for mail servers will find it; you'd only be able to block a general nmap
<4> could iptables affect a serial console?
<0> Lazydog: -A FORWARD -s 10.1.0.0/255.255.0.0 -p udp -m udp --dport 53 -j ACCEPT
<2> assuming they aren't looking specifically for a mail server...
<2> I want to be as restrictive as possible when it comes to scanning
<1> how many boxes behind this firewall?
<0> Marticus: Default to dropping everything, then only accept the ports you want to allow.
<2> I understand that you could use another method for looking specifically for mail servers, like scanning for incoming packets and such
<2> onweald_tim: will that break NAT?
<0> Lazydog: Unlimited. I am hosting customer systems.
<3> Marticus: for portscan blocking, see http://daniel.6dns.org/info/iptables/#recent but it's really a good idea to block everything but what you need to allow
<2> I realise this
<0> Marticus: You accept established,related packets.
<1> onweald_tim: so you are not planning on blocking any outgoing packets then
<0> Lazydog: Not until I get this figured out.
<2> onweald_tim: I want to allow NAT to do its thing
<0> The customer systems are web servers.
<2> which is to allow established connections
<0> Marticus: That is why you have -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
<2> so do I need to do a stateful filter of non established incoming connections?
<2> oops spoke too soon
<2> is the FORWARD chain before INPUT?
<2> I Want to block as close to the isp as possible
<1> onweald_tim: how about removing -o br-dmz from your postrouting setup and put in the interface it is traveling out.
<0> Marticus: PREROUTING, then splits to INPUT if destined locally or FORWARD if being routed elsewhere
<2> I suppose what I'm asking is, I want to allow incoming packets on port 25 and 22 for instance, and disallow everything else by default, where in the list shall I place the related,established rule?
<0> Lazydog: I'll try that out
<3> Marticus: you should have a related,established rule at the start of INPUT and FORWARD
<2> okay I think I'm beginning to understand
<1> onweald_tim: this file doesn't look like a script file so that would not translate to the correct interface
<2> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<2> like that also/
<2> ?
<0> Lazydog: ???
<3> Marticus: yes
<0> You are saying br-dmz wouldn't translate to eth0?
<1> correct not in this file
<2> so, unless they are attempting to connect on port 25, they won't be able to see it in any scans?
<0> Lazydog: I just removed -o completely and it didn't help.
<1> onweald_tim: no you have to supply the direction
<2> assuming I have that rule along with allow tcp 25 default drop
<0> Marticus: yes
<0> Lazydog: Mmmkay. Just a sec
<1> onweald_tim: if you don't supply the interface then all packet no matter what interface they go out will get postrouting done to them
<2> very simple
<2> http://iptables.pastebin.com/582601
<0> Lazydog: eth0 doesn't work. I have to use br-dmz
<2> is that going to break anything?
<1> onweald_tim: the file you showed me looks like an iptables save file. is this the one you are editing?
<0> See pastebin: http://pastebin.com/582602
<0> ^^^ for Lazydog
<0> Lazydog: No, I edit the shell script.
<1> then that is why it is not working. i'm looking at this saved file
<4> could iptables affect a serial console?
<1> onweald_tim: do this..... run your script and then do an iptables save and then pastebin this file
<2> onweald_tim: I really appreciate all the help you have given me
<0> http://pastebin.com/582609
<0> Marticus: you're welcome.
<2> can you do one last thing please and confirm the accuracy of my script? http://iptables.pastebin.com/582607
<2> it's a very small one compared to those I have seen on the web
<5> hello
<5> i set up iptables using the instructions of a gentoo howto.
<1> onweald_tim: on your machine did you change the interface name from eth0 to br-dmz?
<5> my iptables linux box is connected to a linksys router, but my lan cannot access the internet
<5> can anybody help me troubleshoot it?
<2> I've never had default DROP before, so I don't know if the six -Ps will break anything
<0> Marticus: I'm relatively new but did take a look. I didn't think you could specify two ports for --port. I think you can specify a range like 22:25 but that doesn't look like what you are trying to do.
<2> that's fine
<2> what about the -P rules?
<2> will those for -t nat break nat?
<0> Default policy is to drop. That is good.
<1> Steve973: forward is turned on?
<2> now I will explain myself
<5> there's a "1" in the ip_forward file :)
<5> if that's what you're asking
<2> insightbb in their infinite wisdom has decided to suspend my account after several years of running a personal mail server
<1> can the lan ping the linux box?
<0> Lazydog: I did not rename eth0. If this helps, eth0 has no ip address. The ip address resides on br-dmz.
<2> and I wanted to prevent them from detecting open ports
<5> Lazydog: give me one second. i wanna try one thing from the router
<5> Lazydog: i can ping stuff directly from the router
<0> Marticus: Ahhh
<5> i wanna try that
<2> assuming they are doing simple scans, I hope that this will allow me to have my service back up
<2> until I can find a better place for my mail server
<0> Marticus: What you might want to do is monitor for their scans and then drop port scans from their ip addresses.
<2> understandably, one would not want to run a mail server on a dynamic ip
<2> onweald_tim: that is what I originally wanted to do, but that is beyond my level
<1> onweald_tim: everything is working except dns request?
<0> Marticus: I guess you could use something like -A INPUT -p tcp --dport 25 -j LOG "Mail attempt "
<2> firstly, I don't know how to monitor their scans, and secondly, I don't know how to trigger a drop when they are detected
<5> Lazydog: one thing before i try that. my linux box hands out a 192.168.0.x address to the router. my router hands out 192.168.1.x to the lan. is this okay as far as you know?
<0> Lazydog: "Everything" is relative. I have only tried ping.
<0> Without name resolution, the rest is pointless.
<2> so I could check for --dport from their ip block?
<2> I should have been checking for scans from the beginning
<0> Marticus: Yes.
<1> Steve973: so what does your network look like?
<2> I could have headed this off at the pass
<2> onweald_tim: well, with the file I pasted, shouldn't that be enough?
<2> or should I go ahead and setup an IDS for their ip block
<5> cable modem connected to eth0 of linux box. eth1 of linux box connected to wrt54g-v5. wireless lan
<5> Lazydog: does that answer your question?
<2> that is, intrusion detection
<1> Steve973: yep
<2> because really, that is what they are doing
<2> intruding upon my privacy
<2> heh
<0> Marticus: You are accepting port 22 (and maybe 22-25 if that syntax works) So anyone connecting to port 25 would be allowed in.
<0> They would see the port open
<5> Lazydog: sound fine?
<2> onweald_tim: except for scans
<0> Marticus: A port scan is when you try to initiate a connection to the port. That is what you are detecting here.
<2> if I blocked port 25 from their ip space, then I would be preventing incoming email from their clients
<1> Steve973: sure . what is the ip address of eth1?
<0> Well, actually if you wanted to detect that initial request you would use the state and check for "NEW"
<2> onweald_tim: errm, so my existing rules would allow scans on port 25 then?