firewall issue
I just set up my Linode server, after a very bad experience with a different hosting provider. So far, I'm impressed. I get more for my money, more OS choice, more memory, more storage, and better tools. So that is very cool.
I'm just having one problem. I've set up my iptables and it seems like I have it all configured correctly, but when I do a scan with nmap I'm seeing all ports open.
Output from iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:8888 state NEW
ACCEPT tcp -- ------------- anywhere tcp multiport ports rsync state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW
DROP tcp -- anywhere anywhere tcp dpt:imap2 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- ------------- anywhere tcp dpt:7071
...
Summarized, but you get the point. No errors, everything looks good. But like I said nmap is showing everything open.
The one thing that seems off to me is if I run
modprobe -l
I should see a list of modules, but I see nothing. So I went and looked at /lib/modules and there is nothing there?
uname -r outputs
2.6.18.8-x86_64-linode1
So any time I've compiled a kernel I've always ended up with a modules folder for that output. So I guess my real question is, should I have a modules folder from when I picked my kernel? Did something go wrong, or am I just on the wrong track? If I'm correct, how do I get those modules that should be there?
Thanks
Bryan
8 Replies
The rules you posted look okay, but since you wrote that they were "summarized", it's hard to be sure; it's really easy to make one mistaken rule that bypasses all the others.
So, they build the kernels with everything built in? No modules? Is there a way to confirm that iptables is built in then? I assume it must be there; otherwise, iptables would complain when I tried to use it, wouldn't it?
As for my rules, these are the same ones that worked on my old server, other than that I added a couple of new rules to work with the ports Zimbra is using. Anything that I chopped out is stuff that was unchanged from the server I took them off of.
I'll double-check to make sure I didn't mess something up when I created the new rules.
Thanks
Bryan
@kasper22:
Is there a way to confirm that iptables is built in then?
zcat /proc/config.gz
Chain bad_packets (1 references)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID LOG level warning prefix `Invalid packet: '
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain bad_tcp_packets (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN tcp -- anywhere anywhere
OK, I did a little experiment and added a LOG & DROP rule to the end of my rules, and I'm still seeing everything open with nmap.
After adding the rules I did a port scan and then did:
iptables -L -v, and at the end of my list I had:
528 27558 LOG all -- any any anywhere anywhere LOG level warning prefix `no match!'
528 27558 DROP all -- any any anywhere anywhere
I'm not sure what those numbers mean, but I know the log is getting hit, and in my syslog I have a mountain of "no match" messages. Yet I'm still seeing all ports listed as open with nmap.
Any ideas?
Thanks,
Bryan
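The two numbers at the start of each `iptables -L -v` line are the packet and byte counters for that rule. As an added example (not code from this thread or from Linode), here is a small Python parser that reads such a listing (a constructed sample modelled on the rules quoted above) and reports which rules have actually matched traffic, so after a test scan one can see which rule the scan packets reached.

```python
import re

# Constructed sample modelled on the `iptables -L -v` listing quoted in the thread (not a real capture).
# Columns: pkts bytes target prot opt in out source destination [match options]
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3412  301K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   17  1020 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www state NEW
  528 27558 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix `no match!'
  528 27558 DROP       all  --  any    any     anywhere             anywhere
"""

# iptables -v abbreviates large counters in thousands (K/M/G/T); `iptables -L -v -x` prints exact values.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_counter(token):
    """Turn a counter token such as '301K' or '27558' into an integer."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * SUFFIX.get(m.group(2), 1)

def parse_listing(text):
    """Parse `iptables -L -v` output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):      # blank line or column header
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = {"policy": m.group(2), "rules": []}   # policy is None for user-defined chains
            chains[m.group(1)] = current
            continue
        f = line.split(None, 9)   # nine fixed columns; whatever follows is the match text
        current["rules"].append({
            "pkts": parse_counter(f[0]), "bytes": parse_counter(f[1]),
            "target": f[2], "proto": f[3], "match": f[9] if len(f) > 9 else "",
        })
    return chains

def rules_hit(chains, chain="INPUT", target=None):
    """Rules in `chain` whose packet counter is nonzero, optionally only those with a given target."""
    return [r for r in chains[chain]["rules"]
            if r["pkts"] > 0 and (target is None or r["target"] == target)]

if __name__ == "__main__":
    for r in rules_hit(parse_listing(SAMPLE_LISTING)):
        print(f'{r["target"]:<7} {r["pkts"]:>6} pkts {r["bytes"]:>8} bytes  {r["match"]}')
```

Run it against a saved listing (`iptables -L -v -x > before.txt` and again after the scan) to compare counters; a rule whose packet count grows during the scan is the one the scan traffic is hitting.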