firewall issue

Hi,

I just set up my Linode server, after a very bad experience with a different hosting provider. So far, I'm impressed. I get more for my money, more OS choice, more memory, more storage, and better tools. So that is very cool.

I'm just having one problem. I've set up my iptables and it seems like I have it all configured correctly, but when I do a scan with nmap I'm seeing all ports open.

output from iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:8888 state NEW
ACCEPT tcp -- ------------- anywhere tcp multiport ports rsync state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW
DROP tcp -- anywhere anywhere tcp dpt:imap2 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
ACCEPT tcp -- ------------- anywhere tcp dpt:7071
….
Summarized, but you get the point. No errors, everything looks good. But like I said, nmap is showing everything open.

The one thing that seems off to me is if I run

modprobe -l

I should see a list of modules, but I see nothing. So I went and looked at /lib/modules and there is nothing there?

uname -r outputs

2.6.18.8-x86_64-linode1

So any time I've compiled a kernel I've always ended up with a modules folder for that output. So I guess my real question is, should I have a modules folder from when I picked my kernel? Did something go wrong, or am I just on the wrong track? If I'm correct, how do I get those modules that should be there?

Thanks

Bryan

8 Replies

The kernel you are running has nothing to do with what's on your disk image. It's from the Linode host, and is non-modular, with everything you need built-in. (If not, Caker has been pretty open about building in new features.)

The rules you posted look okay, but since you wrote that they were "summarized", it's hard to be sure; it's really easy to make one mistaken rule that bypasses all the others.

Hi Steven,

So, they build the kernels with everything built in? No modules? Is there a way to confirm that iptables is built in then? I assume it must be there; otherwise, iptables would complain when I tried to use it, wouldn't it?

As for my rules, these are the same ones that worked on my old server, other than I added a couple new rules to work with the ports Zimbra is using. Anything that I chopped out is stuff that was unchanged from the server I took them off of.

I'll double check to make sure I didn't mess something up when I created the new rules.

Thanks

Bryan

@kasper22:

Is there a way to confirm that iptables are built in then?

zcat /proc/config.gz

Some rules you might want to add if you don't have them already:

Chain bad_packets (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state INVALID LOG level warning prefix `Invalid packet: '
DROP       all  --  anywhere             anywhere            state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain bad_tcp_packets (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
RETURN     tcp  --  anywhere             anywhere
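As an added example (not code from the thread), this models how the bad_tcp_packets chain above evaluates a packet: it parses the LOG lines exactly as `iptables -L` prints them and applies the `--tcp-flags MASK/COMP` semantics (of the flags in MASK, exactly COMP must be set; a leading `!` inverts). The conntrack state a packet would carry is an assumption supplied by the caller rather than derived.

```python
import re

FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

# LOG lines of the bad_tcp_packets chain from the reply above (iptables -L
# output, whitespace condensed). Each LOG is followed by a DROP with the same
# match, so the first LOG hit decides the packet's fate; DROP twins omitted.
CHAIN = """\
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
"""
RULE_RE = re.compile(r"tcp flags:(?P<spec>\S+)(?: state (?P<state>\S+))?"
                     r" LOG level \w+ prefix `(?P<prefix>[^']*)'")

def parse_flagset(text):
    """Flag list as iptables prints it: NONE, ALL, or a comma-separated list."""
    return frozenset() if text == "NONE" else FLAGS if text == "ALL" else frozenset(text.split(","))

def parse_chain(listing):
    """LOG lines -> list of (negate, mask, comp, required_state, prefix)."""
    rules = []
    for m in filter(None, map(RULE_RE.search, listing.splitlines())):
        spec = m.group("spec")
        mask, comp = spec.lstrip("!").split("/")
        rules.append((spec.startswith("!"), parse_flagset(mask),
                      parse_flagset(comp), m.group("state"), m.group("prefix")))
    return rules

def tcp_flags_match(negate, mask, comp, pkt_flags):
    """--tcp-flags MASK/COMP: among the flags in MASK, exactly COMP are set;
    a leading '!' on the rule inverts the result."""
    return ((pkt_flags & mask) == comp) != negate

def classify(pkt_flags, ct_state, rules=None):
    """Log prefix of the first matching rule (its twin DROP then discards the
    packet), or None when the chain RETURNs it. ct_state (NEW, ESTABLISHED,
    ...) is the conntrack state assumed for the packet; the caller supplies it."""
    for negate, mask, comp, state, prefix in rules or RULES:
        if state and state != ct_state:
            continue
        if tcp_flags_match(negate, mask, comp, frozenset(pkt_flags)):
            return prefix
    return None

RULES = parse_chain(CHAIN)
```

One consequence of the ordering worth knowing when reading syslog: a flag-less or FIN/PSH/URG probe that conntrack classifies as NEW is logged under `New not syn:` by the first rule, and only packets conntrack treats as part of an existing flow ever reach the `Stealth scan:` rules.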

Thanks for the rules, I'll add those to my list.

Ok, I did a little experiment and added a log & drop rule to the end of my rules, and I'm still seeing everything open with nmap.

After adding the rules I did a port scan and then did:

iptables -L -v and at the end of my list I had
528 27558 LOG all -- any any anywhere anywhere LOG level warning prefix `no match!'
528 27558 DROP all -- any any anywhere anywhere

I'm not sure what those numbers mean, but I know the log is getting hit, and in my syslog I have a mountain of "no match" messages. And yet I'm seeing all ports listed as open with nmap.

Any ideas?

Thanks,

Bryan

Are you running nmap from the same box (i.e. localhost) or from a remote host?

Yeah, it sounds like iptables is not installed correctly; you might just try reinstalling.
