Debian IPTABLES not blocking

Status
Not open for further replies.

garwain

Programmer
Jan 30, 2002
461
CA
I have a debian server that I'm trying to set up a firewall on. I have set up my rules so that the server is working almost right, using the rules displayed below. My main problems are that if I have the INPUT default policy to block (iptables -p INPUT DROP) I can no longer resolve domain names for some reason, and a portscan will still show other ports as open (i.e. 389 UDP, which is ldap). If I set the default policy to allow, the domain name resolution (named) will resolve external domains properly.

I'm fairly new to IPTABLES, and would appreciate it if someone could point out whatever I'm doing wrong.

Also, I have changed SSHD over to port 2222.

iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2222
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  localhost            localhost           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
 
Try changing "tcp dpt:domain" to "tcp dpt:53" for both tcp and udp. Maybe "domain" is the wrong label.
 
Thanks for the suggestions. I recreated the rule using dpt:53, which still returns dpt:domain when I run iptables -L. I did find a solution to my problem with DNS (named) though. I added a new rule for spt:53. Now that much is working fine.

However, the 2nd part of my problem still exists. If I run a port scanner on my IP, I still come out with UDP port 389 and a bunch of higher-level ports being marked as open. Is there anything I'm missing here, or is it more likely the port scanner is acting up on me? I'm going to try another port scanner this afternoon to see, but if anyone has any ideas I'd appreciate it.

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2222 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     all  --  localhost            localhost           
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

 
I think the problem is on your

ACCEPT icmp packets from anywhere to anywhere. ICMP does not have a specific port; hence, depending on the way each port is probed (and the tool), they may return an error message that could be interpreted as a port reply.

If your firewall has to protect a windoz network then icmp should well be blocked, as windoz networks may overamplify traffic of icmp packets. In that case you would get the typical "crazy hub" situation where no one is doing anything on the network yet you have a high volume of traffic on your switches/hubs.


QatQat




Life is what happens when you are making other plans.
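An added example, not code from either poster: the same ruleset rebuilt as a script, with a stateful ESTABLISHED,RELATED rule in place of the spt:domain workaround from the second post (which admits any packet whose sender chose source port 53) and ICMP narrowed to echo-request as QatQat's reply suggests. Assumptions: the port numbers behind the service names in the listing, and that the kernel's state match module is available; set IPT=echo to print the commands without root.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful rewrite of garwain's ruleset.
# "IPT=echo ./firewall.sh apply" prints the commands instead of running them.
IPT="${IPT:-iptables}"

# TCP services the thread's listing opens: sshd on 2222, ftp, smtp, pop3, imap2, www, domain
TCP_PORTS="2222 21 25 110 143 80 53"

build_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, matched on the interface rather than the "localhost" address.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to traffic this host started. named's outbound queries come back
    # to an ephemeral port, not dpt:53, which is why DNS broke under DROP.
    # This replaces the spt:domain workaround, which admits any packet whose
    # sender simply chose source port 53.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT

    # Instead of "ACCEPT icmp anywhere", admit only echo-request; replies to
    # this host's own pings already match ESTABLISHED above. (Assumption: ping is wanted.)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

A DROP policy sends no ICMP port-unreachable, so a UDP scanner cannot tell an unanswered port from an open one and tends to report it as open or filtered; `netstat -lun` on the host itself is the reliable check of whether anything is really listening on UDP 389.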
 