Aloa
Ich habe per iptable-Generator über "Harris Linux Seite" mir einen Regelsatz für eine Firewall eines Webservers generieren lassen.
Mir fällt auf, dass wenn ich ein Telnet auf Port 11 oder 15 für den Rechner mache, die Pakete nicht verworfen werden. Stattdessen gibt es ein Timeout und keinen Log-Eintrag.
Woran liegt das? Eigentlich sollten nur Port 22,80 und Port 8080 offen sein:
Code:
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere <--- an Localhost gebunden!
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <--- was macht diese Regel?
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
MY_REJECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere <--- an Localhost gebunden
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
MY_REJECT all -- anywhere anywhere
Chain MY_DROP (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere
Chain MY_REJECT (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP '
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP '
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Bye
Thorsten
Lesezeichen