| 1 |
On Wed, 2006-10-04 at 18:57 -0700, Ryan Tandy wrote: |
| 2 |
> Michael Sullivan wrote: |
| 3 |
> > I'm having a problem with ipkungfu on one of my boxes. According to the |
| 4 |
> > log files, it's running, but it doesn't seem to be firewall-ing. It's |
| 5 |
> > not working on 192.168.1.2. Here's nmap output from 192.168.1.3: |
| 6 |
> > |
| 7 |
> > camille ~ # nmap -sT -PT 192.168.1.2 |
| 8 |
> > |
| 9 |
> > Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39 |
| 10 |
> > CDT |
| 11 |
> > Interesting ports on bullet.espersunited.com (192.168.1.2): |
| 12 |
> > (The 1657 ports scanned but not shown below are in state: closed) |
| 13 |
> > PORT STATE SERVICE |
| 14 |
> > 21/tcp open ftp |
| 15 |
> > 22/tcp open ssh |
| 16 |
> > 25/tcp open smtp |
| 17 |
> > 53/tcp open domain |
| 18 |
> > 80/tcp open http |
| 19 |
> > 111/tcp open rpcbind |
| 20 |
> > 139/tcp open netbios-ssn |
| 21 |
> > 143/tcp open imap |
| 22 |
> > 445/tcp open microsoft-ds |
| 23 |
> > 587/tcp open submission |
| 24 |
> > 631/tcp open ipp |
| 25 |
> > 746/tcp open unknown |
| 26 |
> > 993/tcp open imaps |
| 27 |
> > 2049/tcp open nfs |
| 28 |
> > 3632/tcp open distccd |
| 29 |
> > MAC Address: 00:10:4B:73:8E:81 (3com) |
| 30 |
> > |
| 31 |
> > Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds |
| 32 |
> > |
| 33 |
> |
| 34 |
> OK. What does iptables -L report? Is iptables in your default |
| 35 |
> runlevel? (hint: it shouldn't be.) If iptables is being started after |
| 36 |
> ipkungfu for some reason, it may be overwriting ipkungfu's iptables |
| 37 |
> rules with its saved (blank) ruleset. Try 'rc-update del iptables && |
| 38 |
> reboot' if iptables is present in any runlevels. When you start |
| 39 |
> ipkungfu, are there any error messages? |
| 40 |
|
| 41 |
bullet ipkungfu # iptables -L |
| 42 |
Chain INPUT (policy DROP) |
| 43 |
target prot opt source destination |
| 44 |
ACCEPT all -- anywhere anywhere state |
| 45 |
RELATED,ESTABLISHED |
| 46 |
LOG all -- 0.0.0.1 anywhere LOG level |
| 47 |
warning prefix `IPKF IPKungFu (--init)' |
| 48 |
DROP all -- 125.250.19.90 anywhere |
| 49 |
DROP all -- abo-140-170-68.bab.modulonet.fr anywhere |
| 50 |
DROP all -- 220.163.199.101 anywhere |
| 51 |
DROP all -- 217.10.189.30 anywhere |
| 52 |
ACCEPT all -- bullet.espersunited.com anywhere |
| 53 |
ACCEPT all -- camille.espersunited.com anywhere |
| 54 |
ACCEPT all -- catherine.espersunited.com anywhere |
| 55 |
ACCEPT all -- bubbles.espersonline.com anywhere |
| 56 |
ACCEPT all -- 192.168.1.101 anywhere |
| 57 |
ACCEPT all -- 192.168.1.102 anywhere |
| 58 |
ACCEPT all -- 192.168.1.103 anywhere |
| 59 |
DROP all -- anywhere anywhere recent: |
| 60 |
CHECK seconds: 120 name: badguy side: source |
| 61 |
LOG tcp -- anywhere anywhere tcp |
| 62 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec |
| 63 |
burst 5 LOG level warning prefix `IPKF flags ALL: ' |
| 64 |
LOG tcp -- anywhere anywhere tcp |
| 65 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level |
| 66 |
warning prefix `IPKF flags NONE: ' |
| 67 |
LOG tcp -- anywhere anywhere tcp |
| 68 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG |
| 69 |
level warning prefix `IPKF PORTSCAN (nmap XMAS): ' |
| 70 |
LOG tcp -- anywhere anywhere tcp |
| 71 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level |
| 72 |
warning prefix `IPKF PORTSCAN (nmap FIN): ' |
| 73 |
LOG tcp -- anywhere anywhere tcp |
| 74 |
flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix |
| 75 |
`IPKF flags SYN,FIN: ' |
| 76 |
LOG tcp -- anywhere anywhere tcp |
| 77 |
flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix |
| 78 |
`IPKF flags SYN,RST: ' |
| 79 |
LOG tcp -- anywhere anywhere tcp |
| 80 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst |
| 81 |
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: ' |
| 82 |
LOG tcp -- anywhere anywhere tcp |
| 83 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level |
| 84 |
warning prefix `IPKF PORTSCAN (nmap NULL): ' |
| 85 |
DROP tcp -- anywhere anywhere tcp |
| 86 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG |
| 87 |
DROP tcp -- anywhere anywhere tcp |
| 88 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE |
| 89 |
DROP tcp -- anywhere anywhere tcp |
| 90 |
flags:FIN,SYN/FIN,SYN |
| 91 |
DROP tcp -- anywhere anywhere tcp |
| 92 |
flags:SYN,RST/SYN,RST |
| 93 |
DROP tcp -- anywhere anywhere tcp |
| 94 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG |
| 95 |
DROP tcp -- anywhere anywhere tcp |
| 96 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG |
| 97 |
DROP tcp -- anywhere anywhere tcp |
| 98 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN |
| 99 |
DROP tcp -- anywhere anywhere tcp |
| 100 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE |
| 101 |
ACCEPT icmp -- anywhere anywhere icmp |
| 102 |
echo-request |
| 103 |
LOG all -- anywhere anywhere state |
| 104 |
INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid |
| 105 |
TCP flag: ' |
| 106 |
DROP all -- anywhere anywhere state |
| 107 |
INVALID |
| 108 |
LOG all -f anywhere anywhere limit: avg |
| 109 |
3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: ' |
| 110 |
DROP all -f anywhere anywhere |
| 111 |
LOG icmp -- anywhere anywhere icmp |
| 112 |
timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix |
| 113 |
`IPKF ICMP Timestamp: ' |
| 114 |
DROP icmp -- anywhere anywhere icmp |
| 115 |
timestamp-request |
| 116 |
syn-flood tcp -- anywhere anywhere tcp |
| 117 |
flags:FIN,SYN,RST,ACK/SYN |
| 118 |
LOG tcp -- anywhere anywhere tcp flags:! |
| 119 |
SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning |
| 120 |
prefix `IPKF New Not SYN: ' |
| 121 |
DROP tcp -- anywhere anywhere tcp flags:! |
| 122 |
SYN,RST,ACK/SYN state NEW |
| 123 |
DROP tcp -- anywhere anywhere multiport |
| 124 |
dports netbios-ns,6666 |
| 125 |
DROP udp -- anywhere anywhere multiport |
| 126 |
dports ms-sql-m |
| 127 |
ACCEPT tcp -- anywhere anywhere state NEW |
| 128 |
multiport dports ftp,ssh,smtp,http |
| 129 |
ACCEPT all -- anywhere anywhere state NEW |
| 130 |
ACCEPT all -- 192.168.1.0/24 anywhere state NEW |
| 131 |
REJECT tcp -- anywhere anywhere tcp |
| 132 |
dpt:auth reject-with tcp-reset |
| 133 |
LOG !icmp -- anywhere anywhere limit: avg |
| 134 |
3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: ' |
| 135 |
DROP all -- anywhere anywhere |
| 136 |
|
| 137 |
Chain FORWARD (policy ACCEPT) |
| 138 |
target prot opt source destination |
| 139 |
ACCEPT all -- anywhere anywhere state |
| 140 |
RELATED,ESTABLISHED |
| 141 |
ACCEPT all -- bullet.espersunited.com anywhere |
| 142 |
ACCEPT all -- camille.espersunited.com anywhere |
| 143 |
ACCEPT all -- catherine.espersunited.com anywhere |
| 144 |
ACCEPT all -- bubbles.espersonline.com anywhere |
| 145 |
ACCEPT all -- 192.168.1.101 anywhere |
| 146 |
ACCEPT all -- 192.168.1.102 anywhere |
| 147 |
ACCEPT all -- 192.168.1.103 anywhere |
| 148 |
DROP all -- anywhere anywhere recent: |
| 149 |
CHECK seconds: 120 name: badguy side: source |
| 150 |
LOG tcp -- anywhere anywhere tcp |
| 151 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec |
| 152 |
burst 5 LOG level warning prefix `IPKF flags ALL: ' |
| 153 |
LOG tcp -- anywhere anywhere tcp |
| 154 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level |
| 155 |
warning prefix `IPKF flags NONE: ' |
| 156 |
LOG tcp -- anywhere anywhere tcp |
| 157 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG |
| 158 |
level warning prefix `IPKF flags FIN,URG,PSH: ' |
| 159 |
LOG tcp -- anywhere anywhere tcp |
| 160 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level |
| 161 |
warning prefix `IPKF PORTSCAN (nmap XMAS): ' |
| 162 |
LOG tcp -- anywhere anywhere tcp |
| 163 |
flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix |
| 164 |
`IPKF flags SYN,FIN: ' |
| 165 |
LOG tcp -- anywhere anywhere tcp |
| 166 |
flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix |
| 167 |
`IPKF flags SYN,RST: ' |
| 168 |
LOG tcp -- anywhere anywhere tcp |
| 169 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst |
| 170 |
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: ' |
| 171 |
LOG tcp -- anywhere anywhere tcp |
| 172 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level |
| 173 |
warning prefix `IPKF PORTSCAN (nmap NULL): ' |
| 174 |
DROP tcp -- anywhere anywhere tcp |
| 175 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE |
| 176 |
DROP tcp -- anywhere anywhere tcp |
| 177 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG |
| 178 |
DROP tcp -- anywhere anywhere tcp |
| 179 |
flags:FIN,SYN,RST,PSH,ACK,URG/NONE |
| 180 |
DROP tcp -- anywhere anywhere tcp |
| 181 |
flags:FIN,SYN/FIN,SYN |
| 182 |
DROP tcp -- anywhere anywhere tcp |
| 183 |
flags:SYN,RST/SYN,RST |
| 184 |
DROP tcp -- anywhere anywhere tcp |
| 185 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG |
| 186 |
DROP tcp -- anywhere anywhere tcp |
| 187 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG |
| 188 |
DROP tcp -- anywhere anywhere tcp |
| 189 |
flags:FIN,SYN,RST,PSH,ACK,URG/FIN |
| 190 |
LOG all -- anywhere anywhere state |
| 191 |
INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid |
| 192 |
TCP flag: ' |
| 193 |
DROP all -- anywhere anywhere state |
| 194 |
INVALID |
| 195 |
LOG all -f anywhere anywhere limit: avg |
| 196 |
3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: ' |
| 197 |
DROP all -f anywhere anywhere |
| 198 |
LOG icmp -- anywhere anywhere icmp |
| 199 |
timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix |
| 200 |
`IPKF ICMP Timestamp: ' |
| 201 |
DROP icmp -- anywhere anywhere icmp |
| 202 |
timestamp-request |
| 203 |
syn-flood tcp -- anywhere anywhere tcp |
| 204 |
flags:FIN,SYN,RST,ACK/SYN |
| 205 |
LOG tcp -- anywhere anywhere tcp flags:! |
| 206 |
SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning |
| 207 |
prefix `IPKF New Not SYN: ' |
| 208 |
DROP tcp -- anywhere anywhere tcp flags:! |
| 209 |
SYN,RST,ACK/SYN state NEW |
| 210 |
DROP tcp -- anywhere anywhere multiport |
| 211 |
dports netbios-ns,6666 |
| 212 |
DROP udp -- anywhere anywhere multiport |
| 213 |
dports ms-sql-m |
| 214 |
REJECT tcp -- anywhere anywhere tcp |
| 215 |
dpt:auth reject-with tcp-reset |
| 216 |
|
| 217 |
Chain OUTPUT (policy ACCEPT) |
| 218 |
target prot opt source destination |
| 219 |
ACCEPT all -- anywhere anywhere state |
| 220 |
RELATED,ESTABLISHED |
| 221 |
ACCEPT all -- anywhere anywhere state NEW |
| 222 |
|
| 223 |
Chain syn-flood (2 references) |
| 224 |
target prot opt source destination |
| 225 |
RETURN all -- anywhere anywhere limit: avg |
| 226 |
10/sec burst 24 |
| 227 |
LOG all -- anywhere anywhere limit: avg |
| 228 |
3/sec burst 5 LOG level warning prefix `IPKF SYN flood: ' |
| 229 |
DROP all -- anywhere anywhere |
| 230 |
bullet ipkungfu # rc-update show | grep 'iptables' |
| 231 |
bullet ipkungfu # /etc/init.d/ipkungfu restart |
| 232 |
* Stopping ipkungfu ... |
| 233 |
Stopping ipkungfu: [ OK ] |
| 234 |
[ ok ] * Starting ipkungfu ... |
| 235 |
[ ok ]bullet ipkungfu # |
| 236 |
|
| 237 |
And I can still detect all those ports open from nmap on another |
| 238 |
machine. |
| 239 |
|
| 240 |
-- |
| 241 |
gentoo-user@g.o mailing list |
Archives