On Wed, 2006-10-04 at 18:57 -0700, Ryan Tandy wrote:
> Michael Sullivan wrote:
> > I'm having a problem with ipkungfu on one of my boxes. According to the
> > log files, it's running, but it doesn't seem to be firewall-ing. It's
> > not working on 192.168.1.2. Here's nmap output from 192.168.1.3:
> >
> > camille ~ # nmap -sT -PT 192.168.1.2
> >
> > Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39
> > CDT
> > Interesting ports on bullet.espersunited.com (192.168.1.2):
> > (The 1657 ports scanned but not shown below are in state: closed)
> > PORT STATE SERVICE
> > 21/tcp open ftp
> > 22/tcp open ssh
> > 25/tcp open smtp
> > 53/tcp open domain
> > 80/tcp open http
> > 111/tcp open rpcbind
> > 139/tcp open netbios-ssn
> > 143/tcp open imap
> > 445/tcp open microsoft-ds
> > 587/tcp open submission
> > 631/tcp open ipp
> > 746/tcp open unknown
> > 993/tcp open imaps
> > 2049/tcp open nfs
> > 3632/tcp open distccd
> > MAC Address: 00:10:4B:73:8E:81 (3com)
> >
> > Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds
> >
>
> OK. What does iptables -L report? Is iptables in your default
> runlevel? (hint: it shouldn't be.) If iptables is being started after
> ipkungfu for some reason, it may be overwriting ipkungfu's iptables
> rules with its saved (blank) ruleset. Try 'rc-update del iptables &&
> reboot' if iptables is present in any runlevels. When you start
> ipkungfu, are there any error messages?

bullet ipkungfu # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- 0.0.0.1 anywhere LOG level warning prefix `IPKF IPKungFu (--init)'
DROP all -- 125.250.19.90 anywhere
DROP all -- abo-140-170-68.bab.modulonet.fr anywhere
DROP all -- 220.163.199.101 anywhere
DROP all -- 217.10.189.30 anywhere
ACCEPT all -- bullet.espersunited.com anywhere
ACCEPT all -- camille.espersunited.com anywhere
ACCEPT all -- catherine.espersunited.com anywhere
ACCEPT all -- bubbles.espersonline.com anywhere
ACCEPT all -- 192.168.1.101 anywhere
ACCEPT all -- 192.168.1.102 anywhere
ACCEPT all -- 192.168.1.103 anywhere
DROP all -- anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
DROP all -- anywhere anywhere state INVALID
LOG all -f anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP all -f anywhere anywhere
LOG icmp -- anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
DROP icmp -- anywhere anywhere icmp timestamp-request
syn-flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere multiport dports netbios-ns,6666
DROP udp -- anywhere anywhere multiport dports ms-sql-m
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- 192.168.1.0/24 anywhere state NEW
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
LOG !icmp -- anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- bullet.espersunited.com anywhere
ACCEPT all -- camille.espersunited.com anywhere
ACCEPT all -- catherine.espersunited.com anywhere
ACCEPT all -- bubbles.espersonline.com anywhere
ACCEPT all -- 192.168.1.101 anywhere
ACCEPT all -- 192.168.1.102 anywhere
ACCEPT all -- 192.168.1.103 anywhere
DROP all -- anywhere anywhere recent: CHECK seconds: 120 name: badguy side: source
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
LOG all -- anywhere anywhere state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
DROP all -- anywhere anywhere state INVALID
LOG all -f anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP all -f anywhere anywhere
LOG icmp -- anywhere anywhere icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
DROP icmp -- anywhere anywhere icmp timestamp-request
syn-flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere multiport dports netbios-ns,6666
DROP udp -- anywhere anywhere multiport dports ms-sql-m
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain syn-flood (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 24
LOG all -- anywhere anywhere limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
DROP all -- anywhere anywhere
bullet ipkungfu # rc-update show | grep 'iptables'
bullet ipkungfu # /etc/init.d/ipkungfu restart
 * Stopping ipkungfu ...
Stopping ipkungfu: [ OK ]
[ ok ] * Starting ipkungfu ...
[ ok ]bullet ipkungfu #

And I can still detect all those ports open from nmap on another
machine.

--
gentoo-user@g.o mailing list
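To see which rule in the INPUT chain above answers the scan, the listing can be walked in order for one inbound packet, the way the kernel evaluates it. This is an added example, not code from the thread or from ipkungfu; it assumes camille.espersunited.com is 192.168.1.3 (as the nmap prompt implies) and uses a constructed subset of the chain's rules with the wrapped lines rejoined.

```python
import ipaddress
# Constructed excerpt of the INPUT chain from the thread's `iptables -L` output:
# wrapped lines rejoined, camille.espersunited.com assumed to be 192.168.1.3.
INPUT_CHAIN = """\
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- 125.250.19.90 anywhere
ACCEPT all -- 192.168.1.3 anywhere
DROP tcp -- anywhere anywhere multiport dports netbios-ns,6666
ACCEPT tcp -- anywhere anywhere state NEW multiport dports ftp,ssh,smtp,http
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- 192.168.1.0/24 anywhere state NEW
DROP all -- anywhere anywhere"""
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "netbios-ns": 137}

def parse_rule(line):
    """Pull target, protocol, source, state set and dport set out of one rule line."""
    tok = line.split()
    rule = {"target": tok[0], "proto": tok[1], "src": tok[3], "state": None, "dports": None}
    for i, t in enumerate(tok):
        if t == "state":
            rule["state"] = set(tok[i + 1].split(","))
        elif t == "dports":  # multiport list of service names or port numbers
            rule["dports"] = {int(SERVICES.get(p, p)) for p in tok[i + 1].split(",")}
    return rule

def src_matches(rule_src, pkt_src):
    return rule_src == "anywhere" or (
        ipaddress.ip_address(pkt_src) in ipaddress.ip_network(rule_src, strict=False))

def first_match(chain_text, src, proto, dport, state):
    """First (rule_number, target) matching the packet, else (None, chain policy)."""
    for idx, line in enumerate(chain_text.splitlines(), start=1):
        r = parse_rule(line)
        if r["proto"] not in ("all", proto) or not src_matches(r["src"], src):
            continue
        if r["state"] is not None and state not in r["state"]:
            continue
        if r["dports"] is None or dport in r["dports"]:
            return idx, r["target"]
    return None, "DROP"  # INPUT policy shown in the thread

def wide_open_rules(chain_text):
    """ACCEPT rules admitting any NEW connection from any source; nothing below them is reached."""
    hits = []
    for idx, line in enumerate(chain_text.splitlines(), start=1):
        r = parse_rule(line)
        if (r["target"] == "ACCEPT" and r["proto"] == "all" and r["src"] == "anywhere"
                and r["dports"] is None and (r["state"] is None or "NEW" in r["state"])):
            hits.append(idx)
    return hits
```

A SYN to port 2049 from 192.168.1.3 is accepted by the per-host whitelist rule for camille before any port filtering; from any other address it is accepted by the `ACCEPT all -- anywhere anywhere state NEW` rule that `wide_open_rules` flags.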