[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Port 80 Open


Ansgar -59cobalt- Wiechers a écrit :
On 2007-10-27 Telly Williams wrote:

-A INPUT -s -i lo -j ACCEPT -A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT

No other source address than is supposed to appear at the
loopback interface.

Wrong. Any local address, including the whole range and all addresses and aliases configured on local network interfaces may appear in traffic involving the loopback interface. Besides, what's the use of address-based filtering on the loopback interface ?

-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP -A icmp_packets -p icmp -m icmp --icmp-type 11 -j DROP # With the above two rules, I thought it put me in stealth
 # mode(?).

Repeating myself: "stealth" is braindead marketing babble invented by
people who failed to understand TCP/IP for people who fail to understand

Anyway, "stealth" means that your box does not reply to any solicitation from the outside, not that it only drops some ICMP types.

Your host doesn't magically become "invisible" just because it
drops packets.


Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
is a vital part of IP and required e.g. for troubleshooting connection
problems. Rather do something like this:

iptables -N icmp_packets
# Allow ping, but limit it to 10 requests per second:
iptables -A icmp_packets -p icmp --icmp-type echo-request \
  -m state --state NEW -m limit --limit 10/sec -j ACCEPT
# Allow echo replies (pong) for accepted pings:
iptables -A icmp_packets -p icmp --icmp-type echo-reply \
  -m state --state ESTABLISHED -j ACCEPT
# Allow troubleshooting messages for all established connections:
iptables -A icmp_packets -p icmp --icmp-type destination-unreachable \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type source-quench \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type time-exceeded \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
  -m state --state RELATED -j ACCEPT
iptables -A icmp_packets -j DROP

I used to accept source-quench, but not any more after reading that some DoS attacks were based on it, and I'm not so sure it's really useful. I acknowledge that destination-unreachable can be abused too, but this one is really necessary.

-A tcp_packets -p tcp -m tcp --dport 80 -j allowed -A tcp_packets -p tcp -m tcp --dport 443 -m comment --comment "HTTPS" -j allowed -A tcp_packets -p tcp -m tcp --dport 25 -j allowed -A tcp_packets -p tcp -m tcp --sport 123 -m comment --comment "NTP" -j allowed

Why are you ACCEPTing NTP packets based on the source port?

Besides, I'm not sure that NTP uses TCP transport. Conversely HTTP(S) and SMTP(S) don't use UDP transport.

I globally agree with the other comments and suggestions.

Reply to: