Re: iptables not working on Etch AMD64 (same rule works on Sarge i686)



On 2007-10-23 Bryn Moslow wrote:
> Chain INPUT (policy ACCEPT)
> target     prot opt source           destination
> DROP       udp  --  anywhere         anywhere          udp dpt:sunrpc
[...]
> rpcinfo -p n.n.n.n
> No remote programs registered.
[...]
> PORT    STATE         SERVICE
> 111/udp open|filtered rpcbind
[...]
> I've tried turning the DROP into a LOG (level debug) and don't see any
> logging entries either. What am I missing?

That RPC uses TCP as well as UDP.

The output of nmap shows that your UDP filter is working just fine.
However, since "rpcinfo -p" uses TCP the rule simply doesn't apply.
And I seriously doubt that the rule works on i686.

iptables -A INPUT -p tcp --dport 111 -j REJECT --reject-with tcp-reset

Besides, blacklisting ports is a bad idea. Whitelist what you want to
allow, and reject everything else.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
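Two scripts as an added example (not part of the original post or the Debian list archive): the first emits a whitelist ruleset in iptables-restore format that, as the reply recommends, accepts only chosen services and rejects everything else on both TCP and UDP; the second audits an existing iptables-save dump for ports restricted on only one of the two protocols, which is the gap the quoted "udp dpt:sunrpc" rule had. The port numbers, the constructed dump, the function names and the use of the classic `-m state` match are assumptions.

```shell
#!/bin/sh
# Added example; not from the original mailing-list post. Port lists and the
# sample dump below are constructed for illustration.

# Emit an iptables-restore ruleset. $1 = TCP ports to allow (space-separated),
# $2 = UDP ports to allow. Everything else is rejected on INPUT.
gen_whitelist_rules() {
    tcp_ports="$1"
    udp_ports="$2"
    printf '%s\n' '*filter'
    # Default-deny on INPUT and FORWARD; OUTPUT stays open in this example.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Reject rather than silently drop so misdirected clients fail fast; the
    # TCP reset is the same treatment the reply suggests for port 111.
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# Count ACCEPT rules for protocol $3 in the ruleset generated from $1/$2.
count_accepts() {
    gen_whitelist_rules "$1" "$2" | grep -c -- "-p $3 .* -j ACCEPT"
}

# Read an iptables-save dump on stdin and print "PORT: PROTO only" for every
# destination port that has INPUT rules for just one of tcp/udp.
audit_single_proto_ports() {
    awk '
        /^-A INPUT / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") { seen[port, proto] = 1; ports[port] = 1 }
        }
        END {
            for (p in ports) {
                t = ((p, "tcp") in seen); u = ((p, "udp") in seen)
                if (t && !u) print p ": tcp only"
                if (u && !t) print p ": udp only"
            }
        }'
}

# Constructed dump reproducing the thread's situation: sunrpc blocked on UDP
# only, while DNS is handled on both protocols.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Usage (as root):  gen_whitelist_rules "22 80" "" > /tmp/rules.v4
#                   iptables-restore < /tmp/rules.v4
# Audit a live box:  iptables-save | audit_single_proto_ports
```

Running `printf '%s\n' "$SAMPLE_DUMP" | audit_single_proto_ports` reports `111: udp only`, which is exactly why the quoted `rpcinfo -p` over TCP still got through. Loading the generated whitelist requires root; review the output file first, since a default-deny INPUT policy with the wrong port list locks you out of a remote host.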
