Re: iptables and nmap

Ok,

thank you for your answers. I will try to sum up mine.

It is true that it is not me who wrote the firewall script and that I do not understand what all rules do.

I tried different solutions that you proposed but none works, from localhost, local network or from the internet. The 8080 port remains closed. i did not try to upgrade my kernel. Actually, I am a little bit frightened to this idea. is it really riskless ?

Finally this is the result of 'iptables -t filter -L -n -v' command:

Chain INPUT (policy DROP 17 packets, 1088 bytes)

pkts bytes target prot opt in out source destination

1 64 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080

225 18816 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT tcp -- eth1 * 192.168.0.3 0.0.0.0/0 tcp dpt:22

0 0 ACCEPT tcp -- eth1 * 192.168.0.12 0.0.0.0/0 tcp dpt:22

0 0 ACCEPT tcp -- eth1 * 192.168.0.31 0.0.0.0/0 tcp dpt:22

0 0 ACCEPT tcp -- eth1 * 192.168.0.28 0.0.0.0/0 tcp dpt:22

0 0 REJECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable

162 18088 ACCEPT all -- eth1 * 192.168.0.0/24 0.0.0.0/0

10 1219 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0

4 156 ACCEPT all -- lo * 192.168.0.1 0.0.0.0/0

8 528 ACCEPT all -- lo * 193.51.128.146 0.0.0.0/0

0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68

140 10422 ACCEPT all -- * * 0.0.0.0/0 193.51.128.146 state RELATED,ESTABLISHED

20 1280 tcp_packets tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0

0 0 udp_packets udp -- eth0 * 0.0.0.0/0 0.0.0.0/0

10 640 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0

0 0 DROP all -- eth0 * 0.0.0.0/0 224.0.0.0/8

3 192 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

0 0 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0

2 152 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0

2 152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

169 22018 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0

10 1219 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0

166 16632 ACCEPT all -- * * 192.168.0.1 0.0.0.0/0

120 16559 ACCEPT all -- * * 193.51.128.146 0.0.0.0/0

0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (20 references)

pkts bytes target prot opt in out source destination

3 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0

Chain bad_tcp_packets (3 references)

pkts bytes target prot opt in out source destination

0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset

1 40 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'

1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW

Chain icmp_packets (1 references)

pkts bytes target prot opt in out source destination

10 640 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11

Chain tcp_packets (1 references)

pkts bytes target prot opt in out source destination

0 0 allowed tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

0 0 allowed tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:51000:52000

0 0 allowed tcp -- eth0 * 195.221.162.126 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 81.57.83.190 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 193.52.24.125 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 129.175.58.218 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 82.230.68.31 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 82.246.152.215 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 86.67.133.75 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 88.171.133.128 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 157.136.22.133 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 129.104.48.4 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 129.104.48.5 0.0.0.0/0 tcp dpt:22

0 0 allowed tcp -- eth0 * 129.104.48.3 0.0.0.0/0 tcp dpt:22

0 0 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 7 prefix `IPT INPUT SSH FORBIDDEN: '

1 64 allowed tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

2 128 allowed tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

0 0 allowed tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport ports 143,993,110,995

0 0 allowed tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53

0 0 allowed tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

0 0 allowed tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

Chain udp_packets (1 references)

pkts bytes target prot opt in out source destination

0 0 REJECT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:515 reject-with icmp-port-unreachable

0 0 DROP udp -- eth0 * 0.0.0.0/0 193.51.128.151 multiport ports 513,631

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443

0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport ports 143,993,110,995

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10000

0 0 DROP udp -- eth0 * 0.0.0.0/0 193.51.128.151 udp dpts:135:139

0 0 DROP udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp dpts:67:68

Joan

_________________

Post-doc GENNETEC

Programme d'Épigénomique, Genopole®

Tour Évry2, 10è étage

523 Terrasses de l'Agora

91034 ÉVRY cedex

Tél : +33 (0)1 69 47 44 34

Fax : +33 (0)1 69 47 44 37

Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/

________________________________________________________________________

Le 7 juin 07 à 16:51, Németh Tamás a écrit :

'iptables -t filter -L -n -v