
Re: iptables and nmap



Hi Joan,

On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
> 	Config:
> 		- Debian 2.4.18

This is very old.  For security and better features, you'd be best to upgrade 
to a more recent version of Debian, with a more recent kernel.

> 		- iptables with many rules

Without understanding those rules, you're unlikely to get it working.  
IPTables is pretty simple when you take time to understand it -- it's 
literally just a list of tests, and things to do if that test has a positive 
result.  Well, lists (tables) can have other lists/tables, but that's not 
really any more complex.

> 	Problems:
> 		- I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).

This suggests that the server isn't yet up and running.  Sometimes, installing 
things on debian means they will just work.  Other times, you have to 
configure the thing and enable it.  I've never really bothered with tomcat, 
but given that it's java-based, and fairly heavyweight, I'd expect you have 
to do some configuration before it'll run.  Try 
reading /usr/share/doc/tomcat*/README.Debian.  Also, make sure that the 
server is actually running on port 8080, and that it's listening on the 
correct IPs/interfaces.

> 	Tries:
> 		- I have to open port 8080. I have this rule in /etc/init.d/firewall-start:
> 			"iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"

Appending rules to "many iptables rules" isn't likely to work, if your rules 
end with something that denies all unknown traffic.  You really should try to 
understand your firewall before adding anything to it.  Having said that, 
I've been guilty of not taking enough time for things like that, too :)

> 			"iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"

As someone else mentioned, this should probably be -j ACCEPT

> 	Results:
> 		- The server is still unreachable.

Are you actually seeing an error that says "unreachable"?  That suggests a 
routing problem, or a prohibitive firewall rule before the one you added.

> 		- When I do nmap localhost, I have port 80 open but not 8080.
> 		- When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.

Your firewall script is broken.  Again, as others suggested, I'd say start 
from scratch -- either with IPTables (if you have the time to understand it) 
or with a simpler/higher-level interface, like firehol, or shorewall.


Remember not to test firewall rules for external interfaces through 
localhost -- use, at least, the ip of the interface in question.  Ideally, 
test from the machine you actually need access to be provided for.

Good luck :)

-- 
Lee Braiden
http://peacejournals.org

"Those who check rising anger as a charioteer checks a rolling
chariot... those, I call true charioteers. Others only hold the
reins."                                -- Dhammapada, verse 222
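
Added example (editor's note, not code from either poster): the two points Lee makes above, that iptables is a first-match list of tests and that a test through localhost says nothing about eth0, are easiest to see by walking a ruleset by hand. The script below does that walk mechanically for an iptables-save dump: it follows INPUT in rule order, descends into user chains, and reports the verdict a brand-new TCP SYN on a given interface and port would get. The ruleset is constructed for illustration (it borrows the tcp_packets/allowed chain names from the thread but is not the original poster's script) and the simulator is deliberately minimal: only -i, -p, --dport, -j and --state are interpreted, and every other match (-s 0/0, --syn, ...) is assumed true for a new SYN.

```shell
#!/bin/sh
# Added example: first-match simulator for an iptables-save dump (filter table).
# input_verdict IFACE PORT < dump  prints ACCEPT/DROP/REJECT for a new TCP SYN
# arriving on IFACE for destination PORT, following jumps into user chains and
# falling back to the INPUT policy when no rule matches.
# Assumption: only -i, -p, --dport, -j and --state are interpreted; any other
# match (-s 0/0, --syn, -m tcp, ...) is treated as true for a fresh SYN.
input_verdict() {
    awk -v iface="$1" -v port="$2" '
    /^:/ {                                 # chain header ":NAME POLICY [pkts:bytes]"
        split(substr($0, 2), f, " ")
        if (f[2] != "-") policy[f[1]] = f[2]   # "-" = user chain, no policy
        next
    }
    $1 == "-A" {                           # "-A CHAIN <matches> -j TARGET"
        c = $2; i = ++n[c]
        IFC[c,i] = ""; PROTO[c,i] = ""; DPORT[c,i] = ""; TGT[c,i] = ""; NEWOK[c,i] = 1
        for (k = 3; k <= NF; k++) {
            if      ($k == "-i")      IFC[c,i]   = $(k+1)
            else if ($k == "-p")      PROTO[c,i] = tolower($(k+1))
            else if ($k == "--dport") DPORT[c,i] = $(k+1)
            else if ($k == "-j")      TGT[c,i]   = $(k+1)
            else if ($k == "--state") NEWOK[c,i] = ($(k+1) ~ /NEW/) ? 1 : 0
        }
    }
    # Walk one chain in order. Returns a terminal verdict, or "" when the
    # packet falls off the end (or hits RETURN) and the caller must continue.
    function walk(c,    j, v) {
        for (j = 1; j <= n[c]; j++) {
            if (IFC[c,j]   != "" && IFC[c,j]   != iface) continue
            if (PROTO[c,j] != "" && PROTO[c,j] != "tcp") continue
            if (DPORT[c,j] != "" && DPORT[c,j] != port)  continue
            if (!NEWOK[c,j]) continue      # --state without NEW never matches a SYN
            v = TGT[c,j]
            if (v == "ACCEPT" || v == "DROP" || v == "REJECT") return v
            if (v == "RETURN") return ""
            if (v in n) { v = walk(v); if (v != "") return v }   # user chain
        }
        return ""
    }
    END { v = walk("INPUT"); print (v != "" ? v : policy["INPUT"]) }'
}

# Constructed ruleset (iptables-save format), not the poster's real script.
# It carries two classic mistakes: the 8080 rule is matched on eth1 inside a
# chain that only eth0 traffic ever reaches, and an ACCEPT has been appended
# after the catch-all DROP, where nothing can ever reach it.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:tcp_packets - [0:0]
:allowed - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 -j tcp_packets
-A INPUT -j DROP
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
-A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
-A allowed -p TCP --syn -j ACCEPT
-A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p TCP -j DROP
COMMIT'

# Same ruleset with the 8080 rule matched on the interface that actually
# reaches tcp_packets, and the dead rule after the DROP removed.
FIXED_RULES=$(printf '%s\n' "$BROKEN_RULES" \
    | sed -e '/^-A INPUT -p tcp --dport 8080 -j ACCEPT$/d' \
          -e 's|^-A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080|-A tcp_packets -p TCP -i eth0 -s 0/0 --dport 8080|')

verdict() { printf '%s\n' "$1" | input_verdict "$2" "$3"; }   # verdict RULES IFACE PORT

echo "broken, lo   8080: $(verdict "$BROKEN_RULES" lo   8080)"   # ACCEPT: lo says nothing about eth0
echo "broken, eth0 80:   $(verdict "$BROKEN_RULES" eth0 80)"     # ACCEPT
echo "broken, eth0 8080: $(verdict "$BROKEN_RULES" eth0 8080)"   # DROP: eth1 rule never matches, late ACCEPT is dead
echo "fixed,  eth0 8080: $(verdict "$FIXED_RULES"  eth0 8080)"   # ACCEPT
```

The lo result is the point about testing: a scan of localhost is accepted by the `-i lo` rule before tcp_packets is ever consulted, so it only shows which ports have a listener, which is also why commenting out a port 80 rule changes nothing on localhost. On a real box, check the listener first (`netstat -ltnp` on a kernel of that era, `ss -ltnp` today) and then read the chain in order with `iptables -L INPUT -n -v --line-numbers`; the per-rule packet counters show which rule is actually eating the traffic. If the last rule is a catch-all DROP, a new rule has to go in front of it with `iptables -I INPUT <num> ...` rather than `-A`.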
