IPCHAINS/MASQ


shad0w
12-01-2000, 07:03 PM
I am trying to block these ports with no success...

137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp filtered socks

I've tried several different ways but none successful. Any suggestions?

------------------
"I'm so thoroughly trained I don't even have to think before I speak"

ndelo
12-01-2000, 07:53 PM
What do your rules currently look like? I would imagine you could do something like: (this example is for port #137)

ipchains -A input -i $YOUR_NIC -p tcp \
-s $ANYWHERE $UNPRIVLAGEDPORTS \
-d $YOUR_IP 137 -j DENY
ipchains -A output -i $YOUR_NIC -p tcp \
-s $YOUR_IP 137 \
-d $ANYWHERE $UNPRIVLAGEDPORTS -j DENY

This will block all incoming and outgoing traffic for that port. Do this for each specific port that you want to block if you do not already have as default policy to deny all. The variables will have to be defined in a script along with these chains and executed or substituted for their actual values. Hope this helps.

Fandelem
12-02-2000, 03:38 PM
well, first off:

when something is filtered, it means it is "firewalled".

when something is open, it means no firewall is on that port.. open to the public

when something is closed, it is turned off from the outside world completely.

secondly,

ndelo had the right idea, but for clarification, if you do post your firewall rules, please include what your variables mean because when I was a newbie, I had no clue what $ANYWHERE meant, or $UNPRIVLAGEDPORTS meant :)

so...

$ANYWHERE=any/0
$UNPRIVLAGEDPORTS=1024:65535
$YOUR_IP & $YOUR_NIC should be self-explanatory though.

Personally, I like to log anything denied, especially to those common ports, so I would add -l (to anywhere on the line) to all those DENY rulesets.

so.. it would look like..

$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 137:139 -i $YOUR_NIC -j DENY -l
$IPCHAINS -A input -p udp -s 0/0 -d 0/0 137:139 -i $YOUR_NIC -j DENY -l

please keep in mind (something that took me a while to figure out) $YOUR_NIC is where your internet access is, *NOT* where your internal LAN is (so it could be something like ppp0, or eth1, etc..). It's common sense once you understand this, but until someone points it out, you don't really think about it :)

regards,

~kyle

shad0w
12-03-2000, 12:55 AM
!

[This message has been edited by shad0w (edited 09 December 2000).]

shad0w
12-03-2000, 12:58 AM
That didn't work. I still show the ports:

137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp filtered socks

Fandelem
12-03-2000, 03:58 AM
Originally posted by Fandelem:
well, first off:

when something is filtered, it means it is "firewalled".


Originally posted from shad0w

#this is a temp config below here#
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 137:139 -i eth1 -j DENY -l
/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 137:139 -i eth1 -j DENY -l

those rules *do* work bud.. remember, if your scan shows up filtered, it means it is just firewalled. but i really don't know why it would show up as filtered, because you're DENYing them, instead of REJECTing them.. hmmm.. mail me your ip address let me scan you sometime. also, keep in mind, perhaps your ISP could be filtering those ports from their router so if you're scanning from outside your ISP, it may catch in that firewall too.. you might want to try to find someone on your network segment and ask them to scan ya..

just a few thoughts..

but i'm positive those rules work :}

regards,

~kyle
(fandelem@hotmail.com)

[This message has been edited by Fandelem (edited 03 December 2000).]

shad0w
12-04-2000, 01:18 AM
Well I'm sorry to say they don't. I've tried it several ways now. I just don't get it. Whether I specify the rules or just leave them out, those ports still show up. If you have any other suggestions (other than turning off smb file sharing) then let me know.

Strike
12-04-2000, 01:46 AM
I think the difference between filtered and closed is that closed only happens when the routing point before the destination is unable to deliver it to the final receiver, and filtered happens when it is delivered successfully but no reply is returned.

rppp01
12-04-2000, 02:23 AM
Try this:
eth0 is my external interface

ipchains -A input -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A input -p udp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p udp -j DENY --destination-port 137:139 -i eth0

Seems to work for me.

Fandelem
12-04-2000, 02:28 AM
okay.. well, let's try it at a different angle; how are you getting scanned?

are you scanning localhost?

or is an outside party scanning you?

and good point Strike - so would that mean he is rejecting but not denying? do you think he's still at risk with those rules in place?

shad0w
12-04-2000, 02:27 PM
Scanned from the outside on a completely different network same things come up.

137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp filtered socks

Strike
12-04-2000, 02:41 PM
Originally posted by Fandelem:
Strike - so would that mean he is rejecting but not denying? do you think he's still at risk with those rules in place?
Well, I think the ultimate goal is to simply keep the knowledge that these ports exist from the outside world, in which case they would want to be "closed". However the way to really close a port would also close it to anyone who may have previously had access.

To be perfectly honest, I don't know why DENYing wouldn't result in a closed status for those ports, and the ipchains rules look fine to me. I'm far from being an ipchains guru, but I'm working on it :)

andrzej
12-04-2000, 02:52 PM
It seems to me that your firewall does exactly what it is expected to do.

1. the scanner knows that the host is up
2. the scanner doesn't get replies from ports that are filtered (this is what DENY means)
3. ... and it does have replies from your closed ports (your default policy on the input chain is ACCEPT (i think?), but wherever there is no service listening, an RST packet is sent).
4. so, as it is very clever, the scanner understands that there is a firewall DENYing ports from which it doesn't get replies.

Correct me if i'm mistaken.
Andrzej

andrzej
12-04-2000, 03:10 PM
I have just tried it on my system.

I don't have anything on port 35/tcp

nmap -sT localhost -p 35
-- it shows 35 is closed

I add a rule:

ipchains -A input -p tcp -s 0/0 -d 0/0 35 -i lo -j DENY
now nmap shows:
35/TCP filtered priv-print

If I REJECT 35/tcp nmap says it is closed.

So: for any tcp port
if a port is closed or a firewall is REJECTing, an RST packet is sent
if the firewall is DENYing there is no RST packet and a port is shown as filtered (no matter whether it is closed or open).

I hope that helps,
Andrzej

shad0w
12-04-2000, 07:33 PM
Ok thanx, I'll try that when I get home.

shad0w
12-04-2000, 10:20 PM
nothing. IT STILL shows up. I'm on the verge of giving up and turning off windows file sharing on my windoze workstations. Here are my modified rulez one last time (you will see in the last few lines I was tired of messing with the ports):

#!/bin/bash

IPCHAINS=/sbin/ipchains
INTNET=192.168.0.0/24
EXTNET=x.x.x.x/24
MODPROBE=/sbin/modprobe
DEPMOD=/sbin/depmod

#CRITICAL: Enable IP forwarding since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_forward

#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

#CRITICAL: Enable TCP SYN Cookie Protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP broadcast echo protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#CRITICAL: Enable Default Flushing BEFORE Appending Rulez
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

#Supports the masquerading of FTP, IRC, RealPlayer, VDOPlayer, and Quake
$DEPMOD -a
$MODPROBE ip_masq_ftp
$MODPROBE ip_masq_irc
$MODPROBE ip_masq_raudio
$MODPROBE ip_masq_vdolive
$MODPROBE ip_masq_quake

$IPCHAINS -A forward -s $EXTNET -d 0/0 -j ACCEPT
$IPCHAINS -A forward -s $INTNET -d 0/0 -j MASQ
$IPCHAINS -A forward -s $INTNET -d 0/0 -j MASQ
$IPCHAINS -A forward -s $INTNET -d 0/0 -j MASQ

# Custom Web Blocking #
$IPCHAINS -A output -s 0/0 -d mailandnews.com -j DENY
$IPCHAINS -A output -s 0/0 -d aol.com -j DENY -l
$IPCHAINS -A output -s 0/0 -d whitepages.com -j DENY
$IPCHAINS -A output -s 0/0 -d hotmail.com -j DENY -l

# DENY PRIVATE IP's #
$IPCHAINS -A input -s 10.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 172.16.0.0/12 -j DENY -l

# Misc Deny Rulez #
$IPCHAINS -A input -s 0.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 1.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 2.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 5.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 7.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 23.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 27.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 31.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 36.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 37.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 39.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 41.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 42.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 49.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 50.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 58.0.0.0/7 -j DENY -l
$IPCHAINS -A input -s 60.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 67.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 68.0.0.0/6 -j DENY -l
$IPCHAINS -A input -s 72.0.0.0/5 -j DENY -l
$IPCHAINS -A input -s 80.0.0.0/4 -j DENY -l
$IPCHAINS -A input -s 96.0.0.0/3 -j DENY -l
$IPCHAINS -A input -s 169.254.0.0/16 -j DENY -l
$IPCHAINS -A input -s 192.0.2.0/24 -j DENY -l
$IPCHAINS -A input -s 197.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 218.0.0.0/7 -j DENY -l
$IPCHAINS -A input -s 220.0.0.0/6 -j DENY -l
$IPCHAINS -A input -s 224.0.0.0/3 -j DENY -l

#this is a temp config below here#
$IPCHAINS -A input -p tcp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A input -p udp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A output -p tcp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A output -p udp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A output -p tcp -j DENY --destination-port 1080 -i eth0
$IPCHAINS -A output -p udp -j DENY --destination-port 1080 -i eth0

$IPCHAINS -A input -p tcp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A input -p udp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A output -p tcp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A output -p udp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A output -p tcp -j DENY --destination-port 1080 -i eth1
$IPCHAINS -A output -p udp -j DENY --destination-port 1080 -i eth1

$IPCHAINS -A output -p tcp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A output -p udp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A input -p tcp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A input -p udp -j DENY --destination-port 137:139 -i eth0
$IPCHAINS -A input -p tcp -j DENY --destination-port 1080 -i eth0
$IPCHAINS -A input -p udp -j DENY --destination-port 1080 -i eth0

$IPCHAINS -A output -p tcp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A output -p udp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A input -p tcp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A input -p udp -j DENY --destination-port 137:139 -i eth1
$IPCHAINS -A input -p tcp -j DENY --destination-port 1080 -i eth1
$IPCHAINS -A input -p udp -j DENY --destination-port 1080 -i eth1

Fandelem
12-04-2000, 11:43 PM
Try REJECTing instead of DENYing and see what happens.

shad0w
12-05-2000, 12:46 AM
I've done that already with the same result. I'm stumped.

Fandelem
12-05-2000, 12:54 AM
Okay! I think I might have a solution..

I've thought about this for a while.. and perhaps it's where you are *placing* the rules that is why it isn't working (or changing)

Try placing the rules at the very top of the file, and see what happens.

other than that, I really am stumped.

regards,

~kyle

(after the -F rules, *grin* but before all the rest..)


[This message has been edited by Fandelem (edited 04 December 2000).]

shad0w
12-05-2000, 01:43 PM
IT STILL shows up. Oh well. I'd like to thank all of you for your help!

<group hug> If I do manage to figure it out I'll post it.

Thank you

------------------
"I'm so thoroughly trained I don't even have to think before I speak"

andrzej
12-05-2000, 03:54 PM
Originally posted by shad0w:
IT STILL shows up.

And what do you expect ?

When all packets sent are dropped (DENY!) while there should be some response (for TCP packets) it is obvious for the scanner that the port is filtered.

A "half-open" scan will always show ports where you REJECT or DENY as filtered (edit: i don't fully understand why, i'd expect REJECTEd to be closed).

A "connect()" scan will show ports which you DENY as filtered, and ports that you REJECT as closed.

It is just perfect that ports are filtered - it means that your firewall is protecting them. Nothing can connect there ! You can filter also some ports where you have nothing listening, just to make it harder to see where your services really are.

Andrzej

[This message has been edited by andrzej (edited 05 December 2000).]
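Andrzej's two posts above (the DENY/REJECT test on port 35 and the half-open vs. connect() scan remark) describe how a scanner infers "open", "closed" and "filtered" from what comes back. The model below is an added example, not code from the thread; it assumes ipchains REJECT answers TCP with an ICMP port-unreachable and that a connect() scan maps that to ECONNREFUSED, while a half-open scan treats it like silence.

```python
"""Constructed model of how nmap interprets the replies an ipchains target
produces. Added example for this thread, not code posted by any participant."""
from enum import Enum


class Target(Enum):
    ACCEPT = "ACCEPT"
    DENY = "DENY"      # silently drop the packet
    REJECT = "REJECT"  # drop it and send back an ICMP port-unreachable


def host_reply(target, listening):
    """What the firewall host sends back for a single SYN to one port.

    Assumptions (labelled): ACCEPT hands the SYN to the TCP stack, which
    answers SYN/ACK if something listens and RST otherwise; DENY answers
    nothing; REJECT answers ICMP port-unreachable (ipchains REJECT for TCP).
    """
    if target is Target.DENY:
        return None
    if target is Target.REJECT:
        return "icmp-port-unreachable"
    return "syn-ack" if listening else "rst"


def syn_scan_state(reply):
    """Half-open scan: RST -> closed; no answer or ICMP unreachable -> filtered."""
    if reply == "syn-ack":
        return "open"
    if reply == "rst":
        return "closed"
    return "filtered"


def connect_scan_state(reply):
    """connect() scan: the kernel turns ICMP port-unreachable into
    ECONNREFUSED, so a REJECTed port looks closed, exactly like an RST."""
    if reply == "syn-ack":
        return "open"
    if reply in ("rst", "icmp-port-unreachable"):
        return "closed"
    return "filtered"  # connect() timed out: nothing came back at all


def scan(rules, listeners, ports, scan_type):
    """rules: {port: Target}, missing ports fall through to an ACCEPT policy
    (the thread's input chain default). Returns {port: state} as nmap prints it."""
    classify = syn_scan_state if scan_type == "syn" else connect_scan_state
    result = {}
    for port in ports:
        reply = host_reply(rules.get(port, Target.ACCEPT), port in listeners)
        result[port] = classify(reply)
    return result


# Constructed setup mirroring the thread: sshd and httpd listen, nothing listens
# on 35, 137-139 or 1080; 137:139 are DENYed and 35 is REJECTed.
RULES = {137: Target.DENY, 138: Target.DENY, 139: Target.DENY, 35: Target.REJECT}
LISTENERS = {22, 80}
PORTS = [22, 35, 80, 137, 138, 139, 1080]

if __name__ == "__main__":
    for kind in ("syn", "connect"):
        print(kind, scan(RULES, LISTENERS, PORTS, kind))
```

Note that a port with neither a rule nor a listener (1080 here) comes back "closed" in this model, so the thread's "filtered" 1080 with no local rule is consistent with Fandelem's earlier suggestion that something between the scanner and the host is dropping those probes.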

five40i
12-05-2000, 07:39 PM
I am not understanding your ipchains, it looks too complicated. I have 2 machines behind a linux firewall/router running Mandrake 7.2. Take a look at my rc.firewall, and all three of my machines communicate with no open ports to the internet. But I also run portsentry.........
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
/sbin/ipchains -A forward -s 172.16.0.0/12 -j MASQ

five40i
12-05-2000, 07:55 PM
One more thing. This may sound kind of dumb, I take it you are running Samba?
If you are you will have to edit the samba configuration to tell it not to use the gateway nic, eth0 ??. You have to tell it to use the internal nic's only and that way the gateway ports will close......

Fandelem
12-05-2000, 08:05 PM
hmm, good point.

in your smb.conf, check for these (if not, add em)

interfaces = 192.168.0.1/24 127.0.0.1/24
bind interfaces only = Yes


then issue: samba restart

regards,


~kyle

[This message has been edited by Fandelem (edited 05 December 2000).]

shad0w
12-06-2000, 12:06 PM
Samba is NOT installed. I have windows file sharing going on behind the box (win 2k Pro). Prior to activating file sharing those ports didn't show up on a scan, if I take down the win boxes then the ports disappear again. I don't understand why eth0 (WAN Interface) would push those ports through when they have been specifically blocked on both the WAN and LAN interfaces on the firewall.

catshu
12-06-2000, 03:57 PM
Which box is the gateway to the internet??

shad0w
12-07-2000, 01:12 AM
a RedHat 6.2 box w/2 NIC's

One Public static IP
One Private static IP

there are two windoze2k boxen behind it w/private IP's

catshu
12-07-2000, 09:04 AM
I took another look at your rules and I see that you have it set to ignore pings....If the machine is set to ignore pings then there is no machine in the world that can scan a non pingable machine.....The machine in essence is invisible, like mine......

"It's life Jim, but not as we know it"

shad0w
12-08-2000, 12:23 AM
The machine is pingable.

Strike
12-08-2000, 01:00 AM
Originally posted by five40i:
But I also run portsentry.........
Portsentry opens up ports for you, you know.

Fandelem
12-08-2000, 01:51 AM
Good point, Strike :}

also, just because you aren't pingable doesn't mean you can't be scanned. the chances go down, yes, but it doesn't make you totally invisible :}

catshu
12-08-2000, 08:34 AM
If your machine is pingable, then your ipchains ain't working......

catshu
12-08-2000, 08:50 AM
And another thing. If you can't ping a machine, how do you know it is there? And how can you scan it if you don't know its there?
I realize that I am not totally invisible, but the sites I have gone to, to get scanned drop the scan when the ping is not returned??
I must assume that my box is totally secure. I tell you what I'll do. I will send you my IP address, scan it and let me know what you find. I have a winders machine behind my router with print and file sharing switched on.......

"It's life Jim, but not as we know it"

shad0w
12-08-2000, 06:05 PM
Ok let's clear some things up. The machine is pingable. I just installed portsentry a few days ago... AFTER trying to close out the ports that are STILL currently open.

the line:

# Disable ICMP broadcast echo protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

From my understanding ignores icmp broadcast packet storms... not ICMP as in simply pinging the host

For one more showing here are my rules *slightly modified*


#!/bin/bash

IPCHAINS=/sbin/ipchains
INTNET=192.168.0.0/24
EXTNET=x.x.x.x/32
MODPROBE=/sbin/modprobe
DEPMOD=/sbin/depmod

#CRITICAL: Enable IP forwarding since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_forward

#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

#CRITICAL: Enable TCP SYN Cookie Protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP broadcast echo protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#CRITICAL: Enable Default Flushing BEFORE Appending Rulez
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

#Supports the masquerading of FTP, IRC, RealPlayer, VDOPlayer, and Quake
$DEPMOD -a
$MODPROBE ip_masq_ftp
$MODPROBE ip_masq_irc
$MODPROBE ip_masq_raudio
$MODPROBE ip_masq_vdolive
$MODPROBE ip_masq_quake

$IPCHAINS -A forward -s $EXTNET -d 0/0 -j ACCEPT
$IPCHAINS -A forward -s $INTNET -d 0/0 -j MASQ

# Custom Web Blocking #
$IPCHAINS -A output -s 0/0 -d mailandnews.com -j DENY
$IPCHAINS -A output -s 0/0 -d aol.com -j DENY -l
$IPCHAINS -A output -s 0/0 -d whitepages.com -j DENY
$IPCHAINS -A output -s 0/0 -d hotmail.com -j DENY -l

# DENY PRIVATE IP's #
$IPCHAINS -A input -s 10.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 172.16.0.0/12 -j DENY -l

# Misc Deny Rulez #
$IPCHAINS -A input -s 0.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 1.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 2.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 5.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 7.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 23.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 27.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 31.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 36.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 37.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 39.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 41.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 42.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 49.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 50.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 58.0.0.0/7 -j DENY -l
$IPCHAINS -A input -s 60.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 67.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 68.0.0.0/6 -j DENY -l
$IPCHAINS -A input -s 72.0.0.0/5 -j DENY -l
$IPCHAINS -A input -s 80.0.0.0/4 -j DENY -l
$IPCHAINS -A input -s 96.0.0.0/3 -j DENY -l
$IPCHAINS -A input -s 169.254.0.0/16 -j DENY -l
$IPCHAINS -A input -s 192.0.2.0/24 -j DENY -l
$IPCHAINS -A input -s 197.0.0.0/8 -j DENY -l
$IPCHAINS -A input -s 218.0.0.0/7 -j DENY -l
$IPCHAINS -A input -s 220.0.0.0/6 -j DENY -l
$IPCHAINS -A input -s 224.0.0.0/3 -j DENY -l

#this is a temp config below here#


#EOF

Fandelem
12-08-2000, 06:17 PM
usually places that offer scans have a set command with parameters to scan that doesn't include the -P0 function - which ignores trying to ping the host first to see if it's up and just scans the IP address regardless..

five40i
12-09-2000, 10:36 AM
If your machine is pingable, your ipchains ain't working......With "icmp_ignore_all" enabled, the machine will not reply to the ping. If your machine is replying to the ping, your ipchains AIN'T WORKING!!!!!!!

knute
12-09-2000, 11:21 AM
I was curious about the first line of you masq'ing where you are accepting anything from the outside network and passing it to your internal....
Why do you need that line?
I thought that the masqing rules would handle it both ways automagically...
Would that line also defeat the purpose of the reject or deny actions of the other rules?
What happens if you comment that line out and then get scanned?
I'm not trying to slam anybody, cause I probably know the least about it here, it just seemed weird to me when I was reading thru it...

------------------
Knute
Email: knuteh@yahoo.com
ICQ: 53979509
GAIM: knutehall

Fandelem
12-09-2000, 04:05 PM
scrap that firewall script, go with pmfirewall =)

shad0w
12-09-2000, 05:01 PM
Well if my IPChains were not working I would NOT be able to type and post this from my win2k box with a Non-Routable IP. Not to mention icmp_ignore_all is NOT enabled...

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

The rules block what they should be blocking and pass what they should be passing.

Besides I'm asking for help, I'm not boasting I'm the IPChains God so there is not need to "yell". Please be a little more mature.

Originally posted by five40i:
If your machine is pingable, your ipchains ain't working......With "icmp_ignore_all" enabled, the machine will not reply to the ping. If your machine is replying to the ping, your ipchains AIN'T WORKING!!!!!!!

shad0w
12-09-2000, 05:06 PM
maybe to clarify:

Enable broadcast echo Protection

do you know what it means to "broadcast" vs. "reply"?

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

five40i
12-09-2000, 07:11 PM
I didn't mean to shout....Sorry...I am getting as frustrated as you are trying to figure out why it don't work.....I still don't understand why you need all those rules. I personally would go with something a bit simpler rather than trying to block each individual port....Have you tried pmfirewall or portsentry? I had a hell of a time when I first started with ipchains and getting them to work. I followed all the HowTo's and got totally confused....That is why my rules are simple and running portsentry makes my system very secure.
I know we are all trying to help each other here, so let's get your machine secure....
Redo the ipchains, make it simple, don't try and block ports, use portsentry it will close them for you and pmfirewall will do it too.......Take another look at the ipchains I posted, try it.....let us know what happens......

shad0w
12-09-2000, 07:45 PM
You are correct I do NOT need the first line you are referring to. It was recommended by someone I know (not this Message Board)

I also added this line:
#Dont MASQ internal-Internal traffic
$IPCHAINS -A forward -s $INTNET -d $INTNET -j ACCEPT


I have taken out that line from the config... Scanning my firewall from a different host... Results:

Port State Service
22/tcp open ssh
80/tcp open http
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp filtered socks


Originally posted by knute:
I was curious about the first line of you masq'ing where you are accepting anything from the outside network and passing it to your internal....
Why do you need that line?
I thought that the masqing rules would handle it both ways automagically...
Would that line also defeat the purpose of the reject or deny actions of the other rules?
What happens if you comment that line out and then get scanned?
I'm not trying to slam anybody, cause I probably know the least about it here, it just seemed weird to me when I was reading thru it...

shad0w
12-09-2000, 07:56 PM
STRIPPED CONFIG:

#!/bin/bash

IPCHAINS=/sbin/ipchains
INTNET=192.168.0.0/24

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

$IPCHAINS -A forward -s $INTNET -d 0/0 -j MASQ

RESULTS:

Port State Service
22/tcp open ssh
80/tcp open http
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp filtered socks

five40i
12-09-2000, 09:45 PM
It ain't going to work....The nature of the beast is....The Linux box is masqing the windoze boxes and if it is masqing the windoze boxes which are sharing files and printers then it is going to open up the ports that you are trying to close. The only way I can think of and the simplest way to close these ports is portsentry.....
Give it a try and make your life easier.

shad0w
12-10-2000, 01:38 AM
Alright.

Fandelem
12-10-2000, 03:52 AM
For reference, portsentry does not listen on already open ports

as shown from my logs:


Dec 10 03:56:19 server portsentry[26452]: adminalert: ERROR: Socket 139 is in use and will not be monitored. Attempting to continue
Dec 10 03:56:19 server portsentry[26452]: adminalert: Going into stealth listen mode on TCP port: 143
Dec 10 03:56:19 server portsentry[26452]: adminalert: Going into stealth listen mode on TCP port: 512


it opens ports not in use and listens on them :}

I recommend just giving PMFirewall a try and see where it gets you - what do you have to lose?

regards

~kyle

five40i
12-10-2000, 06:13 PM
Okay I've done some experimenting with my machines....I have as you know a Linux box which is the router, running Drake 7.2. I have 3 nic's in that machine. eth0 (connected to the internet) eth1 (Winderz) and eth2 (Linux machine). I have print and file sharing between the Linux machine and the Winderz machine (samba) but do not have either sharing with the router. I am running portsentry on the router, I am not running pmfirewall...I had the machine scanned again last night at secure-me.net which gave me a perfect score of 0 and also no ports at all were open, not one....I really have no idea what you are doing with that machine.....I give up..........

Good luck and I hope you finally figure it out.............

roofrabbit
12-11-2000, 06:40 PM
Fandelem:
Could you post a working example of pmfirewall file(s) using the following?

10.10.10.30 LM7.2 with internet connection
10.10.10.10 Win98
10.10.10.20 WinME

So far, I can use Netscape on the Linuxbox just fine, but when I try using pmfirewall, I can no longer access the internet with Netscape. The 2 win boxes can't access the internet through the linuxbox either (never did actually).
Samba is running but not correctly right now, shows up on winboxes by hostname but is unreachable. I actually had it working once, but not sure it is related to pmfirewall problem. I can use proxy settings in netscape on the linuxbox and access the net through the winme pc (which is backwards from what I want).
Thanks for any help!

Fandelem
12-11-2000, 08:02 PM
I'm confused.. you are running pmfirewall right? if so, all you have to do is run the pmfirewall config script again..


i have made a logfile for you to run through (just notice the big red one, which is the important one)

you can find it at:
http://www.fandelem.com/roofrabbit.html

hope this can help - basically you need to add 10.10.10.0/24 for your internal masq'ing - pmfirewall will figure your IP addresses out from ifconfig so make sure that is correct as well (10.10.10.30 should have a subnet mask of 255.255.255.0 I believe [in your case])

regards,

~kyle

-anymore specific questions, feel free to ask away - I just didn't want to go into too much depth at first and have it not pertain :}

(edit: sorry, on my logfile i enabled ssh on port 22 [habit], if you don't want this, just answer n)

[This message has been edited by Fandelem (edited 11 December 2000).]

roofrabbit
12-12-2000, 05:39 PM
Thanks for the info. I'm still working on it, but having a problem with ipchains, keeps printing "help" each time pmfirewall script tries to run it. Since this could be a screwed up cfg I may have done, I plan to just reinstall LM7.2 from scratch and start fresh. That'd probably be the fastest way.
I appreciate the page you did for me and have it copied on my HD (not the linuxbox). I will let you know how it turns out in the next few days (when I get the time).
The only question I had was you used ppp3 and I think mine is ppp0. Does that sound correct?
Again, thanks for the info a bunch :-)

Fandelem
12-12-2000, 05:43 PM
ppp0 sounds correct. I use ppp3 because I have three internet connections and WvDial assigned the one I use the most ppp3 for some idiotic reason, and I'm too lazy to go in and fix it :}

also, it is printing the "help" commands because of bad syntax. start a new thread posting your pmfirewall.rules.local in full - and I will diagnose the problem from there - don't reinstall your OS because your IPCHAINS aren't working - reinstall your OS when you can't access your disks anymore, or you keep getting segmentation faults when you do anything, or it locks up continuously and randomly, etc..

regards,

~kyle

roofrabbit
12-13-2000, 04:56 PM
"don't reinstall your OS"

Believe me, it's no big deal. I've learnt a lot playing with it and re-installing different flavors of Linux. The pc is dedicated only for Linux and has no important functions till Linux is the way I want it.
It only takes me about 45-50 minutes to get it back from scratch anyways.

Between Samba and ipchains, should ipchains be correctly running before installing samba, or does it matter?

Fandelem
12-13-2000, 05:04 PM
"Between Samba and ipchains, should ipchains be correctly running before installing samba, or does it matter"

It doesn't matter at all - just make sure once you get samba up and running that you implement some ipchains rules :)