Ubuntu Finland discussion forums
Other areas => Other operating systems and Linux distributions => Topic started by: vellu@vmach - 08.04.12 - at 21:58
-
I tried to close port 25 on Debian (testing), but the instructions I found online:
iptables -A INPUT -p tcp --dport 0:25 -j DROP
didn't work as they should have.
Now nmap says this:
root@debian:/home/vellu# nmap -A localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-08 21:27 EEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000041s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
1/tcp filtered tcpmux
3/tcp filtered compressnet
4/tcp filtered unknown
6/tcp filtered unknown
7/tcp filtered echo
9/tcp filtered discard
13/tcp filtered daytime
17/tcp filtered qotd
19/tcp filtered chargen
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.20 seconds
In addition, iptables -L reports:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:0:smtp
REJECT tcp -- anywhere anywhere tcp dpts:0:smtp reject-with icmp-port-unreachable
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
How could I restore that to normal? Is it even safe to use this now?
-
A few links that may be useful. A slightly different situation, but you can adapt the instructions.
http://linux.fi/wiki/Iptables
http://forum.ubuntu-fi.org/index.php?topic=39932.0
-
Well, it got fixed, or it was never actually broken. Now it shows this:
root@debian:/home/vellu# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@debian:/home/vellu# nmap -A localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-08 22:59 EEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000017s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Exim smtpd 4.77
| smtp-commands: EHLO debian Hello localhost [127.0.0.1], SIZE 52428800, PIPELINING, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%........................ etc.
Network Distance: 0 hops
Service Info: Host: debian
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.01 seconds
Port 25 is admittedly still open, though. If only I could get that too...
-
sudo apt-get purge ufw # Removes the ufw package
sudo iptables -F # Resets the firewall
-
The same thing happened to me once when I was experimenting with those, and I made three little scripts back then to help with testing:
Ubuntu's original "everything open" setting:
http://www.homelinuxpc.com/download/iptables-auki.bash
Close everything:
http://www.homelinuxpc.com/download/iptables-sulje.bash
Current status:
http://www.homelinuxpc.com/download/iptables-nykytila.bash
Those are for Ubuntu, so they use sudo.
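Added example, not from the thread or the linked scripts: it does what the purge-and-flush reply and the "everything open" script above aim at (a full reset, including the DROP policies and the leftover ufw-* chains that a bare `iptables -F` leaves in place) and shows the port-range semantics behind the original `--dport 0:25` rule. It assumes a Debian/Ubuntu host with iptables on PATH and must run as root; `IPTABLES=echo` previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the thread). IPTABLES is overridable so the
# commands can be previewed with IPTABLES=echo before running as root.
IPTABLES="${IPTABLES:-iptables}"

# Full reset to the "everything open" state. "iptables -F" alone flushes
# rules but keeps "policy DROP" on INPUT/FORWARD and keeps the ufw-* chains
# defined; setting the policies and running -X is what removes those.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F   # flush every rule in the table
        "$IPTABLES" -t "$table" -X   # delete user-defined (e.g. ufw-*) chains
    done
}

# Pure-shell model of how a --dport spec matches, to show why "0:25"
# filtered ports 1-25 (ssh included) in the first nmap scan: "A:B" is a
# range, a bare number matches only that port. Returns 0 if PORT matches.
dport_matches() {
    spec="$1"; port="$2"
    case "$spec" in
        *:*) lo="${spec%%:*}"; hi="${spec#*:}"
             [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] ;;
        *)   [ "$port" -eq "$spec" ] ;;
    esac
}

# Drop only SMTP arriving on non-loopback interfaces, so local delivery
# over 127.0.0.1 keeps working while port 25 is closed to the network.
block_smtp_inbound() {
    "$IPTABLES" -A INPUT ! -i lo -p tcp --dport 25 -j DROP
}

case "${1:-}" in
    reset)      reset_firewall ;;
    block-smtp) block_smtp_inbound ;;
esac
```

Both scans in the thread target localhost, so an Exim that only binds 127.0.0.1 shows as open there without being reachable from the network; check the bound address with `ss -ltn` (or `netstat -ltn`) before adding rules.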