
#1 2015-07-02 07:59:35

rehono
Member
Registered: 2015-06-15
Posts: 16

open CUPS port in TCP and UDP chain

I followed the simple stateful wiki howto.

I also did the SYN TCP scan and UDP scan blocking:
https://wiki.archlinux.org/index.php/Si … t_scanners

iptables -nvL --line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 30/min burst 8
2        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
3    4358K 6323M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4      117  6956 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5      129  5160 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
6     6370 1702K UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
7        0     0 TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 ctstate NEW
8      109 18829 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
9        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
10       2    64 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1105K packets, 93M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain TCP (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
2        0     0 ACCEPT     tcp  --  *      *       192.168.1.199       0.0.0.0/0            tcp spt:631 dpt:631 state NEW

Chain UDP (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     6261 1683K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
2        0     0 ACCEPT     udp  --  *      *       192.168.1.199       0.0.0.0/0            udp spt:631 dpt:631 state NEW

Using the TCP/UDP chains, this is what I did to allow inbound CUPS ports (not working):

iptables -A TCP -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT
iptables -A UDP -p udp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT

But if I open up the TCP/UDP ports in the INPUT chain, it all works fine (end of INPUT chain):

iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT


Looking at all the rejected packets in the UDP scan rule (rule #1 in the UDP chain) makes me think that the UDP scan rule might be blocking the CUPS port.
Am I right? Does anyone know a solution to this?
Edit: the wiki suggests the scan reject rule should be at the top of the TCP/UDP chains, but I am not sure.

Last edited by rehono (2015-07-02 08:02:43)


#2 2015-07-02 08:17:37

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: open CUPS port in TCP and UDP chain

iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT

EDIT: no need for the --sport part. The source port will be randomly assigned by the remote.

Last edited by fukawi2 (2015-07-02 08:18:15)


#3 2015-07-02 18:15:15

rehono
Member
Registered: 2015-06-15
Posts: 16

Re: open CUPS port in TCP and UDP chain

fukawi2 wrote:
iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW  --dport 631 -j ACCEPT

EDIT: no need for the --sport part. The source port will be randomly assigned by the remote.

Yeah, I didn't have sport in the rule I had working in the INPUT chain.
I tried no sport in the TCP/UDP chains but still no luck.


#4 2015-07-02 22:41:13

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: open CUPS port in TCP and UDP chain

Post the output of `iptables-save` -- it's easier to visually parse.


#5 2015-07-03 09:16:45

rehono
Member
Registered: 2015-06-15
Posts: 16

Re: open CUPS port in TCP and UDP chain

fukawi2 wrote:

Post the output of `iptables-save` -- it's easier to visually parse.

# Generated by iptables-save v1.4.21 on Fri Jul  3 02:14:12 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -s 192.168.1.199/32 -p tcp -m tcp --dport 631 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -s 192.168.1.199/32 -p udp -m udp --dport 631 -j ACCEPT
COMMIT
# Completed on Fri Jul  3 02:14:12 2015

Last edited by rehono (2015-07-08 21:09:24)


#6 2015-07-03 09:32:08

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: open CUPS port in TCP and UDP chain

Reorder the rules in your "TCP" and "UDP" chains -- first match wins, and your REJECT is the first rule. Make it the last.

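Why the REJECT-first order in the custom chains breaks an explicitly allowed host, and why rule #1 of the UDP chain in post #1 has thousands of hits: the `-m recent --set` REJECT in INPUT adds the source of any UDP packet that was not accepted (a printer's mDNS announce, for instance) to the `UDP-PORTSCAN` list, and the `--update --seconds 60` REJECT at the top of the UDP chain then matches that source for the next 60 seconds, refreshing the timer every time it fires. A peer that keeps sending stays locked out; the ACCEPT for 192.168.1.199:631 below it is never reached. The Python below is an added example, not code from this thread, from the wiki or from netfilter. It models first-match chain traversal plus the xt_recent `--set`/`--update` semantics and runs the posted INPUT/TCP/UDP layout in both orders over a constructed traffic sample. 192.168.1.199 and port 631 come from the post; the mDNS packet to port 5353 and the 10.0.0.5 scanner are assumptions.

```python
"""Model of iptables first-match traversal plus xt_recent, for the ruleset in this thread.

Added example (not from the thread, the Arch wiki or netfilter). ICMP and conntrack
rules are omitted because they do not affect the outcome for NEW UDP/TCP packets.
"""
from dataclasses import dataclass
from typing import Optional

PRINTER = "192.168.1.199"   # the CUPS peer from the post
SCANNER = "10.0.0.5"        # constructed: a host probing several ports quickly


@dataclass
class Packet:
    src: str
    proto: str      # "tcp" or "udp"
    dport: int
    ts: float       # seconds; xt_recent compares this against the entry's last-seen time


@dataclass
class Rule:
    target: str                          # ACCEPT, REJECT, or the name of a user chain
    proto: Optional[str] = None          # -p
    src: Optional[str] = None            # -s
    dport: Optional[int] = None          # --dport
    recent_set: Optional[str] = None     # -m recent --set --name NAME
    recent_update: Optional[tuple] = None  # -m recent --update --seconds N --name NAME
    pkts: int = 0                        # the counter shown by iptables -nvL

    def matches(self, pkt: Packet, recent: dict) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and pkt.src != self.src:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.recent_update:
            name, seconds = self.recent_update
            last = recent.setdefault(name, {}).get(pkt.src)
            if last is None or pkt.ts - last > seconds:
                return False                 # not listed, or listed too long ago
            recent[name][pkt.src] = pkt.ts   # --update refreshes the last-seen time
        if self.recent_set:
            recent.setdefault(self.recent_set, {})[pkt.src] = pkt.ts  # --set always matches
        return True


def walk(chain: str, chains: dict, recent: dict, pkt: Packet) -> Optional[str]:
    """First match wins; None means we fell off the end (implicit RETURN)."""
    for rule in chains[chain]:
        if not rule.matches(pkt, recent):
            continue
        rule.pkts += 1
        if rule.target in chains:                    # -j to a user chain
            verdict = walk(rule.target, chains, recent, pkt)
            if verdict is not None:
                return verdict
            continue                                 # user chain returned, keep going
        return rule.target
    return None


def build_ruleset(reject_first: bool) -> dict:
    """The posted layout; reject_first=True is the order from the iptables-save output."""
    def user_chain(proto, name):
        reject = Rule("REJECT", proto=proto, recent_update=(name, 60))
        accept = Rule("ACCEPT", proto=proto, src=PRINTER, dport=631)
        return [reject, accept] if reject_first else [accept, reject]
    return {
        "INPUT": [
            Rule("UDP", proto="udp"),
            Rule("TCP", proto="tcp"),
            Rule("REJECT", proto="udp", recent_set="UDP-PORTSCAN"),
            Rule("REJECT", proto="tcp", recent_set="TCP-PORTSCAN"),
            Rule("REJECT"),
        ],
        "UDP": user_chain("udp", "UDP-PORTSCAN"),
        "TCP": user_chain("tcp", "TCP-PORTSCAN"),
    }


# Constructed traffic sample, timestamps in seconds.
TRAFFIC = [
    Packet(PRINTER, "udp", 5353, 0.0),   # mDNS announce: no ACCEPT for it, hits --set in INPUT
    Packet(PRINTER, "udp", 631, 1.0),    # CUPS browse packet, 1 s later
    Packet(PRINTER, "tcp", 631, 2.0),    # IPP connection: TCP-PORTSCAN is a separate list
    Packet(SCANNER, "udp", 53, 3.0),     # scanner: first probe lands it on the list
    Packet(SCANNER, "udp", 161, 3.1),
    Packet(SCANNER, "udp", 631, 3.2),    # same port as CUPS, but not from 192.168.1.199
    Packet(PRINTER, "udp", 631, 40.0),   # still inside the 60 s window
    Packet(PRINTER, "udp", 631, 110.0),  # first packet after more than 60 s of silence
]


def run(reject_first: bool, packets=TRAFFIC):
    chains, recent, verdicts = build_ruleset(reject_first), {}, []
    for pkt in packets:
        verdicts.append(walk("INPUT", chains, recent, pkt) or "DROP")  # INPUT policy DROP
    return verdicts, chains


def counters(chains: dict, chain: str) -> dict:
    """Per-target packet counters for a user chain, like the pkts column of iptables -nvL."""
    return {rule.target: rule.pkts for rule in chains[chain]}


if __name__ == "__main__":
    for label, first in (("REJECT first (as posted)", True), ("ACCEPT first (the fix)", False)):
        verdicts, chains = run(first)
        print(label)
        for pkt, v in zip(TRAFFIC, verdicts):
            print(f"  {pkt.src:15} {pkt.proto}/{pkt.dport:<5} t={pkt.ts:6.1f} -> {v}")
        print("  UDP chain counters:", counters(chains, "UDP"))
```

With REJECT first, every CUPS packet from the printer that arrives within 60 seconds of its last refused packet is rejected by rule 1 of the UDP chain, and each refusal restarts the 60 second clock, so a chatty peer only gets through after a full minute of silence. With ACCEPT first, the printer's port 631 traffic is accepted regardless of the list, while the scanner is still rejected in the chain once its first probe has listed it, so the port-scan protection is not weakened for anything the `-s`-scoped ACCEPT does not explicitly allow. On a live box, `cat /proc/net/xt_recent/UDP-PORTSCAN` shows which sources are currently listed, which is the quickest way to confirm this is what is happening.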

#7 2015-07-08 18:47:24

rehono
Member
Registered: 2015-06-15
Posts: 16

Re: open CUPS port in TCP and UDP chain

fukawi2 wrote:

Reorder the rules in your "TCP" and "UDP" chains -- first match wins, and your REJECT is the first rule. Make it the last.

I will try it out and update. Sorry, I have been a bit busy lately.


Powered by FluxBB