
#1 2008-04-18 00:55:04

miguimon
Member
From: Sydney
Registered: 2008-02-28
Posts: 37
Website

iptables and securing portmap

Hello,

I think this topic has been discussed more than once, but I don't find a solution, so... sadly, here it is. I have been trying to add some iptables rules for securing the portmap service on port 111, but with no luck. I'm usually behind a DSL router using interface eth0 and NAT, but sometimes I want to test the security of my laptop, so I change to a DMZ and scan myself using some online port scan, because I need to be safer when using public wifi areas... I would like to provide some extra security for my laptop, but portmap always seems open from outside. All the rules are from http://wiki.archlinux.org/index.php/Sim … wall_HOWTO.

/etc/iptables/iptables.rules

# Generated by iptables-save v1.3.8 on Sun Mar  2 20:48:53 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [104271:8445548]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp --dport 111 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 68 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j DROP
-A interfaces -i lo -j ACCEPT
-A interfaces -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Mar  2 20:48:53 2008

/etc/hosts.deny

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

I would appreciate any idea or suggestion.

Thanks
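As an added example (not from the post or the Arch wiki), a small Python evaluator that walks an iptables-save ruleset in order the way netfilter would, descending into user-defined chains, and reports which rule first decides a packet's fate. It works on a constructed, condensed copy of the posted chains, a constructed outside source address, and models only the match options the posted rules use.

```python
import ipaddress
# Constructed: a condensed copy of the post's ruleset, keeping the chain order as-is.
POSTED = """\
:INPUT DROP [0:0]
:interfaces - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -p tcp --dport 111 -j REJECT --reject-with tcp-reset
-A interfaces -i lo -j ACCEPT
-A interfaces -i eth0 -j ACCEPT
"""
WITHOUT_ETH0_ACCEPT = POSTED.replace("-A interfaces -i eth0 -j ACCEPT\n", "")  # minus the blanket eth0 ACCEPT

def parse(text):  # -> ({chain: [(tokens, line)]}, {chain: policy})
    rules, policy = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, pol = line[1:].split()[:2]
            rules[name], policy[name] = [], pol
        elif line.startswith("-A "):
            t = line.split(); rules[t[1]].append((t[2:], line))
    return rules, policy
def matches(tokens, pkt):  # toy subset of match options; unknown two-token options (-m, -j, ...) are skipped
    i, neg = 0, False
    while i < len(tokens):
        t, ok, step = tokens[i], True, 2
        if t == "!": neg = True; i += 1; continue
        if t == "-i": ok = pkt["iface"] == tokens[i + 1]
        elif t == "-p": ok = pkt["proto"] == tokens[i + 1]
        elif t == "-s": ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(tokens[i + 1], strict=False)
        elif t == "--dport": ok = pkt.get("dport") == int(tokens[i + 1])
        elif t == "--icmp-type": ok = pkt.get("icmp_type") == int(tokens[i + 1])
        elif t == "--state": ok = pkt["state"] in tokens[i + 1].split(",")
        elif t == "--tcp-flags":  # flags inside the mask must equal the comparison set
            comp = set(tokens[i + 2].split(",")) - {"NONE"}
            ok, step = (pkt.get("flags", set()) & set(tokens[i + 1].split(","))) == comp, 3
        elif t == "-f": ok, step = pkt.get("fragment", False), 1
        if ok == neg: return False  # plain mismatch, or a match under '!'
        neg, i = False, i + step
    return True
def verdict(rules, policy, chain, pkt):  # first terminating rule, descending into user chains
    for tokens, line in rules[chain]:
        if matches(tokens, pkt):
            target = tokens[tokens.index("-j") + 1]
            hit = (target, line) if target in ("ACCEPT", "DROP", "REJECT") else verdict(rules, policy, target, pkt)
            if hit: return hit
    return None if policy[chain] == "-" else (policy[chain], "chain policy")
SYN_TO_PORTMAP = {"iface": "eth0", "proto": "tcp", "dport": 111, "src": "203.0.113.5", "state": "NEW", "flags": {"SYN"}}  # constructed packet
def decide(text, pkt=SYN_TO_PORTMAP):  # (verdict, deciding rule) for a packet entering INPUT
    return verdict(*parse(text), "INPUT", pkt)
```

Run over the posted order, it shows the `-j interfaces` jump accepting all eth0 traffic before any port 111 rule is consulted; with that ACCEPT removed, the REJECT on port 111 is the first rule to decide the same packet.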
