
#1 2009-01-14 16:14:41

darkbeanies
Member
Registered: 2009-01-14
Posts: 142

How do I stealth my ports with iptables?

Greetings all, just getting started with Arch Linux, using Chakra because I, er, couldn't quite manage to configure the desktop environment by myself. Anyway, I followed the "simple stateful firewall" guide on the wiki, but I notice that GRC's ShieldsUP finds that my ports are closed and not stealthed. First of all, is this important anyway, or is it better they be closed rather than stealthed? And, if it would be more secure to stealth my ports, how do I change my iptables rules to do this?

Thanks!


#2 2009-01-14 16:52:10

Bob_Sheep
Member
From: Scotland
Registered: 2008-10-06
Posts: 27

Re: How do I stealth my ports with iptables?

Stealthed means that your computer will not respond to any requests on a port, whereas with closed it will send an RST packet. Your iptables rules just need to be set to DROP rather than REJECT.

Last edited by Bob_Sheep (2009-01-14 16:55:25)


#3 2009-01-14 17:20:48

Procyon
Member
Registered: 2008-05-07
Posts: 1,819

Re: How do I stealth my ports with iptables?

I am trying to figure out how this works too, it's these lines, right?

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

and then -j DROP?

Will that give any disadvantages?


And if I can hijack the thread a little: the open chain, I have used that for BitTorrent (is that wise, by the way?), but that site says the ports are closed. I have also opened another port for P2P and that works fine.
Could it be the ISP blocking? My BitTorrent is still fast, though.

EDIT: After a bit of setup it seems an application needs to be actually listening on the port for it to be open? I did try out DROP instead of REJECT and everything reports as stealthed now, except those ports in the OPEN chain.

Last edited by Procyon (2009-01-14 17:38:08)


#4 2009-01-14 17:50:06

darkbeanies
Member
Registered: 2009-01-14
Posts: 142

Re: How do I stealth my ports with iptables?

Works perfectly!!!

Procyon: just change REJECT to DROP in those two lines and forget whatever comes after the --; perfect TruStealth rating!

You might have to start again, flush your rules maybe, I did anyway.

Edit: oh, I see you have it working already. Bah, I wanted to answer a question!

Last edited by darkbeanies (2009-01-14 17:51:07)


#5 2009-01-14 17:55:53

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: How do I stealth my ports with iptables?

Erm no.

The fact that you use -j REJECT means a message is sent back to the computer trying to contact yours. That way the computer will know that, even though the ports are closed, the system is up (because it gets a response). Just using -j DROP should fix this.

I don't think you can stealth open ports - that would defeat its purpose. How will you discern between legitimate requests (that need the port to be open) and bots (that you don't want to know the port is open)?

Edit: dammit, I should refresh when I put a response together so slowly.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
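The distinction drawn in posts #2 and #5 (RST back means "closed", nothing back means "stealth") can be checked from the outside without relying on ShieldsUP. The following is an added example, not code from this thread, the wiki guide or GRC: a plain TCP connect is enough to tell the states apart, because the kernel reports an RST as ECONNREFUSED, an ICMP unreachable as EHOSTUNREACH/ENETUNREACH, and silence as a timeout. Only the loopback demo at the bottom is exercised here; the 192.0.2.10 address in the trailing comment is a placeholder.

```python
"""Classify a TCP port the way ShieldsUP does from the outside: "open",
"closed" (the host answered with RST) or "stealth" (nothing came back).
Added example for this thread; needs no raw sockets or root."""
import errno
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe_tcp(host, port, timeout=2.0):
    """Return OPEN / CLOSED / STEALTH / UNREACHABLE for host:port.

    What connect() reports maps onto the firewall behaviour discussed above:
      SYN-ACK received      -> connect succeeds        -> OPEN
      RST received          -> ECONNREFUSED            -> CLOSED  (REJECT --reject-with tcp-reset,
                                                                   or simply nothing listening)
      nothing received      -> wait runs out           -> STEALTH (DROP, or a filter in the path)
      ICMP unreachable      -> EHOSTUNREACH/ENETUNREACH -> UNREACHABLE (REJECT --reject-with icmp-*)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # returns an errno instead of raising
    finally:
        s.close()
    if rc == 0:
        return OPEN
    if rc == errno.ECONNREFUSED:
        return CLOSED
    if rc in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    # On a socket with a timeout CPython's connect_ex() hands back EWOULDBLOCK/EAGAIN
    # when the wait expires (a blocking socket would give ETIMEDOUT): no SYN-ACK, no RST.
    if rc in (errno.EWOULDBLOCK, errno.EAGAIN, errno.ETIMEDOUT):
        return STEALTH
    return "error:" + errno.errorcode.get(rc, str(rc))


def scan(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def listen_on_loopback():
    """Open a listening socket on an ephemeral loopback port (demo/test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Loopback demo: a listening port reports "open"; once the listener is gone
    # the kernel answers with RST, which is exactly what "closed" means.
    srv, port = listen_on_loopback()
    print(port, probe_tcp("127.0.0.1", port))
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))
    # Against a remote host that DROPs, the same call returns "stealth" once the
    # timeout expires, e.g. scan("192.0.2.10", [22, 80, 55555]) (placeholder address).
```

Run it against your own public address from another network; a host with the DROP rules from this thread comes back as "stealth" for everything except the ports in the open chain, while the REJECT versions come back as "closed" (TCP) or "unreachable" (UDP-style ICMP reject on a TCP probe).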


#6 2009-01-14 18:27:33

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: How do I stealth my ports with iptables?

B wrote:

Edit: dammit, I should refresh when I put a response together so slowly.

At least you're not alone.


My Arch Linux Stuff :: Forum Etiquette :: Community Ethos - Arch is not for everyone


#7 2009-01-14 18:42:46

Procyon
Member
Registered: 2008-05-07
Posts: 1,819

Re: How do I stealth my ports with iptables?

I see, and I read somewhere my 10 BitTorrent ports are fine too as long as the application is secure. (rtorrent was using a closed port, though; I wonder what was up with that.)

And BTW, the policy of INPUT is already DROP, so these lines are actually redundant. (I tested it just now)


#8 2009-01-14 19:29:47

darkbeanies
Member
Registered: 2009-01-14
Posts: 142

Re: How do I stealth my ports with iptables?

Also, I can't seem to get a port open for Deluge. I tried iptables -A open -i eth0 -p tcp --dport 55555:55555 -j ACCEPT from the guide; is there anything else I need to do? I've got MoBlock running too; do I need to meddle with that at all to open ports? I don't think I do. I also tried

iptables -A open -i eth0 -p tcp --dport 55555:55555 -j ACCEPT
iptables -A open -i eth0 -p udp --dport 55555:55555 -j ACCEPT

But that doesn't work either, unless I did it wrong.


#9 2009-01-14 19:36:33

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: How do I stealth my ports with iptables?

Why the port range if you only have one port in it? I think a range also requires a slightly different syntax from a rule with one port.

Btw:

iptables -L

shows you the loaded rules, always nice for diagnosing (it reads easier than the rules themselves imho).




#10 2009-01-14 19:38:10

darkbeanies
Member
Registered: 2009-01-14
Posts: 142

Re: How do I stealth my ports with iptables?

Ah, sorry, I just guessed it, basically. I'll have a look, cheers.

Edit: or could I do 55554:55556 and save time?

Output of iptables -L gives (at the bottom):

Chain open
ACCEPT     tcp  --  anywhere             tcp dpt:55555

Last edited by darkbeanies (2009-01-14 19:43:18)


#11 2009-03-24 02:17:37

schmoemi
Member
From: Gersthofen, BY, Germany
Registered: 2004-10-17
Posts: 51

Re: How do I stealth my ports with iptables?

Procyon wrote:

And BTW, the policy of INPUT is already DROP, so these lines are actually redundant. (I tested it just now)

I tried to set the INPUT policy to REJECT, by the way, and this is what I got after I tried to load my altered iptables.rules:

iptables-restore v1.4.2: Can't set policy `INPUT' on `REJECT' line 4: Bad policy name

Is 'REJECT' not allowed as a policy? Why? Anyone who knows more?


The time when Microsoft starts making something that doesn't suck will be when they start making vacuum cleaners.


#12 2009-03-24 03:09:00

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: How do I stealth my ports with iptables?

Post your iptables.rules.




#13 2009-03-24 13:38:41

schmoemi
Member
From: Gersthofen, BY, Germany
Registered: 2004-10-17
Posts: 51

Re: How do I stealth my ports with iptables?

I tried this

# iptables rules for spitfire machine

*filter
:INPUT REJECT [0:0]
:FORWARD REJECT [0:0]
:OUTPUT ACCEPT [0:0]

# accept from local loopback
-A INPUT -i lo -j ACCEPT
# accept from LAN / Local Subnet
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Server

#FTP
#Command link
-A INPUT -p tcp --dport 21 -j ACCEPT
#data transfer link
-A INPUT -p tcp --dport 6250 -j ACCEPT

#Freeciv Server
-A INPUT -p tcp --dport 5555 -j ACCEPT

# aMule
-A INPUT -p tcp --dport 4662 -j ACCEPT
-A INPUT -p udp --dport 4665 -j ACCEPT
-A INPUT -p udp --dport 4669 -j ACCEPT

# ICEcast Streaming Audio Server
-A INPUT -p tcp --dport 8000 -j ACCEPT

# Bittorrent
-A INPUT -p tcp --dport 50000 -j ACCEPT

# forward LAN traffic
-A FORWARD -s 192.168.0.0/24 -j ACCEPT

# do not forward NetBIOS/SMB to the internet
-A FORWARD -o ppp+ -p udp --sport 137:138 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 139 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 445 -j DROP

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# do masquerading
-A POSTROUTING -o ppp+ -s 192.168.0.0/24 -j MASQUERADE

COMMIT

instead of

# iptables rules for spitfire machine

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# accept from local loopback
-A INPUT -i lo -j ACCEPT
# accept from LAN / Local Subnet
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Server

#FTP
#Command link
-A INPUT -p tcp --dport 21 -j ACCEPT
#data transfer link
-A INPUT -p tcp --dport 6250 -j ACCEPT

#Freeciv Server
-A INPUT -p tcp --dport 5555 -j ACCEPT

# aMule
-A INPUT -p tcp --dport 4662 -j ACCEPT
-A INPUT -p udp --dport 4665 -j ACCEPT
-A INPUT -p udp --dport 4669 -j ACCEPT

# ICEcast Streaming Audio Server
-A INPUT -p tcp --dport 8000 -j ACCEPT

# Bittorrent
-A INPUT -p tcp --dport 50000 -j ACCEPT

# forward LAN traffic
-A FORWARD -s 192.168.0.0/24 -j ACCEPT

# do not forward NetBIOS/SMB to the internet
-A FORWARD -o ppp+ -p udp --sport 137:138 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 139 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 445 -j DROP

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# do masquerading
-A POSTROUTING -o ppp+ -s 192.168.0.0/24 -j MASQUERADE

COMMIT

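Three things in this thread are easy to get wrong in an iptables-restore file and only show up later: a built-in chain policy of REJECT (posts #11 and #13; iptables-restore refuses it with "Bad policy name", because REJECT is a rule target, not a chain policy, and the valid policies are ACCEPT and DROP), INPUT rules that REJECT instead of DROP (posts #3 to #5; the host answers and ShieldsUP reports "closed"), and working out which ports the INPUT path really accepts once an "open" chain is involved (posts #8 to #10). The following is an added example, not part of the wiki guide or of iptables: a small linter for that file format. The two embedded rule sets are constructed for the example, one a trimmed copy of the "spitfire" rules posted above with the REJECT policies, the other a short wiki-style set with an "open" chain; it does not handle quoted "#" characters inside rules.

```python
"""Lint an iptables-restore file for the problems discussed in this thread:
non-ACCEPT/DROP policies on built-in chains, INPUT rules that REJECT, and
which ports the INPUT path accepts (following jumps into user chains).
Added example; the two rule sets below are constructed for it."""
import re
import shlex

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
VALID_POLICIES = {"ACCEPT", "DROP"}   # REJECT is a rule target, never a chain policy

SPITFIRE_REJECT = """\
*filter
:INPUT REJECT [0:0]
:FORWARD REJECT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 5555 -j ACCEPT
-A INPUT -p udp --dport 4665 -j ACCEPT
-A INPUT -p tcp --dport 50000 -j ACCEPT
COMMIT
"""

WIKI_STYLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A open -i eth0 -p tcp --dport 55555 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """-> {table: {"policies": {chain: policy}, "rules": [(chain, argv), ...]}}"""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments (quoted '#' not handled)
        if not line:
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # user chains carry "-" here
            tables[table]["policies"][chain] = policy
        elif line != "COMMIT":
            argv = shlex.split(line)
            tables[table]["rules"].append((argv[argv.index("-A") + 1], argv))
    return tables


def target_of(argv):
    return argv[argv.index("-j") + 1] if "-j" in argv else None


def lint(text):
    """Findings as strings; an empty list means the set loads and stays silent."""
    findings = []
    for tname, t in parse_rules(text).items():
        for chain, policy in t["policies"].items():
            if chain in BUILTIN_CHAINS and policy not in VALID_POLICIES:
                findings.append(f"{tname}: policy {policy} on {chain} is not allowed "
                                f"(iptables-restore: Bad policy name); use DROP")
        for chain, argv in t["rules"]:
            if tname == "filter" and chain == "INPUT" and target_of(argv) == "REJECT":
                findings.append("filter: INPUT rule answers with REJECT, not DROP: " + " ".join(argv))
    return findings


def accepted_ports(text):
    """(proto, dport) pairs ACCEPTed on the INPUT path, following -j into user chains."""
    by_chain = {}
    for chain, argv in parse_rules(text).get("filter", {"rules": []})["rules"]:
        by_chain.setdefault(chain, []).append(argv)
    ports, seen = set(), set()

    def walk(chain):
        seen.add(chain)
        for argv in by_chain.get(chain, []):
            target = target_of(argv)
            if target == "ACCEPT" and "--dport" in argv:
                ports.add((argv[argv.index("-p") + 1], argv[argv.index("--dport") + 1]))
            elif target in by_chain and target not in seen:
                walk(target)
    walk("INPUT")
    return ports


def stealth(text):
    """Make unsolicited traffic vanish: REJECT policies become DROP, and INPUT rules
    that REJECT become DROP with --reject-with removed (DROP takes no such option)."""
    out = []
    for line in text.splitlines():
        if re.match(r"^:(INPUT|FORWARD|OUTPUT)\s+REJECT\b", line):
            line = line.replace("REJECT", "DROP", 1)
        elif re.match(r"^-A\s+INPUT\b", line):
            line = re.sub(r"-j\s+REJECT\b(\s+--reject-with\s+\S+)?", "-j DROP", line)
        out.append(line)
    return "\n".join(out) + "\n"
```

Feed it your own /etc/iptables/iptables.rules: lint() on the posted spitfire file reports the two bad policies before iptables-restore would, lint() on the wiki-style set reports the two REJECT rules that make ShieldsUP say "closed", stealth() turns both into sets that load and stay silent, and accepted_ports() shows the one port the open chain lets through, which is the same information the iptables -L output in post #10 gives once the rules are loaded. As Procyon noted in post #7, with the policy already DROP the two trailing REJECT rules are redundant; stealth() simply turns them into explicit DROPs.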



Powered by FluxBB