# iptables open on other ports

## silwerspawn

hey everyone 

I got a bad problem with my iptables.

For some reason I can connect to my server (which is also the router where iptables is installed) on almost any random port.

I have some internal VNC servers running only for internal use at :4 and :5.

But I can connect to them from the outside. Why?

Here is my iptables-save:

```
# Generated by iptables-save v1.4.1.1 on Sat Nov  1 10:54:19 2008
*nat
:PREROUTING ACCEPT [2205493:165833688]
:POSTROUTING ACCEPT [287861:44133544]
:OUTPUT ACCEPT [1252271:121454787]
-A PREROUTING -i WAN -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.0.10
-A PREROUTING -i WAN -p tcp -m tcp --dport 3 -j DNAT --to-destination 192.168.0.109:22
-A POSTROUTING -o WAN -j MASQUERADE
COMMIT
# Completed on Sat Nov  1 10:54:19 2008
# Generated by iptables-save v1.4.1.1 on Sat Nov  1 10:54:19 2008
*mangle
:PREROUTING ACCEPT [157954099:95689050593]
:INPUT ACCEPT [154159393:92378716311]
:FORWARD ACCEPT [3767923:3305346293]
:OUTPUT ACCEPT [183680054:141003759038]
:POSTROUTING ACCEPT [187506660:144321207816]
COMMIT
# Completed on Sat Nov  1 10:54:19 2008
# Generated by iptables-save v1.4.1.1 on Sat Nov  1 10:54:19 2008
*filter
:INPUT ACCEPT [39277768:24475736906]
:FORWARD DROP [14422:3452563]
:OUTPUT ACCEPT [183680054:141003759038]
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -i ! LAN -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! LAN -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i WAN -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 2 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 1 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 6543 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 49750 -j ACCEPT
-A INPUT -i WAN -p udp -m udp --dport 49750 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 6886 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i ! LAN -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! LAN -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/16 -i LAN -j DROP
-A FORWARD -s 192.168.0.0/16 -i LAN -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i WAN -j ACCEPT
COMMIT
# Completed on Sat Nov  1 10:54:19 2008
```

Have I made some bad errors?

----------

## VinzC

If I've understood what you mean by interface WAN you're allowing incoming traffic from the Internet towards your server machine on the following ports:

```
-A INPUT -i WAN -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 2 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 1 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 6543 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 49750 -j ACCEPT
-A INPUT -i WAN -p udp -m udp --dport 49750 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 6886 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 20 -j ACCEPT
```

Is it *really* what you want?

----------

## Hu

Beyond that, I do not see any rules to prevent WAN traffic to the specified VNC ports.  The default INPUT policy is ACCEPT, so the kernel is accepting the WAN traffic because no prior rules have told it otherwise.

----------

## silwerspawn

VinzC ->

I have a stack of ports open; I'm running a tracker.

Then it's a home server with

proftp

postfix

dovecot -pop3 -imap

apache

named

ssh

VNC on :1 :2 :3 :4 :5 internal except one or two of them

and

webmin

Is that too much, then?

Hu ->

Which should I change, all of them? I'm getting a little lost in the iptables now :S

----------

## vaguy02

Can I just say that having all those ports open to the world is an insanely bad idea! 

My suggestion is to do an accept on the most limited number of ports possible. Add a line about established and related packets, and change the default policy to DROP for INPUT, OUTPUT and FORWARD.

----------

## silwerspawn

I have read a lot of manuals, but when I set INPUT, FORWARD and OUTPUT to DROP I just can't get any connection to anything.

I have tried to open port 80, but I have logged myself out.

Could someone give me an example?

I have tried a lot of different ways according to guides and tutorials.

----------

## VinzC

Here's a tutorial about TCP, IP and iptables. It's pretty long but quite clear. I think you'll fully understand how it works after reading.

----------

## silwerspawn

Ey... some good night reading...

Maybe I should install my printer again  :Very Happy: 

----------

## vaguy02

Opening port 80 as you indicated will not solve your problem; that will allow new requests in (i.e. running a web server). What you want is Established and Related packets accepted. You don't need to open port 80 to get "internet".
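Hu's point (with policy ACCEPT, anything no rule mentions is accepted) and vaguy02's (policy DROP plus a RELATED,ESTABLISHED rule lets replies to the server's own connections through without opening ports) can be checked with a small model of how netfilter walks the INPUT chain. This is an added Python example, not code from the thread: it parses only the iptables-save subset used here, ORIGINAL is an excerpt of silwerspawn's first INPUT chain, and HARDENED is a constructed rewrite along vaguy02's lines.

```python
# Added model of how netfilter walks the INPUT chain (first matching rule wins,
# otherwise the chain policy decides) for the iptables-save subset used here.
def parse_rule(tok):
    r, i = {"neg": False}, 0
    while i < len(tok):
        if tok[i] == "-i" and tok[i + 1] == "!":           # old-style "-i ! LAN"
            r["neg"], r["-i"], i = True, tok[i + 2], i + 3
        elif tok[i] in ("-i", "-p", "-j", "--dport", "--state"):
            r[tok[i]], i = tok[i + 1], i + 2
        else:                                              # -m tcp, --reject-with ...
            i += 1
    return r

def matches(r, pkt):
    if "-i" in r and (pkt["iface"] == r["-i"]) == r["neg"]:
        return False
    if "-p" in r and pkt["proto"] != r["-p"]:
        return False
    if "--dport" in r:
        lo, _, hi = r["--dport"].partition(":")            # "22" or "0:1023"
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    if "--state" in r and pkt["state"] not in r["--state"].split(","):
        return False
    return True

def verdict(ruleset, pkt, chain="INPUT"):
    policy = "ACCEPT"
    for line in ruleset.strip().splitlines():
        tok = line.split()
        if tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule = parse_rule(tok[2:])
            if matches(rule, pkt):
                return rule["-j"]
    return policy                                          # fell off the end

# INPUT excerpt from the thread's first ruleset: policy ACCEPT, no conntrack.
ORIGINAL = """
:INPUT ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ! LAN -p tcp -m tcp --dport 0:1023 -j DROP
"""

# Constructed rewrite along vaguy02's lines: policy DROP, replies via conntrack.
HARDENED = """
:INPUT DROP
-A INPUT -i LAN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i WAN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
"""

# VNC display :4 listens on TCP 5904 by default; a new connection from the WAN.
VNC4_FROM_WAN = {"iface": "WAN", "proto": "tcp", "dport": 5904, "state": "NEW"}
```

`verdict(ORIGINAL, VNC4_FROM_WAN)` falls off the end of the chain and returns the ACCEPT policy, which is exactly why the internal VNC displays answer from outside; the same packet gets DROP from HARDENED, while an ESTABLISHED reply to an outbound connection is still accepted.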

----------

## silwerspawn

Thanks  :Wink: 

I think I will need to stick my head down into some more about iptables, even though I'm a super slow reader.

I will return again in a day or two, and hope i have learned some more  :Wink: 

----------

## silwerspawn

Okay, I just can't get my printer to run right now; that old piece of junk needs to be cleaned :S and I just can't read that much on a screen.

Anyway, I have tried to narrow down the ports and found a good new guide on the net, but I am running a big bunch of services on this server, so...

Here is my new iptables:

```
#The NAT portion of the ruleset. Used for Network Address Translation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
-A POSTROUTING -o WAN -j MASQUERADE
COMMIT
#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i LAN -p tcp -m tcp --dport 445 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# Connection for MYSQL (Need evaluation almost every database is localhost only)
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Here are my VNC interfaces:
# Spawn:5901
# Azureus:5902
# Spawn:5903 (High Resolution)
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5902 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5903 -j ACCEPT
# Private Torrent Tracker
#-A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49750 -j ACCEPT
-A INPUT -p udp -m udp --dport 49750 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
# Connection for MYSQL (Need evaluation almost every database is localhost only)
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# Here are my VNC interfaces:
# Spawn:5901
# Azureus:5902
# Spawn:5903 (High Resolution)
-A OUTPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5902 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5903 -j ACCEPT
# Private Torrent Tracker
#-A OUTPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 49750 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 49750 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
# Here we go with some forwarding
#
-A FORWARD -d 192.168.0.0/16 -i LAN -j DROP
-A FORWARD -s 192.168.0.0/16 -i LAN -j LOG_ACCEPT
-A FORWARD -d 192.168.0.0/16 -i WAN -j LOG_ACCEPT
#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requests.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 93.160.203.34 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
```

But why can WoW communicate through 3724? I don't understand.

----------

## VinzC

Is your WOW client on your LAN?

Here's a commented example:

```
IFWAN=eth1
IFLAN=eth0
IPLAN=192.168.x.y/24

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:WHITE-LIST -

# ---INPUT: From the Internet to processes running on this machine
# Accept already established connections on all interfaces...
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ... but filter WAN interface:
-A INPUT -i ! $IFWAN -j ACCEPT
# Accept incoming OpenVPN packets
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
# Accept local MSN networks, chat and file transfers
-A INPUT -p udp -m udp -m multiport --dports 10690,7892,6346,6347 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 10686,7892,6346,6347,6881,6882 -m state --state NEW -j ACCEPT
# Accept DHCP packets from ISP!
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# Log the rest (and DROP, see policy)
-A INPUT -j LOG --log-prefix "flt-in: " --log-level 7 --log-tcp-options --log-ip-options

# ---OUTPUT: From processes running on this machine towards the Internet
# Accept existing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Pass everything but filter outgoing traffic towards the Internet
-A OUTPUT -o ! $IFWAN -j ACCEPT
# Allow outgoing ICMP
-A OUTPUT -p icmp -j ACCEPT
# Allow outgoing OpenVPN, DNS, MSN,...
-A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1863 -j ACCEPT
# Allow outgoing FTP, SMTP, POP, News, DNS and Network Time Protocol
-A OUTPUT -p tcp -m tcp -m multiport --dports 21,25,110,119 -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
# Allow outgoing web traffic
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow outgoing SSH connections (STD and custom ports)
-A OUTPUT -p tcp -m tcp -m multiport --dports 22,1522 -j ACCEPT
# Allow local processes running with these accounts
-A OUTPUT -m owner --uid-owner ftpproxy -j ACCEPT
-A OUTPUT -m owner --uid-owner p2p -j ACCEPT
-A OUTPUT -m owner --uid-owner portage -j ACCEPT
-A OUTPUT -m owner --uid-owner ut2004 -j ACCEPT
# Log (and drop) the rest
-A OUTPUT -j LOG --log-prefix "flt-out: " --log-level 7 --log-tcp-options --log-ip-options --log-uid

# ---Forward: from/to LAN hosts to/from the Internet
# Forward new and related packets
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward everything that is not from or to WAN without condition (include lo)
-A FORWARD -i ! $IFWAN -o ! $IFWAN -j ACCEPT
# Forward GRE packets (PPTP VPN)
-A FORWARD -p gre -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
# Forward UDP packets to/from WAN (might be more secure, but Ok...)
-A FORWARD -p udp -j ACCEPT
# Allow machines on the LAN to use FTP, HTTP, HTTPS plus other well-known Web ports
-A FORWARD -p tcp -m tcp -m multiport --dports 21,80,443,8000,8080 -j ACCEPT
# Allow SMTP, POP, IMAP and PPTP VPN
-A FORWARD -p tcp -m tcp -m multiport --dports 25,110,143,1723 -j ACCEPT
# Allow LAN hosts to contact remote SSH hosts through port 22 (standard) and 65522 (custom example)
-A FORWARD -p tcp -m tcp -m multiport --dports 22,65522 -j ACCEPT
# Allow everything in the white list
-A FORWARD -j WHITE-LIST
# Log (and drop) the rest!
-A FORWARD -j LOG --log-prefix "flt-fwd: " --log-level 7 --log-tcp-options --log-ip-options

# White list: Unreal Tournament global servers :-)
-A WHITE-LIST -d 193.25.197.33/32 -p tcp -m state --state NEW -j ACCEPT
COMMIT

*nat
:PREROUTING DROP
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
# Redirect incoming FTP traffic to Frox, port 1521
-A PREROUTING -s $IPLAN -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 1521
# Accept almost all incoming connections...
-A PREROUTING -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
# And log the rest!
-A PREROUTING -j LOG --log-prefix "nat-pre: " --log-level 7 --log-tcp-options --log-ip-options
# Masquerade outgoing traffic through WAN interface
-A POSTROUTING -o $IFWAN -j MASQUERADE
# Source NAT incoming OpenVPN traffic
-A POSTROUTING -s 172.21.45.0/24 -d $IPLAN -j SNAT --to-source 192.168.45.1
COMMIT
```

You'll note only the WAN interface appears. Also be careful *not* to use 127.0.0.1 but lo. Using lo is not equal to 127.0.0.1/32, which is a common mistake.

Finally I've intentionally set my PREROUTING policy to DROP. It was set this way but I never saw anything logged so you can revert it to ACCEPT.

As for the p2p user, I have a process running locally on my server and it's running under that account. ut2004 is a user account that is dedicated to ut2004-ded. Users ftpproxy and portage are self-explanatory, I think  :Smile: .

----------

## silwerspawn

Yes it is, and I'm thinking I need to look a little more at the forward! Thanks  :Wink: 

----------

## silwerspawn

The whitelist you are using, that's built into the kernel, right?

----------

## VinzC

*silwerspawn wrote:*

> The whitelist you are using, that's built into the kernel, right?

No, it's just an all-purpose jump chain that I created.

----------

## silwerspawn

Ahh, sorry, I missed that one at the top  :Wink: 

----------

