Determine open ports

Hi,

I installed a web server and a data base server for local development. I want
to ensure that these both and cupsd are only accessible from localhost. If I
run

netstat -ntulp 127.0.0.1

I get a list of programs listening for connections. But are these the ports
that are accessible from this machine or from outside? If these are the ports
that are open from inside only, how can I test which ports are open from
outside.

Mostly I'm inside a network with hundreds of other hosts behind a not very
restrictive firewall and I assume that some kind of NAT is used. But I use
different networks, not only this one. If you need more information, please
tell me what, then I'll provide.


Marco

On 03/14/2011 04:38 PM, Marco wrote:
> Hi,
>
> I installed a web server and a data base server for local development. I want
> to ensure that these both and cupsd are only accessible from localhost. If I
> run
>
> netstat -ntulp 127.0.0.1
>
> I get a list of programs listening for connections. But are these the ports
> that are accessible from this machine or from outside? If these are the ports
> that are open from inside only, how can I test which ports are open from
> outside.

Run 'netstat -l -p -n -t'. Example meanings;
Proto R-Q S-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
Means, that port 631/tcp is open on loopback interface.
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
Means, that port 22/tcp is open on all interfaces.
tcp 0 0 10.1.1.2:445 0.0.0.0:* LISTEN -
Means, that port 445/tcp is open on interface with IP 10.1.1.2.

Be sure to set iptables policy of FORWARD chain to DROP and disable IPv6
if u don't use it.

Regards.
e.

On 03/14/2011 04:50 PM, ein wrote:
> [...]
> Be sure to set iptables policy of FORWARD chain to DROP and disable IPv6
> if u don't use it.

U can also disable IP forwarding;
echo 0 > /proc/sys/net/ipv4/ip_forward

On 2011-03-14 ein <(E-Mail Removed)> wrote:

> On 03/14/2011 04:50 PM, ein wrote:
> > [...]
> > Be sure to set iptables policy of FORWARD chain to DROP and disable IPv6
> > if u don't use it.
>
> U can also disable IP forwarding;
> echo 0 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward

already gives »0«. I didn't set up any iptables rules. I disabledall services
I don't need except 2 (these are still open, this is okay) and the 3 mentioned
that should only be accessible from localhost (but they are, thanks to your
previous post).

If you still see a reason to write iptables rules, please tell me, otherwise
thanks for your help.


Marco

On 03/14/2011 05:12 PM, Marco wrote:
> On 2011-03-14 ein <(E-Mail Removed)> wrote:
>> On 03/14/2011 04:50 PM, ein wrote:
>>> [...]
>>> Be sure to set iptables policy of FORWARD chain to DROP and disable IPv6
>>> if u don't use it.
>>
>> U can also disable IP forwarding;
>> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> cat /proc/sys/net/ipv4/ip_forward
>
> already gives »0«. I didn't set up any iptables rules. I disabled all services
> I don't need except 2 (these are still open, this is okay) and the 3 mentioned
> that should only be accessible from localhost (but they are, thanks to your
> previous post).
>
> If you still see a reason to write iptables rules, please tell me, otherwise
> thanks for your help.

Of course you need a firewall. I see lots of reasons but I don't have
time to explain this. Please for future read:
http://www.google.pl/search?client=o...hannel=suggest

Some basic script you find at:
http://wiki.linuxquestions.org/wiki/...uration_script

Regards.

On 2011-03-14 ein <(E-Mail Removed)> wrote:
> > If you still see a reason to write iptables rules, please tell me,
> > otherwise thanks for your help.
>
> Of course you need a firewall. I see lots of reasons but I don't have
> time to explain this. Please for future read:
> http://www.google.pl/search?client=o...hannel=suggest

I have read many of the pages, but I have problems to define what I should be
protected from and what you think I need. A simple packet filter?

My knowledge so far:

I have two services open to the world. On these ports the packet filter is
useless, since the packets go unfiltered.

Then I have three services (cupsd, apache, postgres) that are accessible from
localhost only. Incoming packages should not harm in any way if the software
works correctly. A packet filter would not change anything.

On all other ports there are not services listening. With or without packet filter.

> Some basic script you find at:
> http://wiki.linuxquestions.org/wiki/...uration_script

As I mentioned before, I'm not an expert but my understanding is that this
script protects from:

1) Forwarded packets
2) Accepts packets for public services (as particular example ssh)
3) Drops any other incoming packets

My thoughts:

1) Forwarding is turned off, so packets aren't forwarded
2) So does my system
3) So does my system

If I'm mistaken, correct me. I read many of your links but as I mentioned I
still have problems to define what I should be protected from.


Marco

Hello,

ein a écrit :
>
> Run 'netstat -l -p -n -t'. Example meanings;
> Proto R-Q S-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
> Means, that port 631/tcp is open on loopback interface.

Indirectly, because 127.0.0.1 can be used only on a loopback interface.

> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
> Means, that port 22/tcp is open on all interfaces.

Correct.

> tcp 0 0 10.1.1.2:445 0.0.0.0:* LISTEN -
> Means, that port 445/tcp is open on interface with IP 10.1.1.2.

Not exactly. The port is open on any interface, but only at this
address. By default Linux enforces the "weak host model", so
communications can use any local address on any interface, except
127.x.y.z which is restricted to loopback interfaces.

> Be sure to set iptables policy of FORWARD chain to DROP

That won't filter access to local ports. The FORWARD chain filters only
received packets not destined to the local host.

On 03/14/2011 09:50 PM, Pascal Hambourg wrote:
> Hello,
>
> ein a écrit :
>>
>> Run 'netstat -l -p -n -t'. Example meanings;
>> Proto R-Q S-Q Local Address Foreign Address State PID/Program name
>> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
>> Means, that port 631/tcp is open on loopback interface.
>
> Indirectly, because 127.0.0.1 can be used only on a loopback interface.

This is not true.

eth1 Link encap:Ethernet HWaddr 00:90:27:34:5e:ab
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
route:
eth1 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0

>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
>> Means, that port 22/tcp is open on all interfaces.
>
> Correct.
>
>> tcp 0 0 10.1.1.2:445 0.0.0.0:* LISTEN -
>> Means, that port 445/tcp is open on interface with IP 10.1.1.2.
>
> Not exactly. The port is open on any interface, but only at this
> address. By default Linux enforces the "weak host model", so
> communications can use any local address on any interface, except
> 127.x.y.z which is restricted to loopback interfaces.

True, 127.0.0.0/8 is restricted.
I think loopback can by used like any other interafce - we can route
trafic to it.

>> Be sure to set iptables policy of FORWARD chain to DROP
>
> That won't filter access to local ports. The FORWARD chain filters only
> received packets not destined to the local host.

True, but we can route traffic to it, if IP forwarding is turned on.

ein a écrit :
> On 03/14/2011 09:50 PM, Pascal Hambourg wrote:
>>
>> ein a écrit :
>>> Run 'netstat -l -p -n -t'. Example meanings;
>>> Proto R-Q S-Q Local Address Foreign Address State PID/Program name
>>> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
>>> Means, that port 631/tcp is open on loopback interface.
>> Indirectly, because 127.0.0.1 can be used only on a loopback interface.
>
> This is not true.
>
> eth1 Link encap:Ethernet HWaddr 00:90:27:34:5e:ab
> inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
> route:
> eth1 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0

You can *assign* a loopback address on a non loopback interface, but
cannot effectively *use* it.
Just try it. Any packet received or sent on a non loopback interface
from or to a loopback address will just be discarded by the kernel.

On 03/15/2011 11:20 PM, Pascal Hambourg wrote:
> You can *assign* a loopback address on a non loopback interface, but
> cannot effectively *use* it.

Sorry you're right. Just tried. (;

Regards.