I was using Red Hat 7.1 for my NAT firewall for quite a while, but now that Red Hat is switching to pay or Fedora, I thought I would try recreating my firewall. When running nmap -sS -O against the old one I get what I want:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.77.1)
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
Remote operating system guess: Linux 2.4.16 - 2.4.18
Uptime 41.975 days (since Tue Nov 4 11:24:56 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 25 seconds
With the Fedora box I get a lot of stuff I don't want.
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.77.1)
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp filtered sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open https
1024/tcp filtered kdm
1080/tcp filtered socks
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 5.717 days (since Wed Dec 10 17:39:08 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
How in the world do I get the filtered ports to appear closed, and why can I no longer pass port 25?
My current machine works with the following script, and I am using the exact same one on Fedora Core 1, but Fedora is different. Did I miss a big change in netfilter?
#!/bin/bash
/sbin/dhcpcd
ipt="/sbin/iptables"
modp="/sbin/modprobe"
# external address of eth0; for this we will assume we get 192.168.77.1
ipad=`ifconfig eth0 | grep "inet addr" | awk -F "[B:]" '{print $2}' | cut -d ' ' -f 1`
clean="/root/firewall/awkit" # just a small awk file that removes all rules
echo $ipad # verify we got a good dhcp ip address
# load modules
$modp ip_tables
$modp iptable_nat
$modp iptable_filter
$modp ip_conntrack
$modp ip_conntrack_ftp
$modp ip_nat_ftp
$modp ipt_MASQUERADE
$modp ipt_REDIRECT
# flush rules and clean everything
$clean
# turn ip forwarding on
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn input off by default
#$ipt -P INPUT DROP # comment this out to fix problems and allow accept to work
# allow inputs that are needed.
# inside secure computers
$ipt -A INPUT -s $ipad -d 0/0 -j ACCEPT
# per-port blocks; these must come before the blanket tcp ACCEPT below
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 1024 -j REJECT
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 111 -j DROP
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 137 -j DROP
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 138 -j DROP
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 139 -j DROP
$ipt -A INPUT -p tcp -s 0/0 -d $ipad --dport 1080 -j DROP
$ipt -A INPUT -p tcp -s 0/0 -d $ipad -j ACCEPT
# allow machine to talk to itself.
$ipt -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
# allow inside machines to masquerade out.
$ipt -A POSTROUTING -t nat -s 192.168.80.0/24 -j MASQUERADE
# allow services through (forwarded to the inside host 192.168.80.101)
$ipt -A PREROUTING -t nat -p tcp -i eth0 -d $ipad --dport 25 -j DNAT --to 192.168.80.101:25
$ipt -A PREROUTING -t nat -p tcp -i eth0 -d $ipad --dport 80 -j DNAT --to 192.168.80.101:80
$ipt -A PREROUTING -t nat -p tcp -i eth0 -d $ipad --dport 443 -j DNAT --to 192.168.80.101:443
$ipt -A PREROUTING -t nat -p tcp -i eth0 -d $ipad --dport 22 -j DNAT --to 192.168.80.101:22
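The filtered-versus-closed question above comes down to what the firewall sends back to a SYN probe. The following is an added illustration, not code from the post: a first-match model of the script's INPUT chain together with nmap's SYN-scan classification (no reply or an ICMP unreachable is reported as filtered, a TCP RST as closed). The response table, the `closing_variant` helper and the `listening` set (which stands in for either a local daemon or a DNAT target that answers) are assumptions made for this example.

```python
# Added example, not part of the original post: why DROP (and a plain REJECT,
# whose default reply is ICMP port-unreachable) both show up as "filtered" in
# an nmap -sS scan, while only a TCP RST is reported as "closed".

# Firewall verdict -> what leaves the host in reply to the SYN probe.
RESPONSE = {
    "DROP": None,                        # silent: no packet at all
    "REJECT": "icmp-port-unreachable",   # iptables default for REJECT
    "REJECT tcp-reset": "rst",           # REJECT --reject-with tcp-reset
}

def nmap_state(verdict, listening):
    """Map a verdict (plus whether something answers) to nmap's port state."""
    if verdict == "ACCEPT":
        return "open" if listening else "closed"   # SYN/ACK vs kernel RST
    if RESPONSE[verdict] == "rst":
        return "closed"
    return "filtered"   # no reply, or an ICMP unreachable error

def first_match(rules, port):
    """iptables semantics: the first matching rule decides, else the policy."""
    for ports, verdict in rules:
        if ports is None or port in ports:
            return verdict
    return "ACCEPT"   # the post leaves the INPUT policy at ACCEPT

# The INPUT chain of the post, in rule order (None = any destination port).
INPUT_CHAIN = [
    ({1024}, "REJECT"),
    ({111, 137, 138, 139, 1080}, "DROP"),
    (None, "ACCEPT"),
]

def scan(rules, listening, probe_ports):
    """Simulate what nmap -sS would report for each probed port."""
    return {p: nmap_state(first_match(rules, p), p in listening)
            for p in probe_ports}

def closing_variant(rules):
    """Same chain, but every block answers with a TCP RST (assumed change)."""
    return [(ports, "REJECT tcp-reset" if v in ("DROP", "REJECT") else v)
            for ports, v in rules]

if __name__ == "__main__":
    probes = [22, 80, 111, 137, 443, 1024, 1080, 8080]   # constructed sample
    print("as posted :", scan(INPUT_CHAIN, {22, 80, 443}, probes))
    print("tcp-reset :", scan(closing_variant(INPUT_CHAIN), {22, 80, 443}, probes))
```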