iptables firewall problems.

From: Jean-David Beyer (jdbeyer_at_exit109.com)
Date: 07/20/03


Date: Sat, 19 Jul 2003 21:26:15 -0400

I use iptables firewall.

For input, I accept stuff from the outside world on very few ports, and
some of these from very few IP addresses. Normally, therefore, I could
not obtain answers to queries sent out on the Internet.

So I have a loophole in my rules, like this:

#################################################################
# Rules for built-in chains #
#################################################################

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j BADIP
$IPT -A INPUT -j SHUN
$IPT -A INPUT -p ! icmp -j IN
$IPT -A INPUT -p icmp -j IN_ICMP
$IPT -A INPUT -j LDROP
# Now the main input checker.
$IPT -N IN
$IPT -A IN -m state --state INVALID -j LDROP
$IPT -A IN -p tcp --syn -j FLOOD
$IPT -A IN -p tcp -j FLAGS
$IPT -A IN -m state --state ESTABLISHED,RELATED -j ACCEPT <---<<<
$IPT -A IN -j IN_SPOOF
[other rules to accept a few connections]
[if you fall out the bottom, message is rejected]

I would expect that the rule indicated by <---<<< would permit what I
need with CPAN. I imagine it is using Active Mode FTP.

But I sometimes have problems with this. Recently I tried to get some
stuff with CPAN and it does not work. It complains of timeouts. If I
look at /var/log/messages I see stuff like this:

Jul 19 20:30:29: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=32675 DF
  PROTO=TCP SPT=20 DPT=56611 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:08: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19899 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:11: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19900 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:17: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19901 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:29: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19902 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:53: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19903 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:33:41: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19904 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:35:21: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=10544 DF
  PROTO=TCP SPT=20 DPT=56618 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

I do not know just how "ESTABLISHED,RELATED" are determined in IPTABLES.
I have "Red Hat Linux Firewalls" that says, in part:

  ESTABLISHED indicates that the packet is associated with a connection
  that has seen a two-way exchange of packets.
  RELATED indicates that the packet is associated [HOW?] with a new
  connection that is related to an established connection.

The book also states:

  ... the term _connection_ is broader than when used in the context of
  the TCP protocol. Here, the term refers to an entry in the state table.
  The entry can pertain to TCP or UDP communication between hosts.
  Connections are identified by protocol, source and destination IP
  address, and source and destination port. A new connection is created
  whenever a client attempts to contact a server. ...

  A _related_ connection is one that has an association with an
  established connection but involves a different protocol, source or
  destination IP address, or source or destination port.

However it is done, normal web browsing works, as does e-mail, and almost
everything else I do. But these do not work. I would *hate* to enable
arbitrary connections to my port 20 (and 21) even though I do not run an
ftp server myself. What is the proper way to accept these things? Or is
the server set up wrong and I am right to refuse their messages?

-- 
   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey     http://counter.li.org
  ^^-^^ 8:50pm up 31 days, 23:21, 3 users, load average: 2.29, 2.19, 2.12
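Added example, not part of the post: a parser for the "IPT Drop" lines above that picks out dropped SYNs arriving from remote source port 20 (what an FTP server sends when it opens an active-mode data connection back to the client) and shows the spacing of the server's retries behind the CPAN timeouts. The sample records are constructed in the post's log format; the last one is a non-FTP drop the classifier should ignore.

```python
import re
from datetime import datetime
# Constructed sample in the shape of the post's IPT Drop lines; the last record is a non-FTP drop.
SAMPLE_LOG = """\
Jul 19 20:32:08: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19899 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:11: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19900 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:32:17: IPT Drop: IN=ppp0 SRC=209.221.142.118 ID=19901 DF
  PROTO=TCP SPT=20 DPT=56616 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Jul 19 20:40:02: IPT Drop: IN=ppp0 SRC=198.51.100.7 ID=4 DF
  PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""
RECORD_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): IPT Drop: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_drops(text):
    """One dict per dropped packet; wrapped continuation lines are re-joined first."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()  # continuation of the previous record
        else:
            records.append(line.rstrip())
    drops = []
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        fields = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), "flags": set()}
        for tok in m.group("rest").split():
            if "=" in tok:  # KEY=VALUE field; numeric values become ints
                k, v = tok.split("=", 1)
                fields[k] = int(v) if v.isdigit() else v
            elif tok in TCP_FLAGS:  # bare TCP flag token (DF is an IP flag, ignored)
                fields["flags"].add(tok)
        drops.append(fields)
    return drops

def active_ftp_data_attempts(drops):
    """Group dropped SYNs from remote port 20 by (SRC, DPT) with seconds between retries."""
    groups = {}
    for d in drops:
        if d.get("PROTO") == "TCP" and d.get("SPT") == 20 and "SYN" in d["flags"]:
            groups.setdefault((d["SRC"], d["DPT"]), []).append(d["ts"])
    report = {}
    for key, times in groups.items():  # log order is chronological
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {"attempts": len(times), "retry_gaps_s": gaps}
    return report
```

A SYN from source port 20 is the signature of an active-mode FTP data connection; in netfilter it is the FTP connection-tracking helper (ip_conntrack_ftp on 2.4-era kernels, nf_conntrack_ftp later) that lets such a packet match RELATED to the control connection, so the ESTABLISHED,RELATED rule alone does not cover it.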
