Conversation
precedente ou
suivante
Re: iptables
Envoyé par:
elyes
merci.
j'ai ce msg a la suite de: /sbin/modprobe ip_nat_ftp
autrement une tite question, ou je p trouvre de la doc pour configurer un firewall (mono-poste par le cable ) pour ma slackware.
P.S.:
nmap -v -sV -O 19X.XXX.X.XXX donne :
Discovered open port 25/tcp on 19X.XXX.X.XXX
Discovered open port 22/tcp on 19X.XXX.X.XXX
Discovered open port 113/tcp on 19X.XXX.X.XXX
Discovered open port 587/tcp on 19X.XXX.X.XXX
Discovered open port 37/tcp on 19X.XXX.X.XXX
Discovered open port 6000/tcp on 19V.XXX.X.XXX
ca fait mal
Merci.
j'ai ce msg a la suite de: /sbin/modprobe ip_nat_ftp
autrement une tite question, ou je p trouvre de la doc pour configurer un firewall (mono-poste par le cable ) pour ma slackware.
P.S.:
nmap -v -sV -O 19X.XXX.X.XXX donne :
Discovered open port 25/tcp on 19X.XXX.X.XXX
Discovered open port 22/tcp on 19X.XXX.X.XXX
Discovered open port 113/tcp on 19X.XXX.X.XXX
Discovered open port 587/tcp on 19X.XXX.X.XXX
Discovered open port 37/tcp on 19X.XXX.X.XXX
Discovered open port 6000/tcp on 19V.XXX.X.XXX
ca fait mal
Merci.
Poste le Monday 17 January 2005 19:40:22
Re: iptables
Envoyé par:
Perramus
Salut,
De toute manière ip_nat_ftp ça ne te sert à rien dans le cadre d'un mono-pc...
Pour la doc, je conseille toujours [olivieraj.free.fr]... tu y trouveras tout le nécessaire pour tes problème de nmap qui cherche et trouve ;-)
Pour un script d'exemple, généralement j'envoie ça... mais bon, autant le donner sur le forum... :
Lis attentivement la doc, et tu devrais t'y retrouver sans problème... @:-)
De toute manière ip_nat_ftp ça ne te sert à rien dans le cadre d'un mono-pc...
Pour la doc, je conseille toujours [olivieraj.free.fr]... tu y trouveras tout le nécessaire pour tes problème de nmap qui cherche et trouve ;-)
Pour un script d'exemple, généralement j'envoie ça... mais bon, autant le donner sur le forum... :
#!/bin/bash # # # ZEN - Un script iptables pour tranquilliser les pingouinets sur le net.^^ # # # Modifié le 08/01/2005 # # # Ce script est prévu pour tourner avec une connexion sur l'interface ppp0. A changer selon les # besoins ( eth0,... ). # # En creusant un peu, vous pourrez constater qu'il n'est pas "optimum". Les règles en ont été # volontairement simplifiées afin de permettre # une compréhension tout en douceur à ceux qui se mettent à iptables. Si néanmoins un problème # était constaté ou si les motivations d'un # choix demeuraient obscures,ou encore simplement si vous avez des idées pour améliorer le script # sans le complexifier, vous pouvez sans # problème en référer à l'auteur de ce script( consultez l'adresse courante dans le profil de # Perramus sur www.lea-linux.org ). Souvenez-vous # cependant que loopback est le seul réseau potentiellement 100% sûr. ;-) # # Quelques adresses : # # - [olivieraj.free.fr] | Doc (fr) à partir de laquelle ce # script à été élaboré dans sa plus grande partie. # - [lea-linux.org] | Deuxième source (fr) de ce script. # - [iptables-tutorial.frozentux.net] | Tutorial (en) très complet sur tous les concepts de # Netfilter/iptables. # - [www.pcflank.com] | Un site (en) pour tester les firewalls. S'y rendre pour vérifier que # tout est bien en place. # # BON COURAGE ! :-) # #INITIALISATION FILTER # "On ferme tout" iptables -t filter -F iptables -t filter -X iptables -t filter -P INPUT DROP iptables -t filter -P OUTPUT DROP iptables -t filter -P FORWARD DROP #INITIALISATION NAT # La chaîne FORWARD de filter est en DROP, # donc aucun paquet n'arrive jusqu'ici... On laisse donc tout ouvert. iptables -t nat -F iptables -t nat -X iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT #INITIALISATION MANGLE # iptables -t mangle -F iptables -t mangle -X iptables -t mangle -P PREROUTING ACCEPT iptables -t mangle -P INPUT ACCEPT iptables -t mangle -P OUTPUT ACCEPT iptables -t mangle -P POSTROUTING ACCEPT iptables -t mangle -P FORWARD ACCEPT #Chargement des modules modprobe ip_conntrack modprobe ip_conntrack_ftp #Ouverture du réseau virtuel iptables -t filter -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT iptables -t filter -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT #Autorisation du retour des connexions établies ( le RELATED ne sert ici que pour le ftp, on ne l'autorise donc que sur le port 20 ) iptables -A INPUT -i ppp0 -d 0.0.0.0/0 -p all -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i ppp0 -p tcp --sport 20 -m state --state RELATED -j ACCEPT #Autorisations en sortie vers internet # Première option - "Tout" # A utiliser en cas de problème... mettre en commentaire (#) les règles de la seconde option # #iptables -A OUTPUT -o ppp0 -p all -m state --state !INVALID -j ACCEPT # Seconde option - "A la carte" # Commentez ce qui est inutile #dns ( permet de surfer avec les noms des sites plutôt que leurs adresses IP ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT #http ( surf internet ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #https ( surf internet sécurisé... utile pour certains sites : banques etc... ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT #pop3 ( récupération des mails ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT #smtp ( envoi des mails ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT #msn ( bon c'est assez clair ...non ? ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 1863 -m state --state NEW,ESTABLISHED -j ACCEPT #jabber ( Autre protocole de messagerie LIBRE ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 5222 -m state --state NEW,ESTABLISHED -j ACCEPT #ftp ( protocole de transferts de fichiers... utile parfois ) iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT #icmp ( ping et traceroute ) iptables -A OUTPUT -o ppp0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
Lis attentivement la doc, et tu devrais t'y retrouver sans problème... @:-)
Poste le Monday 17 January 2005 20:31:48
Re: iptables
Envoyé par:
elyes
bonjour,
ouf! c pas tres simple pour un bleu :,(
nmap -v -sV -O 19X.XXX.X.XXX #donne ca
"PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
37/tcp open time?
113/tcp open ident OpenBSD identd
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [www.insecure.org] :
SF-Port37-TCP:V=3.75%D=1/18%Time=3884D951%P=i486-slackware-linux-gnu%r(NUL
SF:L,4,"\xbc/W\xd1")%r(GenericLines,4,"\xbc/W\xd1")%r(GetRequest,4,"\xbc/W
SF:\xd1")%r(HTTPOptions,4,"\xbc/W\xd1")%r(RTSPRequest,4,"\xbc/W\xd1")%r(RP
SF:CCheck,4,"\xbc/W\xd1")%r(DNSVersionBindReq,4,"\xbc/W\xd1")%r(DNSStatusR
SF:equest,4,"\xbc/W\xd1")%r(Help,4,"\xbc/W\xd1")%r(SSLSessionReq,4,"\xbc/W
SF:\xd1")%r(SMBProgNeg,4,"\xbc/W\xd1")%r(X11Probe,4,"\xbc/W\xd1")%r(LPDStr
SF:ing,4,"\xbc/W\xd1")%r(LDAPBindReq,4,"\xbc/W\xd1")%r(LANDesk-RC,4,"\xbc/
SF:W\xd1")%r(TerminalServer,4,"\xbc/W\xd1")%r(NCP,4,"\xbc/W\xd1")%r(NotesR
SF
C,4,"\xbc/W\xd1")%r(WMSRequest,4,"\xbc/W\xd1")%r(oracle-tns,4,"\xbc/W\
SF:xd1");
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.058 days (since Tue Jan 18 20:57:45 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=5077897 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 8.580 seconds "
bref mon pc est une vraie concierge :-/
voila ce que j'ai mis dans mon rc.local:
#!/bin/sh -x
# $Id: firewall,v 2.0 2002/08/01 13:42:22 chryjs Exp $
# File provided by www.firewall-net.com
# Parameters
# $1 : external interface name
# $2 : external interface ip address
# $3 : Gateway ip address
echo "Starting firewalling... "
# ----------------------------------------------------------------------------
if [ ! -z "$1" ]; then
EXTERNAL_INTERFACE=$1
GATEWAY=$2
else
EXTERNAL_INTERFACE="eth0"
GATEWAY="0/0"
fi
LOOPBACK_INTERFACE="lo"
IPADDR=`LANG= LC_ALL= ifconfig ${EXTERNAL_INTERFACE} | grep 'inet addr' |
awk -F: '{ print $2 } ' | awk '{ print $1 }'`
ANYWHERE="0/0"
DHCP_SERVER="0/0"
if [ -f /etc/resolv.conf ]; then
NAMESERVER_1=`grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`
else
NAMESERVER_1="127.0.0.1"
fi
SMTP_SERVER="127.0.0.1"
POP_SERVER="0/0"
NEWS_SERVER="any/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# ----------------------------------------------------------------------------
NFS_PORT="2049"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
CVS_PSERVER_PORT="2401"
MYSQL_PORT="3306"
# ----------------------------------------------------------------------------
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT REJECT
iptables -P FORWARD DROP
# ----------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# ----------------------------------------------------------------------------
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
# ----------------------------------------------------------------------------
iptables -A INPUT -s $IPADDR -j DROP
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j REJECT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SMTP_SERVER --destination-port 25 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SMTP_SERVER --source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 113 -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 43 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 43 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 79 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 79 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 21 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 6667 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# ----------------------------------------------------------------------------
# CABLE
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $IPADDR --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $BROADCAST_DEST --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
--destination-port 68 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 67 \
-d $IPADDR --destination-port 68 -j DROP
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d any/0 --destination-port 123 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s any/0 --source-port 123 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, #fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j REJECT #ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j LOG
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j LOG
# ----------------------------------------------------------------------------
echo "done"
exit 0
ou est l'erreur :-( ?
ouf! c pas tres simple pour un bleu :,(
nmap -v -sV -O 19X.XXX.X.XXX #donne ca
"PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
37/tcp open time?
113/tcp open ident OpenBSD identd
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [www.insecure.org] :
SF-Port37-TCP:V=3.75%D=1/18%Time=3884D951%P=i486-slackware-linux-gnu%r(NUL
SF:L,4,"\xbc/W\xd1")%r(GenericLines,4,"\xbc/W\xd1")%r(GetRequest,4,"\xbc/W
SF:\xd1")%r(HTTPOptions,4,"\xbc/W\xd1")%r(RTSPRequest,4,"\xbc/W\xd1")%r(RP
SF:CCheck,4,"\xbc/W\xd1")%r(DNSVersionBindReq,4,"\xbc/W\xd1")%r(DNSStatusR
SF:equest,4,"\xbc/W\xd1")%r(Help,4,"\xbc/W\xd1")%r(SSLSessionReq,4,"\xbc/W
SF:\xd1")%r(SMBProgNeg,4,"\xbc/W\xd1")%r(X11Probe,4,"\xbc/W\xd1")%r(LPDStr
SF:ing,4,"\xbc/W\xd1")%r(LDAPBindReq,4,"\xbc/W\xd1")%r(LANDesk-RC,4,"\xbc/
SF:W\xd1")%r(TerminalServer,4,"\xbc/W\xd1")%r(NCP,4,"\xbc/W\xd1")%r(NotesR
SF
C,4,"\xbc/W\xd1")%r(WMSRequest,4,"\xbc/W\xd1")%r(oracle-tns,4,"\xbc/W\
SF:xd1");
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.058 days (since Tue Jan 18 20:57:45 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=5077897 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 8.580 seconds "
bref mon pc est une vraie concierge :-/
voila ce que j'ai mis dans mon rc.local:
#!/bin/sh -x
# $Id: firewall,v 2.0 2002/08/01 13:42:22 chryjs Exp $
# File provided by www.firewall-net.com
# Parameters
# $1 : external interface name
# $2 : external interface ip address
# $3 : Gateway ip address
echo "Starting firewalling... "
# ----------------------------------------------------------------------------
if [ ! -z "$1" ]; then
EXTERNAL_INTERFACE=$1
GATEWAY=$2
else
EXTERNAL_INTERFACE="eth0"
GATEWAY="0/0"
fi
LOOPBACK_INTERFACE="lo"
IPADDR=`LANG= LC_ALL= ifconfig ${EXTERNAL_INTERFACE} | grep 'inet addr' |
awk -F: '{ print $2 } ' | awk '{ print $1 }'`
ANYWHERE="0/0"
DHCP_SERVER="0/0"
if [ -f /etc/resolv.conf ]; then
NAMESERVER_1=`grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`
else
NAMESERVER_1="127.0.0.1"
fi
SMTP_SERVER="127.0.0.1"
POP_SERVER="0/0"
NEWS_SERVER="any/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# ----------------------------------------------------------------------------
NFS_PORT="2049"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
CVS_PSERVER_PORT="2401"
MYSQL_PORT="3306"
# ----------------------------------------------------------------------------
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT REJECT
iptables -P FORWARD DROP
# ----------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# ----------------------------------------------------------------------------
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
# ----------------------------------------------------------------------------
iptables -A INPUT -s $IPADDR -j DROP
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j REJECT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SMTP_SERVER --destination-port 25 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SMTP_SERVER --source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 113 -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 43 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 43 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 79 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 79 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 21 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 6667 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# ----------------------------------------------------------------------------
# CABLE
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $IPADDR --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $BROADCAST_DEST --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
--destination-port 68 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 67 \
-d $IPADDR --destination-port 68 -j DROP
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d any/0 --destination-port 123 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s any/0 --source-port 123 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, #fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j REJECT #ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j LOG
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j LOG
# ----------------------------------------------------------------------------
echo "done"
exit 0
ou est l'erreur :-( ?
Poste le Tuesday 18 January 2005 22:41:42
Re: iptables
Envoyé par:
Jonesy's
Bonsoir,
Et comment il est lancé ton script, car il se comporte différemment suivant les parametres...
Ensuite, comme le dit Perramus, il est seul ton PC ou il sert de passerelle ?
@+
--- Marchons seul, sans faire le mal, sans rien attendre, tel l'éléphant qui traverse la forêt. ---
Et comment il est lancé ton script, car il se comporte différemment suivant les parametres...
Ensuite, comme le dit Perramus, il est seul ton PC ou il sert de passerelle ?
@+
--- Marchons seul, sans faire le mal, sans rien attendre, tel l'éléphant qui traverse la forêt. ---
Poste le Wednesday 19 January 2005 02:03:54
Re: iptables
Envoyé par:
elyes
salut,
mon pc est bien seul sauf que j'ai un modem CDLP noos --> IP par DHCP.
et i faut que j'accepte les requettes du modem non?
autrement avec l'exemple de Perramu, et même avec celui de www.firewall-net.com, j'ai toujours des port ouvert:
root@Darkstar:/home/elyes# nmap -v -sV -O 195.xxx.x.xx
Starting nmap 3.75 ( [www.insecure.org] ) at 2000-01-19 11:33 CET
Initiating SYN Stealth Scan against m80.net195.xxx.x.xx.noos.fr (195.xxx.x.xx) [1663 ports] at 11:33
Discovered open port 113/tcp on 195.xxx.x.xx
Discovered open port 22/tcp on 195.xxx.x.xx
Discovered open port 37/tcp on 195.xxx.x.xx
Discovered open port 6000/tcp on 195.xxx.x.xx
The SYN Stealth Scan took 0.38s to scan 1663 total ports.
Initiating service scan against 4 services on m80.net195.xxx.x.xx.noos.fr (195.xxx.x.xx) at 11:33
The service scan took 5.05s to scan 4 services on 1 host.
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
Host m80.net195-xxx-x.noos.fr (195.xxx.x.xx) appears to be up ... good.
Interesting ports on m80.net195-xxx-x.noos.fr (195.xxx.x.xx):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
37/tcp open time?
113/tcp open ident OpenBSD identd
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [www.insecure.org] :
SF-Port37-TCP:V=3.75%D=1/19%Time=388592E8%P=i486-slackware-linux-gnu%r(NUL
SF:L,4,"\xbc0\x11h")%r(GenericLines,4,"\xbc0\x11h")%r(GetRequest,4,"\xbc0\
SF:x11h")%r(HTTPOptions,4,"\xbc0\x11h")%r(RTSPRequest,4,"\xbc0\x11h")%r(RP
SF:CCheck,4,"\xbc0\x11h")%r(DNSVersionBindReq,4,"\xbc0\x11h")%r(DNSStatusR
SF:equest,4,"\xbc0\x11h")%r(Help,4,"\xbc0\x11h")%r(SSLSessionReq,4,"\xbc0\
SF:x11h")%r(SMBProgNeg,4,"\xbc0\x11h")%r(X11Probe,4,"\xbc0\x11h")%r(LPDStr
SF:ing,4,"\xbc0\x11h")%r(LDAPBindReq,4,"\xbc0\x11h")%r(LANDesk-RC,4,"\xbc0
SF:\x11h")%r(TerminalServer,4,"\xbc0\x11h")%r(NCP,4,"\xbc0\x11h")%r(NotesR
SFC,4,"\xbc0\x11h")%r(WMSRequest,4,"\xbc0\x11h")%r(oracle-tns,4,"\xbc0\x
SF:11h");
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7), Linux 2.6.3 - 2.6.8
Uptime 0.033 days (since Wed Jan 19 10:46:04 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2026304 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 8.364 seconds
alors mon pc est une vraie "piplètte"
PS: le script est ecrit dans /etc/rc.d/rc.local
Merci pour votre aide c vraiment trés sympathique, je ne m'attendais vraiment pas a des réponces aussi rapide
encore merci
mon pc est bien seul sauf que j'ai un modem CDLP noos --> IP par DHCP.
et i faut que j'accepte les requettes du modem non?
autrement avec l'exemple de Perramu, et même avec celui de www.firewall-net.com, j'ai toujours des port ouvert:
root@Darkstar:/home/elyes# nmap -v -sV -O 195.xxx.x.xx
Starting nmap 3.75 ( [www.insecure.org] ) at 2000-01-19 11:33 CET
Initiating SYN Stealth Scan against m80.net195.xxx.x.xx.noos.fr (195.xxx.x.xx) [1663 ports] at 11:33
Discovered open port 113/tcp on 195.xxx.x.xx
Discovered open port 22/tcp on 195.xxx.x.xx
Discovered open port 37/tcp on 195.xxx.x.xx
Discovered open port 6000/tcp on 195.xxx.x.xx
The SYN Stealth Scan took 0.38s to scan 1663 total ports.
Initiating service scan against 4 services on m80.net195.xxx.x.xx.noos.fr (195.xxx.x.xx) at 11:33
The service scan took 5.05s to scan 4 services on 1 host.
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
Host m80.net195-xxx-x.noos.fr (195.xxx.x.xx) appears to be up ... good.
Interesting ports on m80.net195-xxx-x.noos.fr (195.xxx.x.xx):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
37/tcp open time?
113/tcp open ident OpenBSD identd
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [www.insecure.org] :
SF-Port37-TCP:V=3.75%D=1/19%Time=388592E8%P=i486-slackware-linux-gnu%r(NUL
SF:L,4,"\xbc0\x11h")%r(GenericLines,4,"\xbc0\x11h")%r(GetRequest,4,"\xbc0\
SF:x11h")%r(HTTPOptions,4,"\xbc0\x11h")%r(RTSPRequest,4,"\xbc0\x11h")%r(RP
SF:CCheck,4,"\xbc0\x11h")%r(DNSVersionBindReq,4,"\xbc0\x11h")%r(DNSStatusR
SF:equest,4,"\xbc0\x11h")%r(Help,4,"\xbc0\x11h")%r(SSLSessionReq,4,"\xbc0\
SF:x11h")%r(SMBProgNeg,4,"\xbc0\x11h")%r(X11Probe,4,"\xbc0\x11h")%r(LPDStr
SF:ing,4,"\xbc0\x11h")%r(LDAPBindReq,4,"\xbc0\x11h")%r(LANDesk-RC,4,"\xbc0
SF:\x11h")%r(TerminalServer,4,"\xbc0\x11h")%r(NCP,4,"\xbc0\x11h")%r(NotesR
SF
C,4,"\xbc0\x11h")%r(WMSRequest,4,"\xbc0\x11h")%r(oracle-tns,4,"\xbc0\x
SF:11h");
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7), Linux 2.6.3 - 2.6.8
Uptime 0.033 days (since Wed Jan 19 10:46:04 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2026304 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 8.364 seconds
alors mon pc est une vraie "piplètte"
PS: le script est ecrit dans /etc/rc.d/rc.local
Merci pour votre aide c vraiment trés sympathique, je ne m'attendais vraiment pas a des réponces aussi rapide
encore merci
Poste le Wednesday 19 January 2005 11:37:59
Re: iptables
Envoyé par:
Perramus
Si tu as des ports ouverts, c'est parce que tu as des services qui tournent... maintenant il est probable que ces ports ne soient ouverts que sur loopback ( donc invisible de l'extérieur )...
Le 22 c'est ssh
Il faut que tu ailles dans /etc/rc.d/rc.M ( je crois, c'est du moins ce que je fais ) et que tu commentes une ligne du type ( je donne de tête ):
Le 22 c'est ssh
Il faut que tu ailles dans /etc/rc.d/rc.M ( je crois, c'est du moins ce que je fais ) et que tu commentes une ligne du type ( je donne de tête ):
Citation
code
if [ -x /etc/rc.d/rc.ssh ]
then /etc/rc.d/rc.ssh start
fi[/code]
Ou mieux, que tu désinstalles ssh.
Le 6000 c'est le serveur X, l'astuce pour le fermer est expliquée dans la doc que je t'ai pointée.
Dans le doute teste ta machine sur [www.pcflank.com] ils te diront quels ports sont visibles de l'extérieur.
Poste le Wednesday 19 January 2005 12:50:19
Re: iptables
Envoyé par:
elyes
Merci 
en effet les ports ne sont visibles que par la loopback ^^D-*
la réponse de [www.pcflank.com sur c ports est la suivante
22 stealthed n/a n/a
37 stealthed n/a n/a
113 stealthed n/a n/a
6000 stealthed n/a n/a
merci les amis
en effet les ports ne sont visibles que par la loopback ^^D-*
la réponse de [www.pcflank.com sur c ports est la suivante
22 stealthed n/a n/a
37 stealthed n/a n/a
113 stealthed n/a n/a
6000 stealthed n/a n/a
merci les amis
Poste le Wednesday 19 January 2005 14:02:33
Ce forum !
iptables
Aide aux utilisateurs de la distribution Slackware et ses dérivées : Slax, Vector
Sauf mention contraire, les documentations publiées sont sous licence Creative-Commons