On Wed, 2006-10-04 at 18:57 -0700, Ryan Tandy wrote:
> Michael Sullivan wrote:
> > I'm having a problem with ipkungfu on one of my boxes. According to the
> > log files, it's running, but it doesn't seem to be firewall-ing. It's
> > not working on 192.168.1.2. Here's nmap output from 192.168.1.3:
> >
> > camille ~ # nmap -sT -PT 192.168.1.2
> >
> > Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39 CDT
> > Interesting ports on bullet.espersunited.com (192.168.1.2):
> > (The 1657 ports scanned but not shown below are in state: closed)
> > PORT     STATE SERVICE
> > 21/tcp   open  ftp
> > 22/tcp   open  ssh
> > 25/tcp   open  smtp
> > 53/tcp   open  domain
> > 80/tcp   open  http
> > 111/tcp  open  rpcbind
> > 139/tcp  open  netbios-ssn
> > 143/tcp  open  imap
> > 445/tcp  open  microsoft-ds
> > 587/tcp  open  submission
> > 631/tcp  open  ipp
> > 746/tcp  open  unknown
> > 993/tcp  open  imaps
> > 2049/tcp open  nfs
> > 3632/tcp open  distccd
> > MAC Address: 00:10:4B:73:8E:81 (3com)
> >
> > Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds
> >
>
> OK. What does iptables -L report? Is iptables in your default
> runlevel? (hint: it shouldn't be.) If iptables is being started after
> ipkungfu for some reason, it may be overwriting ipkungfu's iptables
> rules with its saved (blank) ruleset. Try 'rc-update del iptables &&
> reboot' if iptables is present in any runlevels. When you start
> ipkungfu, are there any error messages?
bullet ipkungfu # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  0.0.0.1              anywhere            LOG level warning prefix `IPKF IPKungFu (--init)'
DROP       all  --  125.250.19.90        anywhere
DROP       all  --  abo-140-170-68.bab.modulonet.fr  anywhere
DROP       all  --  220.163.199.101      anywhere
DROP       all  --  217.10.189.30        anywhere
ACCEPT     all  --  bullet.espersunited.com  anywhere
ACCEPT     all  --  camille.espersunited.com  anywhere
ACCEPT     all  --  catherine.espersunited.com  anywhere
ACCEPT     all  --  bubbles.espersonline.com  anywhere
ACCEPT     all  --  192.168.1.101        anywhere
ACCEPT     all  --  192.168.1.102        anywhere
ACCEPT     all  --  192.168.1.103        anywhere
DROP       all  --  anywhere             anywhere            recent: CHECK seconds: 120 name: badguy side: source
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
DROP       all  --  anywhere             anywhere            state INVALID
LOG        all  -f  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP       all  -f  anywhere             anywhere
LOG        icmp --  anywhere             anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
DROP       icmp --  anywhere             anywhere            icmp timestamp-request
syn-flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:! SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
DROP       tcp  --  anywhere             anywhere            tcp flags:! SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            multiport dports netbios-ns,6666
DROP       udp  --  anywhere             anywhere            multiport dports ms-sql-m
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp,ssh,smtp,http
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  192.168.1.0/24       anywhere            state NEW
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with tcp-reset
LOG        !icmp --  anywhere            anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  bullet.espersunited.com  anywhere
ACCEPT     all  --  camille.espersunited.com  anywhere
ACCEPT     all  --  catherine.espersunited.com  anywhere
ACCEPT     all  --  bubbles.espersonline.com  anywhere
ACCEPT     all  --  192.168.1.101        anywhere
ACCEPT     all  --  192.168.1.102        anywhere
ACCEPT     all  --  192.168.1.103        anywhere
DROP       all  --  anywhere             anywhere            recent: CHECK seconds: 120 name: badguy side: source
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags FIN,URG,PSH: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
LOG        tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
LOG        all  --  anywhere             anywhere            state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
DROP       all  --  anywhere             anywhere            state INVALID
LOG        all  -f  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP       all  -f  anywhere             anywhere
LOG        icmp --  anywhere             anywhere            icmp timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix `IPKF ICMP Timestamp: '
DROP       icmp --  anywhere             anywhere            icmp timestamp-request
syn-flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:! SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning prefix `IPKF New Not SYN: '
DROP       tcp  --  anywhere             anywhere            tcp flags:! SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            multiport dports netbios-ns,6666
DROP       udp  --  anywhere             anywhere            multiport dports ms-sql-m
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain syn-flood (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 10/sec burst 24
LOG        all  --  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
DROP       all  --  anywhere             anywhere
bullet ipkungfu # rc-update show | grep 'iptables'
bullet ipkungfu # /etc/init.d/ipkungfu restart
 * Stopping ipkungfu ...
Stopping ipkungfu: [ OK ]                                                [ ok ]
 * Starting ipkungfu ...                                                 [ ok ]
bullet ipkungfu #

And I can still detect all those ports open from nmap on another machine.

-- 
gentoo-user@gentoo.org mailing list
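Reading the INPUT chain above in the order iptables evaluates it, as an added example that is not part of the thread: a small checker run over a constructed, abridged copy of that listing, which reports the first ACCEPT matching every new connection from any source and lists the rules behind it that no new connection can reach, since iptables stops at the first terminal target that matches. It assumes the column layout of plain iptables -L as shown in the mail (no -v counters).

```python
import re

# Constructed, abridged copy of the INPUT and OUTPUT chains from the listing
# in the mail; the LOG, TCP-flag and syn-flood rules are left out for brevity.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.101        anywhere
DROP       all  --  anywhere             anywhere            recent: CHECK seconds: 120 name: badguy side: source
DROP       tcp  --  anywhere             anywhere            multiport dports netbios-ns,6666
ACCEPT     tcp  --  anywhere             anywhere            state NEW multiport dports ftp,ssh,smtp,http
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  192.168.1.0/24       anywhere            state NEW
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with tcp-reset
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
"""


def parse_chains(listing):
    """Chain name -> rules as (target, prot, opt, src, dst, extra), in print order."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"^Chain (\S+) \(", line)
        if header:
            current, chains[header.group(1)] = header.group(1), []
        elif line.strip() and not line.startswith("target") and current:
            cols = line.split(None, 5)            # extra column holds the match text
            chains[current].append(tuple(cols + [""] * (6 - len(cols))))
    return chains


def accepts_every_new_connection(rule):
    """ACCEPT for any protocol, source and destination, limited at most to state NEW."""
    target, prot, opt, src, dst, extra = rule
    return (target == "ACCEPT" and prot == "all" and opt == "--"
            and src == dst == "anywhere" and extra.strip() in ("", "state NEW"))


def shadowed_rules(listing, chain="INPUT"):
    """(1-based position of the first wildcard ACCEPT, rules after it) or None."""
    rules = parse_chains(listing).get(chain, [])
    for pos, rule in enumerate(rules, start=1):
        if accepts_every_new_connection(rule):
            return pos, [" ".join(c for c in r if c) for r in rules[pos:]]
    return None
```

In the abridged INPUT chain the wildcard is the sixth rule, so the 192.168.1.0/24 ACCEPT, the auth REJECT and the final DROP never see a new connection; in OUTPUT nothing follows it, which is consistent with its ACCEPT policy.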