Re: [gentoo-user] OT - ipkungfu not

Michael Sullivan Thu, 05 Oct 2006 06:12:33 -0700

On Wed, 2006-10-04 at 18:57 -0700, Ryan Tandy wrote:
> Michael Sullivan wrote:
> > I'm having a problem with ipkungfu on one of my boxes.  According to the
> > log files, it's running, but it doesn't seem to be firewall-ing.  It's
> > not working on 192.168.1.2.  Here's nmap output from 192.168.1.3:
> > 
> > camille ~ # nmap -sT -PT 192.168.1.2
> > 
> > Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-10-04 20:39
> > CDT
> > Interesting ports on bullet.espersunited.com (192.168.1.2):
> > (The 1657 ports scanned but not shown below are in state: closed)
> > PORT     STATE SERVICE
> > 21/tcp   open  ftp
> > 22/tcp   open  ssh
> > 25/tcp   open  smtp
> > 53/tcp   open  domain
> > 80/tcp   open  http
> > 111/tcp  open  rpcbind
> > 139/tcp  open  netbios-ssn
> > 143/tcp  open  imap
> > 445/tcp  open  microsoft-ds
> > 587/tcp  open  submission
> > 631/tcp  open  ipp
> > 746/tcp  open  unknown
> > 993/tcp  open  imaps
> > 2049/tcp open  nfs
> > 3632/tcp open  distccd
> > MAC Address: 00:10:4B:73:8E:81 (3com)
> > 
> > Nmap finished: 1 IP address (1 host up) scanned in 0.597 seconds
> > 
> 
> OK.  What does iptables -L report?  Is iptables in your default 
> runlevel? (hint: it shouldn't be.)  If iptables is being started after 
> ipkungfu for some reason, it may be overwriting ipkungfu's iptables 
> rules with its saved (blank) ruleset.  Try 'rc-update del iptables && 
> reboot' if iptables is present in any runlevels.  When you start 
> ipkungfu, are there any error messages?


bullet ipkungfu # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
LOG        all  --  0.0.0.1              anywhere            LOG level
warning prefix `IPKF IPKungFu (--init)'
DROP       all  --  125.250.19.90        anywhere
DROP       all  --  abo-140-170-68.bab.modulonet.fr  anywhere
DROP       all  --  220.163.199.101      anywhere
DROP       all  --  217.10.189.30        anywhere
ACCEPT     all  --  bullet.espersunited.com  anywhere
ACCEPT     all  --  camille.espersunited.com  anywhere
ACCEPT     all  --  catherine.espersunited.com  anywhere
ACCEPT     all  --  bubbles.espersonline.com  anywhere
ACCEPT     all  --  192.168.1.101        anywhere
ACCEPT     all  --  192.168.1.102        anywhere
ACCEPT     all  --  192.168.1.103        anywhere
DROP       all  --  anywhere             anywhere            recent:
CHECK seconds: 120 name: badguy side: source
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF flags NONE: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF PORTSCAN (nmap FIN): '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF flags SYN,FIN: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF flags SYN,RST: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT     icmp --  anywhere             anywhere            icmp
echo-request
LOG        all  --  anywhere             anywhere            state
INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid
TCP flag: '
DROP       all  --  anywhere             anywhere            state
INVALID
LOG        all  -f  anywhere             anywhere            limit: avg
3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP       all  -f  anywhere             anywhere
LOG        icmp --  anywhere             anywhere            icmp
timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF ICMP Timestamp: '
DROP       icmp --  anywhere             anywhere            icmp
timestamp-request
syn-flood  tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:!
SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning
prefix `IPKF New Not SYN: '
DROP       tcp  --  anywhere             anywhere            tcp flags:!
SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            multiport
dports netbios-ns,6666
DROP       udp  --  anywhere             anywhere            multiport
dports ms-sql-m
ACCEPT     tcp  --  anywhere             anywhere            state NEW
multiport dports ftp,ssh,smtp,http
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  192.168.1.0/24       anywhere            state NEW
REJECT     tcp  --  anywhere             anywhere            tcp
dpt:auth reject-with tcp-reset
LOG       !icmp --  anywhere             anywhere            limit: avg
3/sec burst 5 LOG level warning prefix `IPKF INPUT Catch-all: '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  bullet.espersunited.com  anywhere
ACCEPT     all  --  camille.espersunited.com  anywhere
ACCEPT     all  --  catherine.espersunited.com  anywhere
ACCEPT     all  --  bubbles.espersonline.com  anywhere
ACCEPT     all  --  192.168.1.101        anywhere
ACCEPT     all  --  192.168.1.102        anywhere
ACCEPT     all  --  192.168.1.103        anywhere
DROP       all  --  anywhere             anywhere            recent:
CHECK seconds: 120 name: badguy side: source
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec
burst 5 LOG level warning prefix `IPKF flags ALL: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF flags NONE: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG
level warning prefix `IPKF flags FIN,URG,PSH: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF PORTSCAN (nmap XMAS): '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF flags SYN,FIN: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF flags SYN,RST: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst
5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level
warning prefix `IPKF PORTSCAN (nmap NULL): '
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN
LOG        all  --  anywhere             anywhere            state
INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid
TCP flag: '
DROP       all  --  anywhere             anywhere            state
INVALID
LOG        all  -f  anywhere             anywhere            limit: avg
3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
DROP       all  -f  anywhere             anywhere
LOG        icmp --  anywhere             anywhere            icmp
timestamp-request limit: avg 3/sec burst 5 LOG level warning prefix
`IPKF ICMP Timestamp: '
DROP       icmp --  anywhere             anywhere            icmp
timestamp-request
syn-flood  tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:!
SYN,RST,ACK/SYN state NEW limit: avg 3/sec burst 5 LOG level warning
prefix `IPKF New Not SYN: '
DROP       tcp  --  anywhere             anywhere            tcp flags:!
SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            multiport
dports netbios-ns,6666
DROP       udp  --  anywhere             anywhere            multiport
dports ms-sql-m
REJECT     tcp  --  anywhere             anywhere            tcp
dpt:auth reject-with tcp-reset

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain syn-flood (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg
10/sec burst 24
LOG        all  --  anywhere             anywhere            limit: avg
3/sec burst 5 LOG level warning prefix `IPKF SYN flood: '
DROP       all  --  anywhere             anywhere
bullet ipkungfu # rc-update show | grep 'iptables'
bullet ipkungfu # /etc/init.d/ipkungfu restart
 * Stopping ipkungfu ...
Stopping ipkungfu:                                              [  OK  ]
[ ok ] * Starting ipkungfu ...
[ ok ]bullet ipkungfu #

And I can still detect all those ports open from nmap on another
machine.

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] OT - ipkungfu not

Reply via email to