On Tue, May 28, 2002 at 02:55:11PM -0400, Ramin Alidousti wrote:
>On Tue, May 28, 2002 at 02:42:51PM -0400, George Georgalis wrote:
>
>> Hi All,
>>
>> Why does this nmap scan show these ports filtered, not closed?
>>
>> 50420/tcp filtered unknown
>> 50421/tcp filtered unknown
>> 50422/tcp open unknown
>> 50423/tcp filtered unknown
>> 50424/tcp filtered unknown
>
>"filtered" means: I sent syn and got nothing back.
>
Okay, I found the syntax for reject (below).

>> Also, I was wondering why a connect from the LAN port 50422 (to the
>> firewall) does nat to 192.168.0.1:22? It works from the internet....
>
>What is it supposed to do then? If you only want this from the Internet
>then do:
>
>iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 50422 -j DNAT --to-destination 192.168.0.1:22

No, I want the LAN and Internet connections to :50422 to NAT to
192.168.0.1:22, but this command from the LAN hangs...

    ssh -p50422 [EMAIL PROTECTED]

and there is no connection recorded in the 192.168.0.1 log. I'm at a loss.
Here's the present script:

    LANIF=eth0
    EXTIF=eth1
    TCP_OPEN="22,25,53,80,113,50422"
    UDP_OPEN="22,53"

    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport --dport $TCP_OPEN -j ACCEPT
    iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -m multiport --dport $UDP_OPEN -j ACCEPT
    iptables -A INPUT -i $LANIF -m state --state NEW -j ACCEPT
    iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
    iptables -A INPUT -j LOG --log-prefix "INPUT-DROP "
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

    iptables -P FORWARD DROP
    iptables -A FORWARD -i $LANIF -o $EXTIF -j ACCEPT
    iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT
    iptables -A FORWARD -i $EXTIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $LANIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP "

    iptables -t nat -A PREROUTING -p tcp --dport 50422 -j DNAT --to-destination 192.168.0.1:22
    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    iptables -P OUTPUT ACCEPT

Thanks for your help!
// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
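A hang like the one above is what a DNAT-only rule produces when the ssh client and 192.168.0.1 sit on the same LAN segment: the firewall rewrites the destination, but 192.168.0.1 answers the client directly, and the client discards a SYN/ACK from an address and port it never connected to. Added example, not code from this thread: the hairpin (NAT loopback) leg that forces the reply back through the firewall, assuming the LAN is 192.168.0.0/24 on eth0 and the firewall's own LAN address is 192.168.0.254 (both constructed placeholders), emitted as a reviewable rule list rather than applied directly.

```shell
#!/bin/sh
# Hairpin NAT for a DNAT'ed port that LAN hosts also reach via the firewall.
# Assumed/constructed values: LANNET and FWLAN are placeholders, substitute
# the real subnet and the firewall's real LAN address before use.
LANIF=eth0
LANNET=192.168.0.0/24
FWLAN=192.168.0.254        # constructed: firewall's address on $LANIF
SSHHOST=192.168.0.1        # DNAT target from the script above
DPORT=50422

# Emit the rules instead of running them, so they can be reviewed first
# (pipe the output to sh on the firewall to apply).
hairpin_rules() {
    # 1. Destination rewrite, as in the original script (any interface).
    echo "iptables -t nat -A PREROUTING -p tcp --dport $DPORT -j DNAT --to-destination $SSHHOST:22"
    # 2. The missing leg: for LAN-sourced connections also rewrite the
    #    source to the firewall, so $SSHHOST replies to the firewall and
    #    conntrack un-NATs the answer back to firewall:$DPORT for the client.
    #    Internet-sourced connections never match -s $LANNET, so they are
    #    unaffected and keep their real source address in the sshd log.
    echo "iptables -t nat -A POSTROUTING -o $LANIF -s $LANNET -d $SSHHOST -p tcp --dport 22 -j SNAT --to-source $FWLAN"
    # 3. Permit the already-DNAT'ed packet to be forwarded LAN -> LAN.
    echo "iptables -A FORWARD -i $LANIF -o $LANIF -d $SSHHOST -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Self-check used below: exactly one SNAT rule must be present, otherwise
# the LAN side still hangs.
snat_rule_count() {
    hairpin_rules | grep -c -- '-j SNAT'
}

hairpin_rules
```

The cost of the SNAT leg is that sshd on 192.168.0.1 logs LAN clients as coming from the firewall's address, so that log loses the real LAN source for hairpinned sessions.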
