tűzfal para

Linux-haladó

Felállás:

Egy Zyxel router protforwarddal, mögötte egy linux-os NAT box, szintén portforward-dal befelé és mögötte egy Windows szerver.

Helyzet:

nmap -sT -v -p 3389 xxx

Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-07 12:05 CEST
Initiating Ping Scan at 12:05
Scanning xxx [2 ports]
Completed Ping Scan at 12:05, 3.02s elapsed (1 total hosts)
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.077 seconds
Raw packets sent: 4 (136B) | Rcvd: 1 (84B)

Ellenben:

nmap -P0 -v -p 3389 xxx

Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-07 12:09 CEST
Initiating Parallel DNS resolution of 1 host. at 12:09
Completed Parallel DNS resolution of 1 host. at 12:09, 0.02s elapsed
Initiating SYN Stealth Scan at 12:09
Scanning mail.tza.hu (xxx) [1 port]
Discovered open port 3389/tcp on xxx
Completed SYN Stealth Scan at 12:09, 0.04s elapsed (1 total ports)
Host mail.tza.hu (xxx) appears to be up ... good.
Interesting ports on xxx (xxx):
PORT STATE SERVICE
3389/tcp open ms-term-serv

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.114 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (46B)

iptables -L --line

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 all -- anywhere windows.server.local

Chain FORWARD (policy DROP)
num target prot opt source destination
1 DROP tcp -- localnet/24 anywhere tcp dpt:smtp
2 ACCEPT tcp -- anywhere windows.server.local tcp dpt:1723
3 ACCEPT tcp -- anywhere windows.server.local tcp dpt:3389
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 ACCEPT all -- anywhere anywhere
6 LOG all -- anywhere anywhere LOG level warning

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 all -- windows.server.local anywhere

A linux-ról nézve minden windows-os service (1723 és 3389) open.
Ill. kívülről nézve nmap -P0 és a telnet xxx 3389 porton is OK.

Hol lehet a hiba?

  • 1112 megtekintés

( eyez00 | 2010. 07. 07., sze – 12:30 )

és a lényeg kimaradt: nem érem el kívülről a windows-os service-eket, bááár, telnettel és nmap -P0-al rendben látszik minden.

( eyez00 | 2010. 07. 07., sze – 12:41 )

iptables lényegesebb részei:

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"

#smtp deny

$IPTABLES -t filter -A FORWARD -s 10.0.0.0/24 -p tcp --dport 25 -j DROP

#pptpd

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.2 --dport 1723 -j DNAT --to 10.0.0.2:1723
$IPTABLES -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 1723 -j ACCEPT

#rdp

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.2 --dport 3389 -j DNAT --to 10.0.0.2:3389
$IPTABLES -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 3389 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

( eyez00 | 2010. 07. 07., sze – 12:45 )

a linux-ról nézve, befelé:

mail:~# nmap -sT -p 1723 10.0.0.2

Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-07 12:49 CEST
Interesting ports on windows.server.local (10.0.0.2):
PORT STATE SERVICE
1723/tcp open pptp
MAC Address: 00:0C:6E:46:xx:xx (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds
mail:~# nmap -sT -p 3389 10.0.0.2

Starting Nmap 4.62 ( http://nmap.org ) at 2010-07-07 12:49 CEST
Interesting ports on windows.server.local (10.0.0.2):
PORT STATE SERVICE
3389/tcp open ms-term-serv
MAC Address: 00:0C:6E:46:xx:xx (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 0.226 seconds

( eyez00 | 2010. 07. 07., sze – 13:02 )

Kis fésülés után az RDP meggyógyult, a VPN panaszkodik még a GRE protokolra