Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

7th December 2009, 08:49 AM
Registered User (Join Date: Sep 2008, Posts: 202)

Port forwarding: Works to other device, but not server
If I forward port 5764 to port 80 to my VOIP device, I can nmap and get a proper connection. If I forward port 5764 to port 22 to my server, it comes up filtered. It even happens if I try forwarding port 80 to my server. So I'm sure it has something to do with my server, but I'm not sure.
Here's my Linksys iptables:
Code:
:wanin - [0:0]
-A FORWARD -i vlan1 -j wanin
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
# cat /etc/iptables |grep 80
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
# cat /etc/iptables
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i vlan1 -d 192.168.2.1/255.255.255.0 -j DROP
-A PREROUTING -p udp -s 192.168.2.1/255.255.255.0 ! -d 192.168.2.1/255.255.255.0 --dport 53 -j DNAT --to-destination 192.168.2.1
-A PREROUTING -p icmp -d xx.xx.xx.xx -j DNAT --to-destination 192.168.2.1
-A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 56983 -j DNAT --to-destination 192.168.2.1:443
-A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 56982 -j DNAT --to-destination 192.168.2.1:22
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
-A PREROUTING -p udp -d xx.xx.xx.xx -m mport --dports 5060,5061 -j DNAT --to-destination 192.168.2.8
-A POSTROUTING -p udp -m mport --dports 5060,5061 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
-A PREROUTING -p udp -d xx.xx.xx.xx --dport 10000:20000 -j DNAT --to-destination 192.168.2.8
-A POSTROUTING -p udp --dport 10000:20000 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
-A POSTROUTING -o vlan1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -d 69.92.51.22 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.1 --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.2.1 --dport 22 -j ACCEPT
:FORWARD DROP [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
:wanin - [0:0]
:wanout - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan1 -j wanin
-A FORWARD -o vlan1 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A wanin -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
-A wanin -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
COMMIT
And here's my server's iptables:
Code:
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ra0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 --syn -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 --syn -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
COMMIT
*nat
-A POSTROUTING -o ra0 -j MASQUERADE
COMMIT
Thanks for helping
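One check worth running before chasing the router: walk the server's own INPUT chain for a new TCP SYN and see which interface/port combinations it would actually let through. The evaluator below is an added example, not from the thread or any poster; it embeds the server rules quoted above and understands only `-i`, `-p`, `--dport`/`--dports` and `--state` (it ignores `--syn`, `--icmp-type` and address matches), which is enough for the question at hand.

```python
import re

# The server's filter rules exactly as quoted in the thread above.
SERVER_INPUT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ra0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 --syn -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 --syn -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Pull out the matches this simplified evaluator understands from one iptables-save line."""
    rule = {"iface": None, "proto": None, "ports": None, "states": None}
    m = re.search(r"-i (\S+)", line)
    rule["iface"] = m.group(1) if m else None
    m = re.search(r"-p (\S+)", line)
    rule["proto"] = m.group(1) if m else None
    m = re.search(r"--dports? (\S+)", line)          # --dport N or --dports A,B,C
    if m:
        rule["ports"] = {int(p) for p in m.group(1).split(",")}
    m = re.search(r"--state (\S+)", line)
    if m:
        rule["states"] = set(m.group(1).split(","))
    rule["target"] = re.search(r"-j (\S+)", line).group(1)
    return rule

def evaluate(rules_text, iface, proto, dport, state="NEW"):
    """Return the target the first matching rule jumps to; 'POLICY' if nothing matches."""
    for line in rules_text.strip().splitlines():
        r = parse_rule(line)
        if r["iface"] and r["iface"] != iface:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["ports"] is not None and dport not in r["ports"]:
            continue
        if r["states"] and state not in r["states"]:
            continue
        return r["target"]
    return "POLICY"

if __name__ == "__main__":
    # A DNAT'd SYN to port 80 is accepted only if it arrives on eth0; via ra0 it is REJECTed,
    # and icmp-host-prohibited is exactly what nmap reports as "filtered".
    for iface, port in (("eth0", 80), ("ra0", 80), ("ra0", 22)):
        print(f"{iface} tcp/{port}: {evaluate(SERVER_INPUT, iface, 'tcp', port)}")
```

Since the server's nat table masquerades out of ra0, it is worth confirming which interface the router's forwarded packets actually arrive on; the second thread post notes the result is the same with iptables off, so this only rules the server's filter in or out.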

17th December 2009, 11:03 PM
Registered User (Join Date: Nov 2009, Posts: 36)

Are you running any utilities to block invalid login attempts, or have ssh set to only allow certain IP addresses to log in?
-- Security is Dead

17th December 2009, 11:55 PM
Registered User (Join Date: Sep 2008, Posts: 202)

There's nothing in hosts.allow, and I have fail2ban installed, but not configured. But I don't think it has anything to do with ssh/login, because if I turn off iptables or set a rule to accept all traffic, the port still shows up as filtered to nmap.
I also tried starting in single mode, starting only ssh and network, but still get the same results. Forwarding the port to another device still appears as open.