Thanks so much for this wonderful software... I am using it on CentOS servers and I am recommending it to my IT friends...
I have a problem on an Ubuntu Server 12.04.
Configured CSF without problems... I have not included any IP in the allow/ignore lists yet.
The problem is the IN port configuration does not apply well... I have:

TCP_IN = "21,22,53,80,8080,8081,30000:50000"
TCP_OUT = "20,21,22,53,80,3306,110,113,443,8080,8081"
UDP_IN = "53,123"
UDP_OUT = "20,21,53,113,123,33434:33523"
TCP6_IN = "21,22,53,80,3306,8080,8081,30000:50000"
TCP6_OUT = "20,21,22,53,80,110,113,443,3306,8080,8081"
UDP6_IN = "53,123"
UDP6_OUT = "20,21,53,113,123,33434:33523"

The OUT config is running OK... for example, I cannot telnet to any MTA on port 25 with csf enabled.
The problem is, for any external IP, access to port 3306 or 10000 is allowed!!! There is nothing I can do to deny input traffic to 10000 or 3306, despite the correct configuration... I repeat, no IP is configured in the allow/ignore lists yet.
The csf output when starting:

root@megaserver1 /etc/csf # service csf start
Starting csf:Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:67
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:68
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:111
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:113
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpts:135:139
DROP udp opt in * out * ::/0 -> ::/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:445
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:500
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:500
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:500
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:500
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:513
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
DROP tcp opt in * out * ::/0 -> ::/0 tcp dpt:520
DROP udp opt in * out * ::/0 -> ::/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 tcp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 udp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
DROP all opt in * out * ::/0 -> ::/0
DENYOUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out eth0 ::/0 -> ::/0
DENYIN all opt in eth0 out * ::/0 -> ::/0
ALLOWOUT all opt in * out eth0 ::/0 -> ::/0
ALLOWIN all opt in eth0 out * ::/0 -> ::/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x30/0x20
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags:! 0x17/0x02 ctstate NEW
INVDROP all opt in * out * ::/0 -> ::/0 ctstate INVALID
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x3F/0x00
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x3F/0x3F
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x03/0x03
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x06/0x06
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x05/0x05
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x11/0x01
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x18/0x08
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags: 0x30/0x20
INVDROP tcp opt in * out * ::/0 -> ::/0 tcpflags:! 0x17/0x02 ctstate NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
INVALID tcp opt in eth0 out * ::/0 -> ::/0
INVALID tcp opt in * out eth0 ::/0 -> ::/0
ACCEPT all opt -- in eth0 out * 188.78.51.2 -> 0.0.0.0/0
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 188.78.51.2
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 50/sec burst 350
LOG all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *SYNFLOOD Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
SYNFLOOD tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcpflags: 0x17/0x02
CONNLIMIT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 #conn src/32 > 350
CONNLIMIT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:8081flags: 0x17/0x02 #conn src/32 > 60
REJECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with tcp-reset
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in eth0 out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt in * out eth0 ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:53
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:8080
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:8081
ACCEPT tcp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpts:30000:50000
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:21
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:22
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:53
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:80
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:3306
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:8080
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpt:8081
ACCEPT tcp opt in eth0 out * ::/0 -> ::/0 ctstate NEW tcp dpts:30000:50000
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:20
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:3306
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:110
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:113
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:443
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:8080
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW tcp dpt:8081
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:20
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:21
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:22
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:53
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:80
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:110
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:113
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:443
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:3306
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:8080
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 ctstate NEW tcp dpt:8081
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:53
ACCEPT udp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:123
ACCEPT udp opt in eth0 out * ::/0 -> ::/0 ctstate NEW udp dpt:53
ACCEPT udp opt in eth0 out * ::/0 -> ::/0 ctstate NEW udp dpt:123
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:20
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:21
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:113
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpt:123
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 ctstate NEW udp dpts:33434:33523
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpt:20
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpt:21
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpt:53
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpt:113
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpt:123
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 ctstate NEW udp dpts:33434:33523
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
ACCEPT icmp opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
ACCEPT icmp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
ACCEPT icmpv6 opt in eth0 out * ::/0 -> ::/0
ACCEPT icmpv6 opt in * out eth0 ::/0 -> ::/0
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
LOGDROPOUT all opt in * out eth0 ::/0 -> ::/0
LOGDROPIN all opt in eth0 out * ::/0 -> ::/0
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 udp spt:53
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 tcp spt:53
ACCEPT udp opt in * out eth0 ::/0 -> ::/0 udp dpt:53
ACCEPT tcp opt in * out eth0 ::/0 -> ::/0 tcp dpt:53
ACCEPT udp opt -- in eth0 out * 213.133.98.98 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in eth0 out * 213.133.98.98 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in eth0 out * 213.133.98.98 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in eth0 out * 213.133.98.98 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.98.98 udp spt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.98.98 tcp spt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.98.98 udp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.98.98 tcp dpt:53
ACCEPT udp opt -- in eth0 out * 213.133.99.99 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in eth0 out * 213.133.99.99 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in eth0 out * 213.133.99.99 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in eth0 out * 213.133.99.99 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.99.99 udp spt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.99.99 tcp spt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.99.99 udp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.99.99 tcp dpt:53
ACCEPT udp opt -- in eth0 out * 213.133.100.100 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in eth0 out * 213.133.100.100 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in eth0 out * 213.133.100.100 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in eth0 out * 213.133.100.100 -> 0.0.0.0/0 tcp dpt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.100.100 udp spt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.100.100 tcp spt:53
ACCEPT udp opt -- in * out eth0 0.0.0.0/0 -> 213.133.100.100 udp dpt:53
ACCEPT tcp opt -- in * out eth0 0.0.0.0/0 -> 213.133.100.100 tcp dpt:53
LOCALOUTPUT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out eth0 ::/0 -> ::/0
LOCALINPUT all opt in eth0 out * ::/0 -> ::/0
Done

The IPTABLES INPUT:

root@megaserver1 /etc/csf # iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 213.133.100.100 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 213.133.100.100 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 213.133.100.100 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 213.133.100.100 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 213.133.99.99 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 213.133.99.99 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 213.133.99.99 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 213.133.99.99 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 213.133.98.98 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 213.133.98.98 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 213.133.98.98 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 213.133.98.98 0.0.0.0/0 udp spt:53
LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
SYNFLOOD tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
CONNLIMIT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 #conn src/32 > 350
CONNLIMIT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081flags: 0x17/0x02 #conn src/32 > 60
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8081
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:30000:50000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 213.133.100.100 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 213.133.100.100 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 213.133.100.100 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 213.133.100.100 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 213.133.99.99 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 213.133.99.99 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 213.133.99.99 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 213.133.99.99 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 213.133.98.98 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 213.133.98.98 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 213.133.98.98 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 213.133.98.98 udp spt:53
LOCALOUTPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8081
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:113
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpts:33434:33523
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain ALLOWIN (1 references)
target prot opt source destination
ACCEPT all -- 188.78.51.2 0.0.0.0/0
Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 188.78.51.2
Chain CONNLIMIT (2 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain DENYIN (1 references)
target prot opt source destination
Chain DENYOUT (1 references)
target prot opt source destination
Chain INVALID (2 references)
target prot opt source destination
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x30/0x20
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02 ctstate NEW
Chain INVDROP (10 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOCALINPUT (1 references)
target prot opt source destination
ALLOWIN all -- 0.0.0.0/0 0.0.0.0/0
DENYIN all -- 0.0.0.0/0 0.0.0.0/0
Chain LOCALOUTPUT (1 references)
target prot opt source destination
ALLOWOUT all -- 0.0.0.0/0 0.0.0.0/0
DENYOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SYNFLOOD (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 350
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *SYNFLOOD Blocked* "
DROP all -- 0.0.0.0/0 0.0.0.0/0
The question, I guess, is... why?
How could I fix it?
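One thing the listing above does show is an unconditional accept: the ALLOWIN chain accepts all traffic from 188.78.51.2, and that rule is consulted before any TCP_IN port check, so a probe of 3306 or 10000 from that host succeeds whatever TCP_IN says (if the tests were run from the same host as the SSH session, which is an assumption here, that alone explains the symptom). The tracer below is an added example, not csf's own code: CHAINS is a hand-reduced copy of the INPUT chain from the listing, and 203.0.113.5 is a constructed client address that appears in no allow list.

```python
"""Simplified first-match walk of the INPUT chain from the post.
Added example, not csf's own code: CHAINS is a hand-reduced copy of the
listing above (LOCALINPUT -> ALLOWIN/DENYIN, loopback accept, per-port
ACCEPTs, LOGDROPIN); 203.0.113.5 is a constructed, not-allowed client."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, LOG, RETURN or a chain name
    proto: Optional[str] = None   # 'tcp'/'udp'; None matches 'all'
    src: Optional[str] = None     # exact source address, None = any
    iface: Optional[str] = None   # inbound interface, None = any
    dport: Optional[range] = None # destination port range, None = any
    ctstate: Optional[set] = None # conntrack states, None = any

NEW, EST = {"NEW"}, {"RELATED", "ESTABLISHED"}
CHAINS = {
    "INPUT": [
        Rule("LOCALINPUT", iface="eth0"),
        Rule("ACCEPT", iface="lo"),   # prints as 'ACCEPT all' when -v is omitted
        Rule("ACCEPT", iface="eth0", ctstate=EST),
        Rule("ACCEPT", "tcp", iface="eth0", dport=range(22, 23), ctstate=NEW),
        Rule("ACCEPT", "tcp", iface="eth0", dport=range(80, 81), ctstate=NEW),
        Rule("ACCEPT", "tcp", iface="eth0", dport=range(30000, 50001), ctstate=NEW),
        Rule("LOGDROPIN", iface="eth0"),
    ],
    "LOCALINPUT": [Rule("ALLOWIN"), Rule("DENYIN")],
    "ALLOWIN": [Rule("ACCEPT", src="188.78.51.2")],  # the csf.allow entry shown above
    "DENYIN": [],                                    # csf.deny is empty in the listing
    "LOGDROPIN": [Rule("LOG"), Rule("DROP")],
}
POLICY = {"INPUT": "DROP"}   # 'Chain INPUT (policy DROP)'

def matches(r, pkt):
    return ((r.proto is None or r.proto == pkt["proto"])
            and (r.src is None or r.src == pkt["src"])
            and (r.iface is None or r.iface == pkt["iface"])
            and (r.dport is None or pkt["dport"] in r.dport)
            and (r.ctstate is None or pkt["ctstate"] in r.ctstate))

def walk(chain, pkt, path):
    """Return ACCEPT/DROP, or None when the chain falls through or RETURNs."""
    for r in CHAINS[chain]:
        if not matches(r, pkt):
            continue
        if r.target in ("ACCEPT", "DROP"):
            path.append(f"{chain}:{r.target}")
            return r.target
        if r.target == "RETURN":
            return None
        if r.target == "LOG":                 # non-terminal: log and keep walking
            path.append(f"{chain}:LOG")
            continue
        path.append(f"{chain}->{r.target}")   # jump into a user chain
        verdict = walk(r.target, pkt, path)
        if verdict:
            return verdict
    return None

def trace(src, dport, proto="tcp", iface="eth0", ctstate="NEW"):
    """Verdict and chain path for one inbound packet (policy applies on fall-through)."""
    pkt = dict(src=src, dport=dport, proto=proto, iface=iface, ctstate=ctstate)
    path = []
    return walk("INPUT", pkt, path) or POLICY["INPUT"], path

if __name__ == "__main__":
    for client in ("188.78.51.2", "203.0.113.5"):
        print(client, "-> tcp/3306:", *trace(client, 3306))
```

On the live box, `iptables -L INPUT -n -v --line-numbers` prints the interface column that plain `-L -n` omits, so the bare `ACCEPT all` rule can be confirmed as the loopback rule, and the closed ports should be tested from an address that is not in csf.allow.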