From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 Netscape6/6.1b1

Description of problem:
iptables allows smb and pop3 through the firewall (open) on Gibson Research's "Probe your ports" (http://grc.com). An exact duplicate of the firewall in ipchains does not. Several other ports show up as "closed" (REJECT) as well.

How reproducible:
Always

Steps to Reproduce:
1. Set up a firewall router with two network cards (eth0 is the internal network, eth1 is the external network).
2. Enable the following services: samba, routed, pop3, telnetd, bind, and Ted Lemon's DHCP V3rc10 client and server.
3. Connect eth1 to a DSL modem with a dynamic address.
4. Create a chain just for eth1 to follow as the IP address changes.
5. http and https must be enabled for grc.com to operate.
6. Test the following chains (tables):

    /sbin/iptables -F dsl-in
    /sbin/iptables -F dsl-out
    /sbin/iptables -F dsl-for
    /sbin/iptables -A dsl-in -j ACCEPT -p icmp
    /sbin/iptables -A dsl-out -j ACCEPT -p icmp
    /sbin/iptables -A dsl-for -j ACCEPT -p icmp
    ## Set up (local) DNS outgoing query rules
    /sbin/iptables -A dsl-out -o eth1 -p udp -s $eth1_addr --sport $unassgn --dport domain -j ACCEPT
    /sbin/iptables -A dsl-in -i eth1 -p udp --sport domain -d $eth1_addr --dport $unassgn -j ACCEPT
    /sbin/iptables -A dsl-in -i eth1 -p tcp --sport domain -d $eth1_addr --dport $unassgn -j ACCEPT
    # http stuff
    /sbin/iptables -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn --dport www -j ACCEPT
    /sbin/iptables -A dsl-in -i eth1 -p tcp ! --syn --sport www -d $eth1_addr --dport $unassgn -j ACCEPT
    # https (secure) stuff
    /sbin/iptables -A dsl-out -o eth1 -p tcp -s $eth1_addr --sport $unassgn --dport https -j ACCEPT
    /sbin/iptables -A dsl-in -i eth1 -p tcp ! --syn --sport https -d $eth1_addr --dport $unassgn -j ACCEPT
    /sbin/iptables -A dsl-in -j DROP
    /sbin/iptables -A dsl-out -j DROP
    /sbin/iptables -A dsl-for -j DROP

Actual Results:
The firewall lets pop3 and smb through.

Expected Results:
grc.com's "probe your ports" should show all ports as "closed" (DROP).

Additional info:
Reproducing will require the entire firewall. Please e-mail me and I will send it to you. (If possible, I wish it to remain private.)
Please try iptables-1.2.2-3 from rawhide. If it doesn't fix the problem, please send me (bero) the whole config.
Received an email in response, not a bug after all (ipchains and iptables loaded simultaneously)
Hi All, Actually, ipchains was removed from the system (rpm -e ipchains) and the system was rebooted several times. (My letter, and two follow-up letters, to bero stated this very clearly.) When I went to reproduce it, I found that I had removed the S08iptables links from rc3.d and rc5.d. Placing them back and rebooting solved the problem. (I had mistakenly thought that S08iptables was setting up a competing firewall.) What was really strange was that my firewall calls to iptables did not cause iptables to complain (other than syntax errors). When I tried the same firewall in ipchains with S08ipchains removed, ipchains complained bitterly every time I made a call to it. (And, no, ipchains was not installed during my troubles with iptables -- iptables bitches loud and hard if ipchains is loaded. And, I double and triple checked that ipchains was gone -- find, which, locate, rpm -q ipchains, etc.) This trouble should not be closed until the lack of error messages (other than syntax errors) from iptables when S08iptables is removed is investigated. (It is probably another goof on my part, but should be investigated anyway.) --Tony
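The failure mode in this thread is silent by design: iptables happily appends rules to a user-defined chain such as dsl-in even when nothing in INPUT, OUTPUT or FORWARD jumps to it, and it never warns that a built-in chain is still at policy ACCEPT, so a firewall can look fully configured while filtering nothing. The script below is an added example, not code from the bug report or from any of the comments; it audits the text of an `iptables -L -n` listing and flags both conditions. The listing format (`Chain NAME (policy X)` for built-in chains, `Chain NAME (N references)` for user chains) is the standard iptables output; the sample listings, the chain contents in them, and the function names audit_listing, sample_broken, sample_ok and count_findings are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the bug report): check that an iptables ruleset
# is actually in effect. Reads an "iptables -L -n" listing on stdin, prints
# one finding per line, and returns 1 if anything is wrong, 0 if clean.
audit_listing() {
    awk '
        # Built-in chains carry a policy: "Chain INPUT (policy ACCEPT)".
        /^Chain [A-Z]+ \(policy / {
            chain = $2; policy = $4; sub(/\)/, "", policy)
            if (policy != "DROP") {
                print "builtin chain " chain " policy is " policy ", expected DROP"
                bad = 1
            }
            next
        }
        # User chains carry a reference count: "Chain dsl-in (0 references)".
        # Zero references means no built-in chain jumps here, so its rules never run.
        /^Chain [^ ]+ \([0-9]+ references?\)/ {
            chain = $2; refs = $3; sub(/\(/, "", refs)
            if (refs + 0 == 0) {
                print "user chain " chain " has no references: its rules never run"
                bad = 1
            }
            next
        }
        END { exit bad }
    '
}

# Constructed sample: dsl-in is populated but never referenced, and the
# built-in chains are left at ACCEPT. This is the "configured but open" case.
sample_broken() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain dsl-in (0 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample: policies are DROP and INPUT jumps to dsl-in.
sample_ok() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
dsl-in     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

Chain dsl-in (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Number of findings for a given sample function (e.g. count_findings sample_broken).
count_findings() {
    "$1" | audit_listing | wc -l | tr -d ' '
}

# On a live router the check is simply:  iptables -L -n | audit_listing
```

Run against the broken sample it reports four findings (three ACCEPT policies plus the unreferenced dsl-in chain) and exits non-zero; against the good sample it prints nothing and exits zero. Dropping this check into the firewall script right after the rules are loaded would have turned the silent condition in this report into an immediate, visible error.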