Bug 50206 - iptables lets smb and pop3 through
Summary: iptables lets smb and pop3 through
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2001-07-28 01:07 UTC by Need Real Name
Modified: 2007-04-18 16:35 UTC

Clone Of:
Last Closed: 2001-08-25 09:36:40 UTC


Description Need Real Name 2001-07-28 01:07:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1)
Gecko/20010607 Netscape6/6.1b1

Description of problem:
iptables allows smb and pop3 through firewall (open) on Gibson Research's
"Probe your ports" (http://grc.com).  Exact duplicate of firewall 
in ipchains does not.  Several other ports show up as "closed" (REJECT) 
as well.

How reproducible:

Steps to Reproduce:
1. set up a firewall router with two network cards (eth0 is internal
network, eth1 is external network).
2. enable the following services: samba, routed, pop3, telnetd, bind,
and Ted Lemon's DHCP V3rc10 client and server
3. connect eth1 to a DSL modem with a dynamic address
4. create a chain just for eth1 to follow as IP address changes
5. http and https must be enabled for grc.com to operate
6. test the following chains (tables):

/sbin/iptables -F dsl-in
/sbin/iptables -F dsl-out
/sbin/iptables -F dsl-for
/sbin/iptables -A dsl-in   -j ACCEPT -p icmp
/sbin/iptables -A dsl-out  -j ACCEPT -p icmp
/sbin/iptables -A dsl-for  -j ACCEPT -p icmp

## Set up (local) DNS outgoing query rules
/sbin/iptables -A dsl-out   -o eth1  -p udp  -s $eth1_addr --sport $unassgn \
    --dport domain  -j ACCEPT
/sbin/iptables -A dsl-in    -i eth1  -p udp  --sport domain -d $eth1_addr \
    --dport $unassgn  -j ACCEPT
# (unlike the www/https reply rules below, this TCP reply rule has no
#  "! --syn", so it also accepts new connections arriving from source port 53)
/sbin/iptables -A dsl-in    -i eth1  -p tcp  --sport domain -d $eth1_addr \
    --dport $unassgn  -j ACCEPT

# http stuff
/sbin/iptables -A dsl-out  -o eth1  -p tcp  -s $eth1_addr --sport $unassgn \
    --dport www  -j ACCEPT
/sbin/iptables -A dsl-in   -i eth1  -p tcp  ! --syn --sport www -d $eth1_addr \
    --dport $unassgn  -j ACCEPT

# https (secure) stuff
/sbin/iptables -A dsl-out  -o eth1  -p tcp  -s $eth1_addr --sport $unassgn \
    --dport https  -j ACCEPT
/sbin/iptables -A dsl-in   -i eth1  -p tcp  ! --syn --sport https -d $eth1_addr \
    --dport $unassgn  -j ACCEPT

/sbin/iptables -A dsl-in  -j DROP
/sbin/iptables -A dsl-out -j DROP
/sbin/iptables -A dsl-for -j DROP


Actual Results:  firewall lets pop3 and smb through

Expected Results:  grc.com's "probe your ports" should show all ports as
"closed" (DROP)

Additional info:

Reproducing will require the entire firewall.  Please eMail me
and I will send it to you. (If possible, I wish it to remain private)

Comment 1 Bernhard Rosenkraenzer 2001-07-30 13:19:38 UTC
Please try iptables-1.2.2-3 from rawhide.
If it doesn't fix the problem, please send me (bero@redhat.com) the whole 

Comment 2 Bernhard Rosenkraenzer 2001-08-25 09:36:36 UTC
Received an email in response, not a bug after all (ipchains and iptables 
loaded simultaneously)

Comment 3 Need Real Name 2001-09-04 01:43:09 UTC
Hi All,

   Actually, ipchains was removed from the  system (rpm -e ipchains) and
the system was rebooted several times.  (My letter, and two follow
up letters, to bero@redhat.com stated this very clearly.)

   When I went to reproduce it, I found that I had removed the S08iptables
links from rc3.d and rc5.d.  Placing them back and rebooting solved the 
problem.  (I had mistakenly thought that S08iptables was setting up a
competing firewall.)

   What was really strange was that my firewall calls to iptables
did not cause iptables to complain (other than syntax errors).  
When I tried the same firewall in ipchains with S08ipchains removed, 
ipchains complained bitterly every time I made a call to it.   (And,
no, ipchains was not installed during my troubles with iptables -- iptables
bitches loud and hard if ipchains is loaded.  And, I double and triple
checked that ipchains was gone -- find, which, locate, rpm -q ipchains, etc.)

   This trouble should not be closed until the lack of error messages
(other than syntax errors) from iptables when S08iptables is removed
is investigated.  (It is probably another goof on my part, but should
be investigated anyway.)
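What Comment 3 describes, a ruleset whose dsl-in/dsl-out/dsl-for chains are fully populated but never entered, is exactly the case iptables accepts without a word: appending rules to a user-defined chain that no built-in chain jumps to is legal, so the only symptom is that the built-in chain's own policy (ACCEPT by default) decides every packet's fate, and a probe then sees listening services as open. The fragment in the description contains no jump into those chains, so whatever wired them in (presumably the saved rules the S08iptables script restores at boot, though the report does not show that) was doing the job. The check below is an added example, not the reporter's firewall or Red Hat's init script: it reads an iptables-save dump and lists user chains that no built-in chain reaches, directly or through other chains. The chain names match the report; the two dumps are constructed for the example, and the interface, address and port details in them are assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's firewall or Red Hat's S08iptables script.
# unreachable_chains reads an iptables-save dump on stdin and prints, as
# "table:chain", every user-defined chain that no built-in chain reaches,
# directly or through other chains, with -j or -g. Rules in such a chain
# never run, and iptables itself never warns about that.
unreachable_chains() {
    awk '
    /^\*/ { table = substr($1, 2); next }           # "*filter", "*nat", ...
    /^:/ {                                           # ":NAME POLICY [pkts:bytes]"
        name = substr($1, 2)
        if ($2 == "-") user[table SUBSEP name] = 1   # user chains have policy "-"
        else reach[table SUBSEP name] = 1            # built-ins always see packets
        next
    }
    /^-A / {                                         # "-A SRC <matches> -j TARGET"
        src = $2
        for (i = 3; i < NF; i++)
            if ($i == "-j" || $i == "-g")
                edge[table SUBSEP src SUBSEP $(i + 1)] = 1
        next
    }
    END {
        # Propagate reachability along jump edges until a fixed point.
        do {
            changed = 0
            for (e in edge) {
                split(e, p, SUBSEP)                  # p[1]=table p[2]=src p[3]=target
                if ((p[1] SUBSEP p[2]) in reach && !((p[1] SUBSEP p[3]) in reach)) {
                    reach[p[1] SUBSEP p[3]] = 1
                    changed = 1
                }
            }
        } while (changed)
        for (c in user)
            if (!(c in reach)) {
                split(c, p, SUBSEP)
                print p[1] ":" p[2]
            }
    }' | LC_ALL=C sort
}

# Constructed dump modelled on the report: the dsl-* chains hold the rules,
# but INPUT/OUTPUT/FORWARD (policy ACCEPT) never jump to them. dsl-log is
# referenced only from dsl-for, so it is dead as well. Address is made up.
HEADER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:dsl-in - [0:0]
:dsl-out - [0:0]
:dsl-for - [0:0]
:dsl-log - [0:0]'
RULES='-A dsl-in -p icmp -j ACCEPT
-A dsl-in -i eth1 -p tcp -m tcp --sport 80 ! --syn -d 203.0.113.5 -j ACCEPT
-A dsl-in -j DROP
-A dsl-out -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A dsl-out -j DROP
-A dsl-for -j dsl-log
-A dsl-for -j DROP
-A dsl-log -j LOG'
# The three jumps that wire the user chains into the built-in ones.
JUMPS='-A INPUT -i eth1 -j dsl-in
-A OUTPUT -o eth1 -j dsl-out
-A FORWARD -j dsl-for'

BROKEN_DUMP="$HEADER
$RULES
COMMIT"
WIRED_DUMP="$HEADER
$JUMPS
$RULES
COMMIT"

# Stand-alone run: the four dead chains for the broken set, nothing for the wired set.
printf '%s\n' "$BROKEN_DUMP" | unreachable_chains
printf '%s\n' "$WIRED_DUMP" | unreachable_chains
```

On a live box, `iptables-save | unreachable_chains` gives the same answer for the real ruleset; anything it prints is a chain whose rules never see a packet, and on a host whose INPUT and FORWARD policies are ACCEPT that means the ports those chains were meant to drop are open. The check is per table, since chain names repeat across tables, and it follows jumps transitively, so a logging chain that hangs off an unreferenced chain is reported too.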

