Bug 50206 – iptables lets smb amd pop3 through

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 50206 - iptables lets smb amd pop3 through

Summary:	iptables lets smb amd pop3 through

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	iptables (Show other bugs)
Sub Component:
Version:	7.1
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Bernhard Rosenkraenzer
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2001-07-27 21:07 EDT by Need Real Name
Modified:	2007-04-18 12:35 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-08-25 05:36:40 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Need Real Name 2001-07-27 21:07:25 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1)
Gecko/20010607 Netscape6/6.1b1

Description of problem:
iptables allows smb and pop3 through firewall (open) on Gibson Research's
"Probe your ports" (http://grc.com).  Exact duplicate of firewall 
in ipchains does not.  Several other ports show up as "closed" (REJECT) 
as well.


How reproducible:
Always

Steps to Reproduce:
1. set up a firewall router with two network cards (eth0 is internal
network, eth1 is external network).
2. enable the following services: samba, routed, pop3, telnetd, bind,
and Ted Lemon's DHCP V3rc10 client and server
3. connect eth1 to a DSL modem with a dynamic address
4. create a chain just for eth1 to follow as IP address changes
5. http and https must be enabled for grc.com to operate
6. test the following chains (tables):

/sbin/iptables -F dsl-in
/sbin/iptables -F dsl-out
/sbin/iptables -F dsl-for
/sbin/iptables -A dsl-in   -j ACCEPT -p icmp
/sbin/iptables -A dsl-out  -j ACCEPT -p icmp
/sbin/iptables -A dsl-for  -j ACCEPT -p icmp

## Set up (local) DNS outgoing querry rules
/sbin/iptables -A dsl-out   -o eth1  -p udp  -s $eth1_addr --sport $unassgn
--dport domain  -j ACCEPT
/sbin/iptables -A dsl-in    -i eth1  -p udp  --sport domain -d $eth1_addr
--dport $unassgn  -j ACCEPT
/sbin/iptables -A dsl-in    -i eth1  -p tcp  --sport domain -d $eth1_addr
--dport $unassgn  -j ACCEPT

# http stuff
/sbin/iptables -A dsl-out  -o eth1  -p tcp  -s $eth1_addr --sport $unassgn
--dport www  -j ACCEPT
/sbin/iptables -A dsl-in   -i eth1  -p tcp  ! --syn --sport www -d
$eth1_addr --dport $unassgn  -j ACCEPT

# https (secure) stuff
/sbin/iptables -A dsl-out  -o eth1  -p tcp  -s $eth1_addr --sport $unassgn
--dport https  -j ACCEPT
/sbin/iptables -A dsl-in   -i eth1  -p tcp  ! --syn --sport https -d
$eth1_addr --dport $unassgn  -j ACCEPT

/sbin/iptables -A dsl-in  -j DROP
/sbin/iptables -A dsl-out -j DROP
/sbin/iptables -A dsl-for -j DROP



	

Actual Results:  firewall lets pop3 and smb through


Expected Results:  grc.com's "probe your ports" should show all ports as
"closed" (DROP)


Additional info:

Reproducing will require the entire firewall.  Please eMail me
and I will send it to you. (If possible, I wish it to remain private)

Comment 1 Bernhard Rosenkraenzer 2001-07-30 09:19:38 EDT

Please try iptables-1.2.2-3 from rawhide.
If it doesn't fix the problem, please send me (bero@redhat.com) the whole 
config.

Comment 2 Bernhard Rosenkraenzer 2001-08-25 05:36:36 EDT

Received an email in response, not a bug after all (ipchains and iptables 
loaded simultaneously)

Comment 3 Need Real Name 2001-09-03 21:43:09 EDT

Hi All,

   Actually, ipchains was removed from the  system (rpm -e ipchains) and
the system was rebooted several times.  (My letter, and two follow
up letters, to bero@redhat.com stated this very clearly.)

   When I went to reproduce it, I found that I had removed the S08iptables
links from rc3.d and rc5.d.  Placing them back and rebooting solved the 
problem.  (I had mistakenly thought that S08iptables was setting up a
competing firewall.)

   What was really strange was that my firewall calls to iptables
did not cause iptables to complain (other than syntax errors).  
When I tried the same firewall in ipchains with S08ipchains removed, 
ipchains complained bitterly every time I made a call to it.   (And,
no, ipchains was not installed during my troubles with iptables -- iptables
bitches loud and hard if ipchains is loaded.  And, I double and tripple
checked that ipchains was gone -- find, which, locate, rpm -q ipchains, etc.)

   This trouble should not be closed until the lack of error messages
(other than syntax errors) from iptables when S08iptables is removed
is investigated.  (It is probably another goof on my part, but should
be investigated anyway.)

--Tony

Note You need to log in before you can comment on or make changes to this bug.