Page 1 of 1
Windows 2000 IPSEC+ICS help
Posted: 2004-01-01 06:01pm
by Pu-239
How do I enable IPSEC and still allow ICS connections from my Linux box through? I've enabled it and tested it at GRC and got this:
GRC Port Authority Report created on UTC: 2004-01-01 at 22:13:53
Results from scan of ports: 0-1055
0 Ports Open
1048 Ports Closed
8 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be STEALTH were: 23, 135, 139, 389, 445, 1002,
1025, 1029
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- Received one or more unsolicited packets,
- NO Ping reply (ICMP Echo) was received.
Also, how do I specify port ranges- blocking individual ports is a pain with stupid GUIs, and I know nothing of advanced batch scripting to automate this w/ the command line tool(might not matter, since I'm installing cygwin in the future anyway). And there's no way you can block incoming stuff selectively depending on if it was a response to an outgoing connection like iptables, right?
Posted: 2004-01-01 06:33pm
by Faram
First off ignore GRC Steve Gibson is a wako that thinks his so called Stealth ports is somehow safer than a closed port.
I am heading to bead but if noone else answers your question's ill help you tomorrow.
Posted: 2004-01-01 07:31pm
by Pu-239
Faram wrote:First off ignore GRC Steve Gibson is a wako that thinks his so called Stealth ports is somehow safer than a closed port.
I am heading to bead but if noone else answers your question's ill help you tomorrow.
The scanning functionality is still useful, eg. since nmaping localhost/192.168.0.1/<some dynamic IP address) does not work due to having the loopback interface allow everything (might be moot now, since nmap works on W2k too). I thought stealth was better though if
all ports were "stealthed" though (but it isn't practical, since some ports above 1023 have to be open for clients right?)
Can you or someone also check my iptables script
#/bin/bash
# Sets up default route
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
route add default gw up metric 3 &>/dev/null
# Very loosely based on stuff from the iptables tutorial and the IP-Masq HOWTO
# Initial setup
#---------------------------------------------------------------------
# Sets path
#---------------------------------
PATH="/sbin"
export PATH
#---------------------------------
#---------------------------------
# Resets firewall rules
#---------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -X
#---------------------------------
#---------------------------------------------------------------------
# Creates chain for dropping and logging packets (ie "stealth")
#---------------------------------------------------------------------
iptables -N DROPLOG
iptables -A DROPLOG -j ULOG
iptables -A DROPLOG -j DROP
#---------------------------------------------------------------------
# Creates chain for rejecting and logging packets
#---------------------------------------------------------------------
iptables -N REJECTLOG
iptables -A REJECTLOG -j ULOG
iptables -A REJECTLOG -j REJECT
#---------------------------------------------------------------------
iptables -N DISPOSE
iptables -A DISPOSE -j REJECTLOG
#22/tcp open ssh
#25/tcp open smtp
#139/tcp open netbios-ssn
#445/tcp open microsoft-ds
#631/tcp open ipp
iptables -N TCPFILTIN
iptables -A TCPFILTIN -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DISPOSE
iptables -A TCPFILTIN -p tcp --dport 1500: -j ACCEPT
iptables -A TCPFILTIN -p tcp --dport 22 -j ACCEPT
iptables -A TCPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A TCPFILTIN -i lo -j ACCEPT
iptables -A TCPFILTIN -p tcp --sport 25 -j DISPOSE
iptables -A TCPFILTIN -p tcp --sport 139 -j DISPOSE
iptables -A TCPFILTIN -p tcp --sport 445 -j DISPOSE
iptables -A TCPFILTIN -p tcp --sport 631 -j DISPOSE
iptables -A TCPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A TCPFILTIN -j DISPOSE
iptables -N UDPFILTIN
iptables -A UDPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A UDPFILTIN -p udp --dport 22 -j ACCEPT
#iptables -A UDPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A UDPFILTIN -p UDP -s 207.172.3.0/24 -j ACCEPT
# Allows access to my ISP's DNS servers
# Allows access to my computers services from upstairs
iptables -A UDPFILTIN -j DISPOSE
iptables -N ICMPFILTIN
#iptables -A ICMPFILTIN -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A ICMPFILTIN -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A ICMPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A ICMPFILTIN -i eth0 -s 192.168.0.0/24 -j ACCEPT
#iptables -A ICMPFILTIN -i lo -j ACCEPT
#iptables -A ICMPFILTIN -j DISPOSE
iptables -A ICMPFILTIN -j ACCEPT
#accept pings from p2p peers, needs to be tweaked
iptables -A INPUT -p tcp -j TCPFILTIN
iptables -A INPUT -p udp -j UDPFILTIN
iptables -A INPUT -p icmp -j ICMPFILTIN
iptables -A INPUT -j DISPOSE
iptables -A OUTPUT -j ACCEPT
# Allow all outgoing traffic
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DISPOSE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Sets up NAT
exit 0
Posted: 2004-01-03 06:19pm
by Pu-239
Bump