[ubuntu] iptables and nmap

Thyagaraj
October 7th, 2010, 01:54 PM
The following are my iptables rules on an Ubuntu cloud server:

# cat /etc/iptables.rules

# Generated by iptables-save v1.4.4 on Wed Mar 10 12:24:06 2010
*filter
:INPUT DROP [598:41912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [456:35354]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT


I did not open the FTP port 21 in the above iptables rules, but I'm allowed to connect to the server via FTP. How?


# nmap server-ip

Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
389/tcp open ldap
445/tcp filtered microsoft-ds
1050/tcp open java-or-OTGfileshare
2401/tcp open cvspserver
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds


Why are so many ports shown as open? I'm clear that these services are running on the server, but how could it list or connect to (FTP) these ports when they are not included in the iptables rules?

Need help...

BkkBonanza
October 7th, 2010, 03:55 PM
You listed the rules file, but have you confirmed that iptables is actually using those rules at this time? Try sudo iptables -vnL to see what rules are in effect.

If you are using nmap to scan yourself, it may have decided to use the loopback interface. I'm not sure it does that, but I can't see why else it would give you those results if the iptables rules are in effect. Try using the -e option to make sure it uses the eth0 interface, or better yet, scan from another machine to be sure.

Also make sure you're not scanning your router by mistake. If, for example, you scan your public IP (the one your ISP gives you), then you are actually scanning your router, and only the forwarded ports would get sent on to the server located inside the LAN.

However, it seems more likely that your rules aren't being loaded into iptables at boot. They don't get there by default; there needs to be a script that loads them. Typically the way to do it is to add a script to the /etc/network/if-up.d/ directory so they are loaded when the interface is brought up.
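An added example (not part of the reply above or of the original thread) that makes the "are the rules actually in effect?" question mechanical: it parses the /etc/iptables.rules file and the nmap listing posted earlier in the thread, both embedded here as constructed strings, and reports every port the scan shows open that no INPUT rule accepts. Because that ruleset has INPUT policy DROP and a final -j DROP, any such port means the scanned packets did not pass through this ruleset at all (rules not loaded, scan went over lo, or the wrong host was scanned). The function names are mine; on a live box feed the functions `iptables-save` and normal `nmap` output instead of the embedded strings.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an nmap result is even
# consistent with a given iptables ruleset. RULES is the /etc/iptables.rules
# posted in the thread and NMAP the scan output posted there, both embedded as
# constructed strings so the script runs offline.

RULES='*filter
:INPUT DROP [598:41912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [456:35354]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -j DROP
COMMIT'

NMAP='PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
389/tcp open ldap
445/tcp filtered microsoft-ds
1050/tcp open java-or-OTGfileshare
2401/tcp open cvspserver
3306/tcp open mysql'

# input_policy: default policy of the INPUT chain. Reads iptables-save on stdin.
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# accepted_tcp_ports: every TCP --dport that some INPUT rule ACCEPTs, whether
# or not the rule is restricted with -s (the scanning host may be that source).
# Sorted numerically, one per line. Reads iptables-save on stdin.
accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            for (i = 3; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' | sort -n | uniq
}

# world_accepted_tcp_ports: the subset of the above with no -s restriction,
# i.e. what an arbitrary Internet host should see as open.
world_accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            src = 0; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = 1
                if ($i == "--dport") port = $(i + 1)
            }
            if (!src && port != "") print port
         }' | sort -n | uniq
}

# nmap_open_tcp_ports: ports nmap reported as "open" (not filtered/closed).
# Reads normal nmap output on stdin.
nmap_open_tcp_ports() {
    awk '$2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' | sort -n | uniq
}

# unexplained_open_ports RULES NMAP: ports open in the scan that no INPUT rule
# accepts. With a DROP policy, a non-empty result means the scan did not go
# through this ruleset.
unexplained_open_ports() {
    allowed=" $(printf '%s\n' "$1" | accepted_tcp_ports | tr '\n' ' ')"
    for p in $(printf '%s\n' "$2" | nmap_open_tcp_ports); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

echo "INPUT policy: $(printf '%s\n' "$RULES" | input_policy)"
echo "reachable from anywhere per ruleset: $(printf '%s\n' "$RULES" | world_accepted_tcp_ports | tr '\n' ' ')"
echo "open in scan but accepted by no rule: $(unexplained_open_ports "$RULES" "$NMAP" | tr '\n' ' ')"
```

For the thread's inputs the last line lists 21, 25, 53, 111, 389, 1050 and 2401: seven ports that a loaded ruleset would have dropped. The same check is worth pairing with `iptables -vnL INPUT` while scanning from another machine: if the packet counters on the rules do not move during the scan, the traffic is not reaching the chain, which is the symptom of rules that were never loaded or of a scan that stayed on the loopback interface.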

Thyagaraj
October 7th, 2010, 04:21 PM
Yes, I have applied the rules with the commands iptables-restore and iptables-apply -t 120 /etc/iptables.rules, and I have also checked iptables -L; only the allowed ports are listed.

Yes, the cloud servers have static public IP addresses. And it's strange that it's allowing FTP, which I didn't include in the iptables file.

FYI, when I removed the entry ' -A INPUT -i lo -j ACCEPT ' on my local machine, it listed only the opened ports when I checked with nmap. I'm afraid of removing this entry on the cloud servers. However, I use 'iptables-apply' to avoid misconfiguration.

And I did not understand what you said: "Try using the -e option to make sure it uses the eth0 interface,...".

BkkBonanza
October 7th, 2010, 05:45 PM
The fact that removing the loopback rule on your machine changes the result points to using nmap incorrectly. It must be scanning your loopback interface rather than the target server's; otherwise it wouldn't get different results depending on whether that rule is present or not. This is what I was thinking when I suggested using the -e option.

nmap -e eth0 ...etc

to tell it to scan from the eth0 interface. Normally it won't scan using "lo", but I can't see what you're doing and why it would be doing that. It doesn't really make sense, so I'm just poking around with suggestions.

Thyagaraj
October 8th, 2010, 09:29 AM
I tried nmap -e eth0 server-ip and it was giving some error. Actually, I didn't find the right command.

I have a virtual machine (Ubuntu server) and nmap is installed on it. I was using the nmap command on the virtual machine, and it listed all the ports on which services are running. I also have nmap installed on my base system (physical). When I check the virtual machine with nmap from the base system, it lists only the ports allowed in iptables. Here it's fine then.

But on the cloud servers I have not installed nmap. Whenever I check the cloud servers with nmap from my base system, it lists all the ports, as if nmap were executed on the servers.

Is it like this: that the listed ports are open for the system on which nmap is executed, or to all remote systems?

Not sure how to fix this. Thank you for your interest.

BkkBonanza
October 8th, 2010, 09:49 AM
Whether the ports are open on the local machine depends on how the services are configured to listen. If they are set to listen on "*", then they will listen on every interface. If they are set to listen on a specific IP, then they will listen only on the interface the IP is assigned to. The loopback interface "lo" is not usually an issue for security, as only processes on the local machine can connect to and use them.

iptables can block/accept traffic depending on the interface, or, if none is specified, on any interface by port only. Usually, since "lo" is not a security issue, the usual iptables rule is to ACCEPT all for it.

In the case of a VM you would have to look more closely at how the VM is configured for network connections. It's possible for it to be set up using a virtual interface, e.g. vnet0, or to have it use the regular interface, e.g. eth0.

I think that nmap will use any interface it finds, so it may be that it is scanning on the virtual interface as well as the physical one and "lo" as well. If you can get it to use only one interface, you may be able to limit what it scans. It's possible nmap is getting confused and only gives reliable results when scanning other machines, not itself.
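An added example (mine, not part of the reply above) for the "listen on * versus listen on a specific IP" distinction: it classifies listening TCP sockets by bind address, so the ports that are reachable on every interface, and therefore protected only by iptables, can be separated from those bound to loopback, which only local processes can reach. The netstat output is constructed for the example and the function name is mine; on a live host pipe in `netstat -tln` or `ss -tln` instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening TCP sockets by bind
# address. "all" = bound to a wildcard address (0.0.0.0 or ::), so reachable on
# every interface and subject only to the firewall; "local" = bound to loopback
# (127.0.0.1 or ::1), so reachable from the machine itself only.
# NETSTAT is constructed sample output in `netstat -tln` format.

NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# listeners SCOPE: print the TCP ports whose listening socket is bound to a
# wildcard address (SCOPE=all) or to loopback (SCOPE=local), sorted
# numerically, one per line. Reads netstat -tln / ss -tln style output on
# stdin. The port is the text after the last ":" of the local address, which
# also handles IPv6 addresses such as ":::80" and "::1:631".
listeners() {
    awk -v scope="$1" '
        ($1 == "tcp" || $1 == "tcp6") && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (scope == "all"   && (host == "0.0.0.0" || host == "::")) print port
            if (scope == "local" && (host == "127.0.0.1" || host == "::1")) print port
        }' | sort -n | uniq
}

echo "listening on every interface (firewall is the only control): $(printf '%s\n' "$NETSTAT" | listeners all | tr '\n' ' ')"
echo "listening on loopback only (not reachable remotely):         $(printf '%s\n' "$NETSTAT" | listeners local | tr '\n' ' ')"
```

For the sample, 21, 22, 80 and 3306 are bound to wildcard addresses while 25, 53 and 631 are loopback-only. A port in the first list that is not meant to be public is better fixed at the service (bind it to 127.0.0.1 or the internal address) than by relying on the firewall alone.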

Thyagaraj
October 8th, 2010, 02:22 PM
The following script will be run every 5 minutes on the cloud servers to update their iptables for the dyndns domain name:


#!/bin/bash
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
HOST=$1
HOSTFILE="/root/host-$HOST"
CHAIN="dynamichosts" # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# create the chain in iptables, only if it does not exist yet
# (-N fails on an existing chain).
$IPTABLES -L "$CHAIN" -n >/dev/null 2>&1 || $IPTABLES -N "$CHAIN"
# insert the chain into the input chain @ the head of the list, but only
# once: inserting unconditionally adds another jump on every cron run.
$IPTABLES -L INPUT -n | grep -q "^$CHAIN " || $IPTABLES -I INPUT 1 -j "$CHAIN"
# flush all the rules in the chain
$IPTABLES -F "$CHAIN"

# lookup host name from dns tables (for a dyndns name dig +short prints the
# CNAME target first, so the last line is the address)
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
if [ -z "$IP" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit 1
fi

OLDIP=""
if [ -f "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# save off new ip.
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then
    echo "Removing old rule ($OLDIP)"
    # the chain was flushed above, so the rule is normally gone already
    $IPTABLES -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT 2>/dev/null
fi
echo "Inserting new rule ($IP)"
# note: this accepts every port and protocol from the host
$IPTABLES -A "$CHAIN" -s "$IP/32" -j ACCEPT

Thyagaraj
October 11th, 2010, 10:56 AM
This is the output of "iptables -L" on the cloud server.


Chain INPUT (policy DROP)
target prot opt source destination
dynamichosts all -- anywhere anywhere
dynamichosts all -- anywhere anywhere
dynamichosts all -- anywhere anywhere
dynamichosts all -- anywhere anywhere
dynamichosts all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:ssh
ACCEPT tcp -- APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:10000
ACCEPT tcp -- APKGS-AP-dynamic-145.136.165.59.airtelbroadband.in anywhere tcp dpt:mysql
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain dynamichosts (937 references)
target prot opt source destination
ACCEPT all -- Telemedia-AP-dynamic-145.86.175.59.airtelbroadband.in anywhere
Here airtelbroadband is mine (dyndns domain name). I think the previously posted script creates a new chain, and from this domain everything is allowed; is it so? Maybe the allowed ports ssh, webmin, mysql and www are useless entries. But I want this domain to be allowed only on these ports. Any more help...?

Thank you!

Thyagaraj
October 12th, 2010, 06:48 AM
I think I should append a line that allows a specific domain with the -s switch to connect to multiple ports, and with ! to drop all. I don't know the exact syntax. Like the one below (not exact and not working):

-A INPUT -s 24.112.23.227 -p tcp -m tcp --dport ! 80,22,10000,3306 -j DROP

Thyagaraj
October 12th, 2010, 12:40 PM
It is said that the last line of the script, which says `$IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT`, can be replaced with something like the below:



$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 443 -j ACCEPT
$IPTABLES -A $CHAIN -s $IP/32 -p tcp --dport 3306 -j ACCEPT


I'm afraid of doing this if it locks...
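An added example, written for this page and not taken from the thread or from Dave Horner's script, that does what the last two posts are reaching for: the dynamic host is granted a fixed list of TCP ports with a single `-m multiport --dports` rule instead of `-j ACCEPT` for everything, the chain and the INPUT jump are created only once (so the chain does not collect one reference per cron run), and the previous address is remembered so its rule is deleted when the dyndns name moves. Traffic from the host to any other port falls off the end of the chain and back into INPUT, where the existing final DROP handles it, so no negated rule is needed. The chain name, state directory, port list and function names are my assumptions; `-L -n` is used for the existence checks so the script also works on the iptables 1.4.4 shown in the rules file (iptables 1.4.11 and later additionally offer `-C` for this). Setting `IPTABLES=echo` prints the commands instead of applying them, which is the way to try it without risking a lockout.

```shell
#!/bin/sh
# Added example; not from the thread and not Dave Horner's script. Grants a
# dynamic-DNS host access to a fixed list of TCP ports only, creates the chain
# and the INPUT jump once, and removes the stale rule when the address changes.
# Chain name, state directory and port list are assumptions.
# Set IPTABLES=echo to dry-run without touching the firewall.

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-dynamichosts}
STATEDIR=${STATEDIR:-/var/lib/dynamichosts}
PORTS=${PORTS:-"22 80 3306 10000"}   # ssh, www, mysql, webmin

# resolve_host NAME: print the last A record for NAME. dig +short prints the
# CNAME target first for a dyndns name, so only dotted-quad lines are kept.
# Returns 1 when nothing resolves, so a DNS hiccup never installs an empty -s.
resolve_host() {
    ip=$(dig +short "$1" A 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1)
    [ -n "$ip" ] && printf '%s\n' "$ip"
}

# multiport_rule IP PORT...: the rule-spec allowing IP to exactly those TCP
# ports (multiport accepts up to 15). Pure function; nothing is applied.
multiport_rule() {
    ip=$1; shift
    list=$(printf '%s,' "$@"); list=${list%,}
    printf '%s\n' "-s $ip/32 -p tcp -m multiport --dports $list -j ACCEPT"
}

# ensure_chain: create CHAIN and a single INPUT jump to it only if missing.
ensure_chain() {
    "$IPTABLES" -L "$CHAIN" -n >/dev/null 2>&1 || "$IPTABLES" -N "$CHAIN"
    "$IPTABLES" -L INPUT -n 2>/dev/null | grep -q "^$CHAIN " \
        || "$IPTABLES" -I INPUT 1 -j "$CHAIN"
}

# update_host NAME: replace NAME's rule in CHAIN with one for its current IP.
update_host() {
    host=$1
    statefile="$STATEDIR/$host"
    ip=$(resolve_host "$host") || { echo "cannot resolve $host" >&2; return 1; }
    oldip=""
    [ -f "$statefile" ] && oldip=$(cat "$statefile")
    # nothing to do if the address is unchanged and its rule is still present
    if [ "$oldip" = "$ip" ] && "$IPTABLES" -L "$CHAIN" -n 2>/dev/null | grep -q " $ip "; then
        return 0
    fi
    if [ -n "$oldip" ]; then
        # delete by rule-spec; ignore failure when the rule is already gone
        "$IPTABLES" -D "$CHAIN" $(multiport_rule "$oldip" $PORTS) 2>/dev/null || true
    fi
    "$IPTABLES" -A "$CHAIN" $(multiport_rule "$ip" $PORTS)
    mkdir -p "$STATEDIR" && printf '%s\n' "$ip" > "$statefile"
}

if [ $# -eq 1 ]; then
    ensure_chain && update_host "$1"
else
    echo "usage: $0 hostname   (run from cron, e.g. every 5 minutes)" >&2
fi
```

The negated form the earlier post was after, for reference, is `-m multiport ! --dports 22,80,3306,10000 -j DROP` (on iptables 1.4.x the `!` goes before the option, and `--dport` of the plain tcp match does not take a list at all); the positive rule above is preferable because it leaves the rest of INPUT, including the world-open port 80, to decide about everything else. Run the script once by hand with `IPTABLES=echo` and check the printed `-A dynamichosts ...` line before letting cron apply it.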