
(M2N: no subject)


Yuichiro Abe

Apr 8, 2002, 9:43:12 AM
to linux...@plathome.co.jp
auth d8ca1aaa subscribe linux-users li...@myular.com

--
Yuichiro Abe mailto:li...@myular.com


樋口 崇

Apr 8, 2002, 10:47:52 AM
to linux...@linux.or.jp
Higuchi (樋口) here.
I currently have IP masquerading working and am using the Internet through it.
For the past few days I have been trying to open ports towards the outside.
I am running RedHat 7.1J and using iptables rather than ipchains; I have removed ipchains.
I ran a port scan test at
http://grc.com/x/ne.dll?bh0bkyd2
and got the following result:

Port  Service  Status    Security Implications
21    FTP      Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23    Telnet   Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25    SMTP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79    Finger   Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80    HTTP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110   POP3     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113   IDENT    Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
135   RPC      Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139   NetBIOS  Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143   IMAP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443   HTTPS    Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
445   MSFT DS  Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
5000  UPnP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

So all the ports are closed.
It seems that RedHat closes all ports if you do not configure a firewall at install time. I have been trying to open ports with iptables, but it is not working.
Below is part of the script I use to open the ports.
Is there something I am overlooking?
# EXTIF (the external interface) is assumed to be set earlier in the script; it is not part of this excerpt.

# AcceptInt: let hosts behind this box reach outside services on the given ports
# (new outbound connections on OUTPUT, their replies on INPUT).
# Arguments: protocol, comma-separated port list, optional comma-separated remote address list.
AcceptInt() {
    protocol=$1
    ports=$2
    srcs=$3
    for port in `echo $ports | sed 's/,/ /g'`
    do
        if [ "$srcs" = "" ] ; then
            /sbin/iptables -A INPUT -i $EXTIF -p $protocol --sport $port \
                -m state --state ESTABLISHED -j ACCEPT
            /sbin/iptables -A OUTPUT -o $EXTIF -p $protocol --dport $port \
                -m state --state NEW,ESTABLISHED -j ACCEPT
        else
            for src in `echo $srcs | sed 's/,/ /g'`
            do
                /sbin/iptables -A INPUT -i $EXTIF -s $src -p $protocol --sport $port \
                    -m state --state ESTABLISHED -j ACCEPT
                /sbin/iptables -A OUTPUT -o $EXTIF -d $src -p $protocol --dport $port \
                    -m state --state NEW,ESTABLISHED -j ACCEPT
            done
        fi
    done
}

# AcceptExt: let outside hosts reach services on this box on the given ports
# (new inbound connections on INPUT, their replies on OUTPUT).
# The third argument, when given, is matched as the local address (-d on INPUT, -s on OUTPUT).
AcceptExt() {
    protocol=$1
    ports=$2
    srcs=$3
    for port in `echo $ports | sed 's/,/ /g'`
    do
        if [ "$srcs" = "" ] ; then
            /sbin/iptables -A INPUT -i $EXTIF -p $protocol --dport $port \
                -m state --state NEW,ESTABLISHED -j ACCEPT
            /sbin/iptables -A OUTPUT -o $EXTIF -p $protocol --sport $port \
                -m state --state ESTABLISHED -j ACCEPT
        else
            for src in `echo $srcs | sed 's/,/ /g'`
            do
                /sbin/iptables -A INPUT -i $EXTIF -d $src -p $protocol --dport $port \
                    -m state --state NEW,ESTABLISHED -j ACCEPT
                /sbin/iptables -A OUTPUT -o $EXTIF -s $src -p $protocol --sport $port \
                    -m state --state ESTABLISHED -j ACCEPT
            done
        fi
    done
}

AcceptInt tcp 80,20,21,25,23,22,110,113
AcceptExt tcp 80,20,21,25,22,113

> Aoba-ku, Yokohama, Kanagawa Prefecture
> 樋口 崇
> higu...@m21.alpha-net.ne.jp


---
(Higuchi)
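An added check, not part of Higuchi's post: iptables applies the first matching rule in a chain, so an ACCEPT appended with `-A` that lands after an existing catch-all REJECT or DROP never fires. The function below reads a listing in the format of `iptables -L INPUT -n --line-numbers` (the embedded listing is a constructed sample, not a real capture) and reports, for one TCP port, whether its ACCEPT rule is live, shadowed by an earlier catch-all, or missing.

```shell
#!/bin/sh
# Added example (not from the original post). Given the text of
# `iptables -L INPUT -n --line-numbers`, decide whether the ACCEPT rule for a
# TCP destination port can ever match, or whether an earlier catch-all
# REJECT/DROP rule shadows it. Column layout assumed:
#   num target prot opt source destination [match details]

# Constructed sample (not a real capture): rules 3 and 4 were appended with -A
# after a catch-all REJECT at rule 2, so they are dead rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
2    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 state NEW,ESTABLISHED'

# rule_status PORT LISTING -> prints one of: ok | shadowed:<catch-all rule number> | missing
rule_status() {
    printf '%s\n' "$2" | awk -v port="$1" '
        # Only numbered rule lines matter; skip the chain and column headers.
        $1 !~ /^[0-9]+$/ { next }
        # First DROP/REJECT matching any source, any destination and no port
        # is a catch-all; remember its position.
        !catchall && ($2 == "DROP" || $2 == "REJECT") && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && $0 !~ /dpt:|spt:/ { catchall = $1 + 0 }
        # First ACCEPT whose match is "tcp dpt:<port>".
        !accept && $2 == "ACCEPT" && $0 ~ ("tcp dpt:" port "( |$)") { accept = $1 + 0 }
        END {
            if (!accept)                            print "missing"
            else if (catchall && catchall < accept) print "shadowed:" catchall
            else                                    print "ok"
        }'
}

for p in 22 80 25 21; do
    printf 'tcp/%s -> %s\n' "$p" "$(rule_status "$p" "$SAMPLE_LISTING")"
done
# prints: tcp/22 -> ok, tcp/80 -> shadowed:2, tcp/25 -> shadowed:2, tcp/21 -> missing
```

A shadowed rule is fixed by inserting it above the catch-all (`iptables -I INPUT <catch-all number> ...`) instead of appending with `-A`.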

Toshiaki Okada

Apr 12, 2002, 9:31:29 PM
to linux...@linux.or.jp
unsubscribe linux-users Toshiak...@NIandC.co.jp

橋端 博士

Apr 14, 2002, 9:40:23 AM
to linux...@linux.or.jp
subscribe linux-users

