Purpose: To illustrate, in basic terms, how iptables relates to port traffic, and provide methods for looking at port traffic. Basically, describe iptables -L, netstat -ntlp, netstat -an, and what ports are associated to what services.
Incoming Traffic Ports for Unsolicited Traffic
The iptables service is the firewall running under Linux that ultimately controls access to the system. The way it generally works is that outgoing sessions, which are established using applications such as Firefox and Sametime Connect, are granted access though the firewall automatically and any unsolicited access is only allowed if the port is open. For example, if the SSH service is running on the local system, the only way traffic would be allowed in, is for the firewall to allow access to the port used for SSH, port 22.
Conversely, users from the local system would be allowed to SSH into other machines, regardless of whether the port was opened or not, since it originated from inside the firewall. This process is similar to a home router that denies access to outsiders, but the computers inside the local network are allowed to function as if the router was not there.
Commonly used ports
Each type of service has a unique port number assigned to it, that is universal to any machine using Windows, Linux, AIX, etc.
Commonly used ports in Open Client for Linux:
| Port number | Service type |
| 20,21 | ftp |
| 22 | ssh |
| 23 | telnet |
| 80 | web pages (http), CLAIM, yum |
| 111 | rpc portmap |
| 515 | LPR printing |
| 631 | IPP/ CUPSD printing |
| 789 | rpc mountd |
| 1352 | Lotus Notes Plugin (use this port when replicating) |
| 1500 | TSM (backup software) |
| 1533 | IBM Sanity, Sametime Connect |
| 2049 | NFS , GSA |
| 2809 | LWP login |
| 4000-4003 | NFS ports |
| 5190 | AOL AIM, chat port |
| 5901 | default VNC server port |
| 59xx | defined VNC ports |
| 6000 | X11 Gnome KDE Windows display port |
| 700x | AFS servers |
| 7001, 7002 | AFS Client UDP ports |
| 8979 | Mobility Client |
| 9100 | printing |
| 10555 | Mobility Client |
Iptables Ruleset
To view the firewall rules, log in as root, using su - , and type iptables at the prompt.
Note: This example is a generalization; iptables can become much more complicated, which is not in the scope of this document.
[root @host ~]# /sbin/iptables -L INPUT | grep ACCEPT
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:20000
ACCEPT tcp -- anywhere anywhere tcp dpt:cfengine
ACCEPT tcp -- anywhere anywhere tcp dpt:5900
ACCEPT tcp -- anywhere anywhere tcp dpt:5901
ACCEPT tcp -- anywhere anywhere tcp dpts:5901:cvsup
ACCEPT tcp -- anywhere anywhere tcp dpt:5656
Services Waiting For Incoming Traffic
Using the netstat -ntlpcommand, users can determine what services are waiting for incoming connections from either external unsolicited sources, such as SSH, or even internal services, such as X11. External connection requests will never reach these waiting services if the iptables rules do not allow them in. For example, if the iptables rules do not allow in SSH, the SSH server service will endlessly be waiting for incoming connections that will ultimately never reach it. This is working as designed, as other service ports such as 6000 (X11) can be compromised in some cases, leading to malicious users gaining access to whatever information is displayed on the user's desktop.
# /bin/netstat -ntlp
| Proto | Recv-Q | Send-Q | Local Address | Foreign Address | State | PID/Program name |
| tcp | 0 | 0 | 0.0.0.0:2049 | 0.0.0.0: * | LISTEN | - |
| tcp | 0 | 0 | 0.0.0.0:32769 | 0.0.0.0: * | LISTEN | 2607/rpc.statd |
| tcp | 0 | 0 | 0.0.0.0:32770 | 0.0.0.0: * | LISTEN | - |
| tcp | 0 | 0 | 0.0.0.0:111 | 0.0.0.0: * | LISTEN | 2585/portmap |
| tcp | 0 | 0 | 0.0.0.0: 6000 | 0.0.0.0: * | LISTEN | 3860/X |
| tcp | 0 | 0 | 0.0.0.0: 8979 | 0.0.0.0: * | LISTEN | 20422/wcstatusd |
| tcp | 0 | 0 | 0.0.0.0: 789 | 0.0.0.0: * | LISTEN | 3154/rpc.mountd |
| tcp | 0 | 0 | 0.0.0.0: 22 | 0.0.0.0: * | LISTEN | 3029/sshd |
| tcp | 0 | 0 | 0.0.0.0: 631 | 0.0.0.0: * | LISTEN | 2973/cupsd |
| tcp | 0 | 0 | 0.0.0.0: 10555 | 0.0.0.0: * | LISTEN | 20412/wclientd |
Looking at all of the current connections
If users want more detail, they can try starting everything on a machine and see which ports are being used by typing netstat, netstat -an, or netstat -s -p, in a prompt.
Typing *netstat -an | egrep -i "udp|tcp"*allows users to see all of the port interaction currently occurring on their systems. TCP is one type of connection and UDP is another. Generally speaking, the columns below are port type, status, port number, incoming IP, and state, for all of the UDP/TCP ports. The LISTEN ports indicate services, such as SSH, waiting for incoming traffic; ESTABLISHED are current sessions from services or applications such as Firefox, and UDP ports are not going to have a listing status.
[user@host ~]$ netstat -an | egrep -i "udp|tcp"
| tcp | 0 | 0 | 0.0.0.0:32768 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:32769 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:2049 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:808 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:782 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:111 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:6000 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 127.0.0.1:8979 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:50644 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:22 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 127.0.0.1:631 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 127.0.0.1:10555 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:14942 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 0.0.0.0:14943 | 0.0.0.0.* | LISTEN |
| tcp | 0 | 0 | 9.62.14.191:35576 | 9.17.136.20:1533 | ESTABLISHED |
| tcp | 0 | 0 | 9.62.14.191:35588 | 9.10.228.164:389 | ESTABLISHED |
| tcp | 0 | 0 | 9.62.14.191:35553 | 9.2.253.106:119 | ESTABLISHED |
| tcp | 0 | 0 | 9.62.14.191:35441 | 9.56.227.79:1352 | ESTABLISHED |
| tcp | 1 | 0 | 127.0.0.1:35096 | 127.0.0.1:631 | CLOSE_WAIT |
| udp | 0 | 0 | 0.0.0.0:32768 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:2049 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:32770 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:779 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:805 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:177 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:68 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:111 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:754 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:631 | 0.0.0.0.* | |
| udp | 0 | 0 | 192.168.1.15:123 | 0.0.0.0.* | |
| udp | 0 | 0 | 127.0.0.1:123 | 0.0.0.0.* | |
| udp | 0 | 0 | 0.0.0.0:123 | 0.0.0.0.* |
0 comments
Post a Comment