
Port Blocking

Discussion in 'Tomato Firmware' started by mikester, Feb 9, 2007.

  1. mikester

    mikester Network Guru Member

    Seems that Tomato leaves pretty much every port open and responds to most port scans.

    I've tried using iptables under scripts/firewall but they don't seem to make any difference. Any hints?

    iptables -I INPUT -s 4.79.142.192 -j DROP
     
  2. ntest7

    ntest7 Network Guru Member

    Not true. You need to scan from outside your network.
    Even from inside, only the ports you enable (DNS, ssh, telnet, web admin) are open.
     
  3. digitalgeek

    digitalgeek Network Guru Member

  4. larsrya8

    larsrya8 LI Guru Member

    You don't have anything in the DMZ do you?
     
  5. mikester

    mikester Network Guru Member

    DMZ is closed and I ran a port scan on "shields up" which is where I found the problem. HTTP, HTTPS and FTP are all considered "stealth" mode but most other ports are reported as "open" by shields up.

    What got my attention was that Wallwatcher identified one IP that has been hitting our firewall daily checking TCP ports 1080 and 6588.

    I've been watching LAN network traffic using wireshark but don't see any "errant" processes going out to make connections.

    So what do you guys recommend?
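The pattern described above (one source hitting the firewall daily on the same two ports) is easiest to judge from the router's own log rather than a scan. The script below is an added example, not code from the thread, from Tomato or from Wallwatcher; it assumes the router logs blocked packets in the kernel netfilter LOG format with a "DROP" prefix and that the WAN interface is vlan1 (both assumptions), and it works on constructed sample lines that use documentation addresses.

```python
"""Summarise repeated WAN-side drops from a netfilter LOG feed.

Added example, not from the thread or from Tomato/Wallwatcher. Assumes the
router logs blocked packets in netfilter LOG format with a "DROP" prefix and
that the WAN interface is vlan1 (both are assumptions).
"""
import re
from collections import defaultdict

# Constructed sample (documentation addresses, not real traffic): one source
# probes TCP 1080 and 6588 on several days, a second source probes once, and
# one line comes from the LAN bridge (br0) and must be ignored.
SAMPLE_LOG = """\
Feb  7 03:14:02 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.124 LEN=48 TTL=113 ID=4521 DF PROTO=TCP SPT=2345 DPT=1080 WINDOW=65535 SYN URGP=0
Feb  7 03:14:03 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.124 LEN=48 TTL=113 ID=4522 DF PROTO=TCP SPT=2346 DPT=6588 WINDOW=65535 SYN URGP=0
Feb  8 03:15:11 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.124 LEN=48 TTL=113 ID=7810 DF PROTO=TCP SPT=3001 DPT=1080 WINDOW=65535 SYN URGP=0
Feb  9 03:13:58 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.124 LEN=48 TTL=113 ID=9932 DF PROTO=TCP SPT=3777 DPT=1080 WINDOW=65535 SYN URGP=0
Feb  9 03:13:59 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.124 LEN=48 TTL=113 ID=9933 DF PROTO=TCP SPT=3778 DPT=6588 WINDOW=65535 SYN URGP=0
Feb  9 11:02:40 tomato kernel: DROP IN=vlan1 OUT= SRC=192.0.2.55 DST=198.51.100.124 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 SYN URGP=0
Feb  9 11:05:00 tomato kernel: DROP IN=br0 OUT= SRC=192.168.1.105 DST=192.168.1.1 LEN=60 TTL=64 ID=88 DF PROTO=TCP SPT=41000 DPT=23 WINDOW=5840 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the LOG prefix, then the key=value fields
LINE_RE = re.compile(r"^(\w{3}\s+\d+) (\d\d:\d\d:\d\d) \S+ kernel: (\S+) (.*)$")


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a LOG entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day, clock, prefix, rest = m.groups()
    # Flag tokens such as "DF" or "SYN" carry no "=", so they are skipped.
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields.update(day=day, time=clock, prefix=prefix)
    return fields


def repeat_sources(lines, wan_if="vlan1", min_days=2):
    """Map (src, proto, dpt) to the number of distinct days it was dropped on
    the WAN side, keeping only tuples seen on at least min_days days."""
    days = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != "DROP" or rec.get("IN") != wan_if:
            continue
        key = (rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))
        days[key].add(rec["day"])
    return {k: len(v) for k, v in days.items() if len(v) >= min_days}


if __name__ == "__main__":
    for (src, proto, dpt), n in sorted(repeat_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} -> {proto}/{dpt}: dropped on {n} distinct days")
```

Filtering on the inbound interface matters: drops logged with IN=br0 are LAN-side noise and would otherwise inflate the counts. Packets that show up here as DROP have already been blocked, so a persistent source in this report is a nuisance to track, not evidence of an open port.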
     
  6. myersw

    myersw Network Guru Member

    Interesting. I just tried shields up and was in True Stealth mode. The router is in defaults except for setting up wireless and my PPPoE connection.
    --bill
     
  7. roadkill

    roadkill Super Moderator Staff Member Member

    I got the same results... True Stealth and I don't have anything special configured...
    mikester: maybe you got some UPNP rules configured...dunno :dunce:
    you can check open connection and listen ports using TCPview
     
  8. fareal

    fareal LI Guru Member

    more true stealth results here
     
  9. JensG

    JensG Network Guru Member

    And true stealth here too.
     
  10. mikester

    mikester Network Guru Member

    What the heck's going on then...anybody care to post their iptables -L (block out IPs and MAC of course)?

    UPnP is disabled...

    Maybe time to re-install 1.04?
     
  11. larsrya8

    larsrya8 LI Guru Member

    unknown login: root
    Password:


    Tomato v1.03.0943


    BusyBox v1.2.2 (2007.01.21-13:43+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP 0 -- anywhere anywhere state INVALID
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    restrict 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    wanin 0 -- anywhere anywhere
    wanout 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere
    upnp 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain restrict (1 references)
    target prot opt source destination
    rres01 0 -- anywhere anywhere

    Chain rres01 (1 references)
    target prot opt source destination
    DROP tcp -- anywhere anywhere tcp dpt:auth
    DROP udp -- anywhere anywhere udp dpt:113

    Chain upnp (1 references)
    target prot opt source destination
    ACCEPT udp -- anywhere 192.168.1.108 udp dpt:#####
    ACCEPT udp -- anywhere 192.168.1.105 udp dpt:#####
    ACCEPT udp -- anywhere Brandon udp dpt:#####
    ACCEPT udp -- anywhere donnie udp dpt:#####
    ACCEPT tcp -- anywhere donnie tcp dpt:#####
    ACCEPT udp -- anywhere Hal udp dpt:#####
    ACCEPT tcp -- anywhere Hal tcp dpt:#####
    ACCEPT tcp -- anywhere Hal tcp dpt:#####

    Chain wanin (1 references)
    target prot opt source destination

    Chain wanout (1 references)
    target prot opt source destination
    #


    I added the 113 rule, otherwise it's just UPnP and the stock settings. Haven't installed 1.04 because I don't need it... should be the same though.
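One thing the listing above does not show is why the two bare "ACCEPT 0 -- anywhere anywhere" lines in INPUT are safe: plain `iptables -L` omits the in/out interface columns, so interface-bound rules (loopback, the LAN bridge) look like catch-alls. The script below is an added example, not code from the thread or from Tomato; it parses a listing in the same plain `-L` layout (a constructed, trimmed copy of the one above) and flags an INPUT policy other than DROP and any ACCEPT with no visible match, pointing at `iptables -L INPUT -v -n` as the way to see which interface such a rule is really bound to.

```python
"""Audit an `iptables -L` listing for catch-all ACCEPT rules in INPUT.

Added example, not from the thread or from Tomato. Assumes the plain
`iptables -L` output layout (no -v, so no interface columns), which is
exactly why a rule bound to an interface can look unconditional here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed listing in the layout a Tomato router prints.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere state INVALID

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain rres01 (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp dpt:113
"""


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    match: str  # everything after the destination column ("state INVALID", "tcp dpt:auth", ...)


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # built-in chains have a policy, user chains have None
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse plain `iptables -L` text into chains keyed by name."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("target prot opt") or current is None:
            continue
        parts = line.split(None, 5)  # target prot opt source destination [match...]
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        current.rules.append(Rule(target, prot, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains


def unconditional_accepts(chain: Chain) -> List[Rule]:
    """ACCEPT rules with wildcard addresses and no visible match text."""
    return [r for r in chain.rules
            if r.target == "ACCEPT" and not r.match
            and r.source == "anywhere" and r.destination == "anywhere"]


def audit(text: str) -> List[str]:
    """Return human-readable findings for the INPUT chain."""
    chains = parse_listing(text)
    inp = chains.get("INPUT")
    if inp is None:
        return ["no INPUT chain found"]
    findings = []
    if inp.policy != "DROP":
        findings.append(f"INPUT policy is {inp.policy}, expected DROP")
    for _ in unconditional_accepts(inp):
        findings.append("INPUT has an ACCEPT with no visible match; run "
                        "`iptables -L INPUT -v -n` to see the interface it is bound to")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample it reports the two bare ACCEPT lines and nothing else, since the policy is already DROP. The rres01 entries parse with their match text intact ("tcp dpt:auth", "udp dpt:113"), which is the 113 rule mentioned above; `-n` would print the port number instead of the service name.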
     
  12. digitalgeek

    digitalgeek Network Guru Member

    My router is basically default... PPPoE/DynDns/2 Ports Hard forward/I even have SSH enabled I got true stealth.
     
  13. mikester

    mikester Network Guru Member

    Thanks Larsrya8 - I'm gonna do a comparison of the IPTABLES

    Here's the screen shot from Shields Up

    I cleared NVRAM

    Downgraded to stock linksys firmware using default settings
    then tried hyperwrt using default settings
    then went back to 1.04 using default settings

    all got the same results

    yes I cleared browser cache in between tests too.

    Would anybody be willing to post their results from Shieldsup?

    Mike
     


  14. larsrya8

    larsrya8 LI Guru Member

    My ShieldsUp is all green. Is it showing the correct IP address when you start the test?
     
  15. digitalgeek

    digitalgeek Network Guru Member

    Here you go... no firewall script... basically default config.

     
  16. mikester

    mikester Network Guru Member

    Well I'm ready to give up - maybe I'll swap routers and see if there's a difference.

    Here's a thought - my IP comes from the SAT modem
    SAT Modem xxx.xxx.xxx.123
    WRT xxx.xxx.xxx.124

    And I'm coming in through xxx.xxx.xxx.124

    Could the SAT modem be responding to the port requests because of the routing? (I'm grasping at straws here) Wallwatcher says the port requests are being ignored yet Shieldsup says they get a response. Doesn't make any sense to me.
     
  17. digitalgeek

    digitalgeek Network Guru Member

    I can't see why a SAT isp would make any difference. I have run GRC at work and gotten mostly TruStealth (port 113, which most routers have difficulty stealthing). I have seen similar results with cable and dsl connections.

    Have you tried running the port test from Thibor or original?
     
  18. mikester

    mikester Network Guru Member

    I did the port test with stock linksys, then Thibor 15.c, then Tomato 1.02. All with standard out of the box firewall settings. I finally went back to my config.

    Here's the interesting part - all other port test web sites show my Sat NOC/Proxy's address, not my static IP. Shieldsup is the only one that displays my real Static IP. I'm wondering if the proxy is responding to the shieldsup port scan, not my firewall.

    I think shields up is doing something odd. I just scanned port 80 and it says it's open when I know it's closed.

    Wallwatcher only shows port 443 being accessed during the test from grc.com as outgoing connections.

    hackerwatch.org reports everything closed, but I don't know what IP it's scanning.
     
  19. GeeTek

    GeeTek Guest

    The big router at satellite ISPeez is very goofy, and will give you the types of results you see. It has nothing to do with your home Tomato router.
     
  20. mikester

    mikester Network Guru Member

    Thanks GeeTek.

    I was getting a little nervous as I had someone run an nmap scan. Internally nmap showed everything was closed, externally it was a mixed bag.

    Finally got a "semi" explanation on a SAT user forum. Other users have reported the same responses about their firewalls. I'm posting it here for others who might find the same problem in the future with SAT ISPs.

    http://www.dslreports.com/forum/remark,8320158

    At least I now have a "plausible" explanation for seeing persistent attempts on my firewall by a particular IP address on ports 1080 and 6588.
     
