I'm running a server where iptables is configured with a default DROP policy and I’ve only explicitly allowed certain ports (e.g., HTTP, HTTPS, SSH on port 22, etc.). Despite never adding a rule for port 1111 that i configured to listen also for ssh, I can still successfully SSH into port 1111 from an external IP (my phone’s hotspot). I’ve confirmed the firewall script sets a DROP policy for all incoming connections except the ports I allow, and yet 1111 remains open. I’ve ruled out loopback traffic, and I’m not reusing an established connection. The big mystery is why port 1111 is accessible even though iptables seems to show it should be dropped.
case "$1" in
start)
echo "[Firewall] Démarrage des règles complètes..."
# Reset
$IPT -t filter -F
$IPT -t filter -X
# Politique par défaut : tout bloquer
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Reset
#$IPT -t filter -F
#$IPT -t filter -X
# Connexions déjà établies
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A INPUT -j ACCEPT
#$IPT -A OUTPUT -j ACCEPT
#SSH
$IPT -I INPUT 1 -p tcp --dport 22 ! -s $ENTREPRISE_IP -j DROP
#Loopback
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -I OUTPUT 1 -o lo -j ACCEPT
# HTTP/HTTPS
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
# ICMP limité
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Anti scan/paquets suspects
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Protection contre SYN flood
$IPT -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
$IPT -A INPUT -p tcp --syn -j DROP
# SSH uniquement depuis une IP précise
$IPT -A INPUT -p tcp --dport 22 -s 77.159.220.158 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j DROP
#$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT , à revoir si le serveur se connecte ailleurs avec ssh
# DNS (résolution uniquement)
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
# FTP (SFTP personnalisé ? sur port 2222)
$IPT -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 2222 -s 149.202.189.40 -j ACCEPT
# Mail (port 587)
$IPT -A INPUT -p tcp --dport 587 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 587 -j ACCEPT #à revoir
# MySQL (accès restreint à IP entreprise)
$IPT -A INPUT -p tcp --dport 3306 -s $ENTREPRISE_IP -j ACCEPT
# Nagios
$IPT -A INPUT -p tcp --dport 5666 -s 149.202.189.40 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 5666 -j ACCEPT
# NTP
$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
# YAZ (port 210) à discuter
$IPT -A INPUT -p tcp --dport 210 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 210 -j ACCEPT
echo "[Firewall] Règles complètes appliquées."
exit 0
;;
stop)
# Reset et tout autoriser
echo "[Firewall] Mode minimal (SSH uniquement)..."
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
#$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A OUTPUT -o lo -j ACCEPT
#$IPT -A INPUT -p tcp --dport 22 -s $ENTREPRISE_IP -j ACCEPT
exit 0
;;
restart)
$0 stop
sleep 1
$0 start
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esacroot@betalimbgallery:/home/ubuntu# iptables -L -v
Chain INPUT (policy DROP 5 packets, 220 bytes)
pkts bytes target prot opt in out source destination
8669 3126K ACCEPT all -- lo any anywhere anywhere
15 900 DROP tcp -- any any !158.220.159.77.rev.sfr.net anywhere tcp dpt:ssh
6565 2460K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 208 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
31 1920 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8443
211 6966 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
257 10304 DROP all -- any any anywhere anywhere state INVALID
1833 224K DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
74 3880 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 3
1 52 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any 158.220.159.77.rev.sfr.net anywhere tcp dpt:ssh
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2222 state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT tcp -- any any 158.220.159.77.rev.sfr.net anywhere tcp dpt:mysql
0 0 ACCEPT tcp -- any any 149.202.189.40 anywhere tcp dpt:nrpe
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:z3950
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
8669 3126K ACCEPT all -- any lo anywhere anywhere
8572 8164K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
26 2045 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any 149.202.189.40 anywhere tcp dpt:2222
259 15520 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:nrpe
5 380 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:z3950
root@betalimbgallery:/home/ubuntu#
Asked by Achraf Maakoul
(1 rep)
Mar 31, 2025, 12:38 PM
Last activity: Apr 27, 2025, 06:13 PM
Last activity: Apr 27, 2025, 06:13 PM