Firewall does not open the ports

1. Firewall does not open the ports

Wellington Rodrigues
wellrodrigues

(uses Debian)

Posted on 07/04/2016 - 16:38h

Folks, here's the situation:

I am setting up a proxy here at the company. When I try to open ports in iptables, it seems they are not being opened; when I run the nmap command, it returns the following response:

root@FSASRVPROXY:~# nmap -sT -O localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-07 15:34 BRT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00057s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3128/tcp open squid-http
10000/tcp open snet-sensor-mgmt
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.15
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.69 seconds


Note that some ports are open, but in this case it was not me who opened them; it was the installation of the programs.

If I run ifconfig lo down and repeat the command, I get the following result:

root@FSASRVPROXY:~# nmap -sT -O localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-07 15:49 BRT
pcap_open_live(lo, 8192, 0, 200) FAILED. Reported error: lo: That device is not up. Will wait 5 seconds then retry.
pcap_open_live(lo, 8192, 0, 200) FAILED. Reported error: lo: That device is not up. Will wait 25 seconds then retry.
Call to pcap_open_live() failed three times. There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with PACKET enabled.
*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).
*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.
SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-Pn -sT localhost" though.


QUITTING!


When I try to use my IP address:

root@FSASRVPROXY:~# nmap 192.168.0.230

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-07 16:29 BRT
pcap_open_live(lo, 256, 0, 200) FAILED. Reported error: lo: That device is not up. Will wait 5 seconds then retry.
pcap_open_live(lo, 256, 0, 200) FAILED. Reported error: lo: That device is not up. Will wait 25 seconds then retry.
Call to pcap_open_live() failed three times. There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with PACKET enabled.
*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).
*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.
SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-Pn -sT localhost" though.


QUITTING!


But in my firewall I have already added several rules, and only the open ports above show up, and no other new rule added to my iptables.

I believe my firewall is redirecting my ports to the loopback interface, which is why nothing takes effect; no rule works for anything. Worse, I always check with iptables -L and see that the rule is active in iptables, but in practice it does not work.


  


2. Re: Firewall does not open the ports

Renan Arantes
R3nan

(uses Debian)

Posted on 07/04/2016 - 17:53h

Here's the thing: the firewall only serves to control access to network services; the network service is what is responsible for the port itself. An example: the ssh remote access service, which runs on port 22 by default. If you stop that service, even with no firewall rule applied at all, and try to use nmap, port 22 will not be shown, because there is no service running on that port. Does that make sense?
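
The point made in the reply above, as an added example that is not part of the original thread: a TCP connect probe (the same technique as `nmap -sT`) reports a port as open only while a process is listening on it. The names `probe` and `demo` are hypothetical, and the demo assumes the loopback interface is up.

```python
import socket


def probe(host, port, timeout=1.0):
    """TCP connect probe; returns an nmap-style state for one port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: reachable, but nothing listens
    except OSError:
        return "filtered"    # timeout or ICMP error: packets dropped/rejected
    finally:
        s.close()


def demo():
    """Return (state while a service listens, state after it is stopped)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # constructed listener on an ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]

    running = probe("127.0.0.1", port)

    srv.close()                     # "stop the service"; no firewall change
    stopped = probe("127.0.0.1", port)
    return running, stopped


if __name__ == "__main__":
    # An iptables ACCEPT rule for a port with no listener still yields
    # "closed"; only a DROP rule turns a port into "filtered".
    print(demo())
```

To see which process owns each open port from the scan, compare the result with the listening sockets reported by `ss -ltnp` or `netstat -ltnp`.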




3. Re: Firewall does not open the ports

Carlos Alberto de Souza Barbosa
souzacarlos

(uses Other)

Posted on 08/04/2016 - 08:42h

Good morning.

Post your code here.





