From: Tasha Smith <natasha3641@yahoo.com>
To: netfilter@lists.netfilter.org
Subject: Why are XMAS and NULLS scans not filtered with these rules?
Date: Fri, 25 Oct 2002 18:13:29 -0700 (PDT)
Message-ID: <20021026011329.71679.qmail@web40707.mail.yahoo.com>

Why, when scanning my system using nmap from a machine on a different network for
NULL scans and XMAS scans, do these rules still not filter my ports from these
sorts of scans? Here are my rules... anything else I can try to get them to
filter these scans??? I tried REJECT instead of DROP also, but nothing, they still
get through!

#!/bin/bash

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	echo 0 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	echo 0 > $f
done
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
	echo 0 > $f
done

# Enable TCP SYN Cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# This will also update my IP address (field after "inet addr:", up to the first space).
INET_IP=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d' ' -f1`

# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited access on the loopback interface.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT

# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP

# All of the bits are cleared (NULL scan)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP    # tried REJECT
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # tried REJECT
# SYN and RST are both set.
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # tried REJECT
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP  # tried REJECT
# FIN is set without the expected accompanying ACK (FIN and XMAS scans)
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP  # tried REJECT
# PSH is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP  # tried REJECT
# URG is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP    # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP  # tried REJECT

# Log Policy for first 25 ports UDP/TCP.
iptables -I INPUT -i eth0 -p tcp \
         --dport 0:25 -j LOG --log-prefix "PortScans to 0-25TCP: "

iptables -I INPUT -i eth0 -p udp \
         --dport 0:25 -j LOG --log-prefix "PortScan-to 0-25UDP: "

# Allow stateful connections 
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow access for accessing remote web servers.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
             --sport 1024:65535 \
             --dport 80 -m state --state NEW -j ACCEPT
fi

# INET_IP is the eth0 address computed above.
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -s $INET_IP --sport 1024:65535 \
         -j ACCEPT


# FOR MY ISP DHCP
#iptables -A INPUT -i eth0 -p udp \
#         -s xxx.53.4.149 --sport 67 \
#         --dport 68 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp \
#         -s eth0 --sport 68 \
#         -d xxx.53.4.149 --dport 67 -j ACCEPT


# echo 1 > /proc/sys/net/ipv4/ip_forward


# Forwarding is allowed in the direction
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT 

# Enables Packet Forwarding
iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE


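As an added example (not part of the original post), the following Python models the `--tcp-flags mask comp` test iptables applies and runs the posted INPUT-chain DROP rules against the flag sets nmap's NULL, XMAS and FIN probes carry, showing that NULL is caught by the `ALL NONE` rule and XMAS by `ACK,FIN FIN`, so those probes are dropped rather than passed. The probe flag sets and rule labels are constructed here for the demonstration.

```python
# Added example, not from the original post: models iptables' --tcp-flags
# "mask comp" test and runs the INPUT-chain DROP rules from the script above
# against constructed probe flag sets (nmap NULL, XMAS, FIN; plus SYN and ACK).

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def flagset(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return sum(FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))

def tcp_flags_match(pkt_flags, mask, comp):
    """--tcp-flags mask comp: among the bits in mask, exactly comp are set."""
    return pkt_flags & flagset(mask) == flagset(comp)

# The DROP rules from the posted script, in chain order: (mask, comp, label).
RULES = [
    ("ALL", "NONE", "all bits cleared"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("FIN,RST", "FIN,RST", "FIN+RST"),
    ("ACK,FIN", "FIN", "FIN without ACK"),
    ("ACK,PSH", "PSH", "PSH without ACK"),
    ("ACK,URG", "URG", "URG without ACK"),
]

# Constructed probe flag combinations (nmap -sN, -sX, -sF, and normal SYN/ACK).
PROBES = {"NULL": flagset("NONE"), "XMAS": flagset("FIN,PSH,URG"),
          "FIN": flagset("FIN"), "SYN": flagset("SYN"), "ACK": flagset("ACK")}

def first_matching_rule(pkt_flags):
    """Label of the first DROP rule the packet hits, or None if it passes."""
    for mask, comp, label in RULES:
        if tcp_flags_match(pkt_flags, mask, comp):
            return label
    return None

def classify_probes():
    """Map each probe name to the DROP rule it triggers (None = not dropped)."""
    return {name: first_matching_rule(bits) for name, bits in PROBES.items()}

if __name__ == "__main__":
    for name, hit in classify_probes().items():
        print(f"{name:4s} -> {'DROP: ' + hit if hit else 'no DROP rule matched'}")
```

nmap reports a NULL, XMAS or FIN probe that draws no reply as open|filtered, which is exactly what DROP produces, so "open|filtered" on every port is the expected result of these rules rather than a sign the probes got through. REJECT answers with an ICMP port-unreachable instead, which nmap reports as filtered.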


Thread overview: 2+ messages
2002-10-26  1:13 Tasha Smith [this message]
2002-10-26 10:46 ` Why are XMAS and NULLS scans not filtered with these rules? Maciej Soltysiak