* Why are XMAS and NULLS scans not filtered with these rules?
From: Tasha Smith @ 2002-10-26 1:13 UTC (permalink / raw)
To: netfilter
Why, when scanning my system using nmap from a machine on a different network for
NULL scans and XMAS scans, do these rules still not filter my ports from these
sorts of scans? Here are my rules... anything else I can try to get them to
filter these scans??? I tried REJECT instead of DROP also, but nothing, they still
get through!
#!/bin/bash
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
# Disable ICMP redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# This will also update my IP address.
# (The cut arguments as posted were garbled: "-d: -f2" takes the text after
# "inet addr:", "-d' ' -f1" keeps just the address.)
INET_IP=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d' ' -f1`
# Used by the stateful web-client rule below; it was never set in the
# posted script, so that block was silently skipped.
CONNECTION_TRACKING=1
# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited access on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP
# All of the bits are cleared (this is what an nmap NULL scan sends)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP    # tried REJECT
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP    # tried REJECT
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP    # tried REJECT
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP    # tried REJECT
# FIN is set without the expected accompanying ACK
# (an nmap XMAS probe, FIN+PSH+URG, is caught by this rule as well)
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP    # tried REJECT
# PSH is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP    # tried REJECT
# URG is set without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP      # tried REJECT
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP    # tried REJECT
# Log policy for the first 25 ports UDP/TCP (-I puts these ahead of the
# DROP rules above, so matching probes are logged before being dropped).
iptables -I INPUT -i eth0 -p tcp \
    --dport 0:25 -j LOG --log-prefix "PortScans to 0-25TCP: "
iptables -I INPUT -i eth0 -p udp \
    --dport 0:25 -j LOG --log-prefix "PortScan-to 0-25UDP: "
# Allow stateful connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow access to remote web servers.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
        --sport 1024:65535 \
        --dport 80 -m state --state NEW -j ACCEPT
fi
# (Posted as "-s $eth0_address", a variable that was never defined, and with
# "-j ACCEPT" on a second line without a continuation backslash.)
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -s $INET_IP --sport 1024:65535 \
    -j ACCEPT
# FOR MY ISP DHCP
#iptables -A INPUT -i eth0 -p udp \
#    -s xxx.53.4.149 --sport 67 \
#    --dport 68 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp \
#    -s $INET_IP --sport 68 \
#    -d xxx.53.4.149 --dport 67 -j ACCEPT
# Forwarding stays off while this line is commented out; the FORWARD and
# MASQUERADE rules below do nothing until it is enabled.
# echo 1 > /proc/sys/net/ipv4/ip_forward
# Forwarding is allowed in the direction LAN (eth1) -> Internet (eth0)
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
# Masquerade (source NAT) everything leaving eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
* Re: Why are XMAS and NULLS scans not filtered with these rules?
From: Maciej Soltysiak @ 2002-10-26 10:46 UTC (permalink / raw)
To: Tasha Smith; +Cc: netfilter
Hi,
Try -j REJECT --reject-with tcp-reset
This way you'll tell nmap: go away, the port is closed.
A normal REJECT will issue an ICMP error message:
destination unreachable/port unreachable.
If you use DROP or simple REJECT, nmap will say: filtered.
If you use REJECT --reject-with tcp-reset, it will say: closed.
Note that if you use any REJECT and not DROP, nmap will get the packets
and will try OS fingerprinting on them.
Also note that it does not really give a scanner anything. I recommend
using DROP and not caring about the nmap results.
NMAP also sends a ping and then a TCP ACK packet with --dport 80, just
before it starts scanning. You may want to track down the unrelated TCP
ACKs with -p tcp and -m state --state NEW together.
Regards,
Maciej Soltysiak
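The exchange above comes down to two separate questions: do the posted --tcp-flags rules actually match NULL and XMAS probes, and what does nmap print when they do? The following is an added example, not code from either message, written in Python to answer both offline. It models the iptables "--tcp-flags MASK COMP" match (only the bits in MASK are examined and they must equal COMP), transcribes the flag rules from the posted INPUT chain in order, and uses the probe flag sets nmap documents for its NULL (-sN), FIN (-sF), XMAS (-sX), SYN (-sS) and ACK (-sA) scans. The state names are current nmap's: a NULL/FIN/XMAS probe that gets no answer is reported open|filtered, because an open port would also stay silent, while a RST means closed and an ICMP port-unreachable means filtered (older nmap releases labelled the silent case simply open, which is why a dropped NULL or XMAS probe can look as if nothing filtered it). The target names DROP, REJECT and REJECT-TCP-RESET are this example's own labels for the three jumps discussed in the thread.

```python
# Added example, not code from either message in the thread: a small model of
# how iptables "--tcp-flags MASK COMP" matches the probes nmap sends, and of
# the port state nmap infers from what the firewall sends back. The rule list
# is transcribed from the INPUT chain in the posted script; the probe flag sets
# are the ones nmap documents for -sN, -sF, -sX, -sS and -sA.

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_BITS = sum(FLAG_BITS.values())   # iptables "ALL" = SYN,ACK,FIN,RST,URG,PSH


def parse_flags(spec):
    """Parse an iptables flag list: 'SYN,FIN', 'ALL' or 'NONE' -> bitmask."""
    if spec == "ALL":
        return ALL_BITS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]
    return bits


def tcp_flags_match(mask_spec, comp_spec, flags):
    """iptables semantics: examine only the bits in MASK, require them == COMP."""
    return (flags & parse_flags(mask_spec)) == parse_flags(comp_spec)


# The flag rules from the posted INPUT chain, in the order they were appended.
RULES = [
    ("ALL", "NONE"),          # all bits cleared
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("ACK,FIN", "FIN"),       # FIN without ACK
    ("ACK,PSH", "PSH"),
    ("ACK,URG", "URG"),
]

# Probe flag sets per nmap scan type (constructed from the flag table above,
# not captured traffic).
PROBES = {
    "NULL": 0,
    "FIN": FLAG_BITS["FIN"],
    "XMAS": FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"],
    "SYN": FLAG_BITS["SYN"],
    "ACK": FLAG_BITS["ACK"],
}


def matching_rule(flags):
    """First (mask, comp) rule that fires for a packet with these flags, else None."""
    for mask, comp in RULES:
        if tcp_flags_match(mask, comp, flags):
            return (mask, comp)
    return None


def nmap_state(scan, response):
    """Port state nmap infers for one probe.

    response: 'none' (packet dropped), 'rst' (a TCP RST came back, i.e.
    REJECT --reject-with tcp-reset) or 'icmp-unreach' (plain REJECT, which
    answers with ICMP port-unreachable).
    """
    if response == "icmp-unreach":
        return "filtered"
    if scan == "ACK":
        # An ACK scan only tells whether a stateful filter is in the way.
        return "unfiltered" if response == "rst" else "filtered"
    if response == "rst":
        return "closed"
    # Silence: a SYN probe is reported filtered, but NULL/FIN/XMAS probes
    # would be silent on an open port too, so nmap cannot tell the two apart.
    return "open|filtered" if scan in ("NULL", "FIN", "XMAS") else "filtered"


def evaluate(scan, target):
    """Run one probe through the rules and return (rule_hit, nmap_state).

    target is the jump used on the flag rules: 'DROP', 'REJECT' or
    'REJECT-TCP-RESET' (labels used by this example). Probes that no flag
    rule catches fall through to the script's default INPUT policy, DROP.
    """
    rule = matching_rule(PROBES[scan])
    if rule is None:
        response = "none"
    else:
        response = {"DROP": "none", "REJECT": "icmp-unreach",
                    "REJECT-TCP-RESET": "rst"}[target]
    return rule, nmap_state(scan, response)


if __name__ == "__main__":
    for target in ("DROP", "REJECT", "REJECT-TCP-RESET"):
        for scan in PROBES:
            rule, state = evaluate(scan, target)
            print(f"{target:17} {scan:5} rule={rule!s:22} nmap says: {state}")
```

Running it shows that the NULL probe is caught by the "ALL NONE" rule and the XMAS probe by the "ACK,FIN FIN" rule, so the posted rules do match; with DROP the verdict is open|filtered, with plain REJECT it is filtered, and only the tcp-reset reject produces closed, which is Maciej's point. The SYN and ACK probes match none of the flag rules and are discarded by the default policy instead, which is why a SYN scan of the same host reports filtered.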