* Port Scanning: Is there a difference between stateful INVALID filtering and stateless TCP flag filtering?
@ 2010-02-24 8:18 paddy joesoap
From: paddy joesoap @ 2010-02-24 8:18 UTC (permalink / raw)
To: netfilter
Hello everyone,
When preventing (nmap) port scans is it better to use the
connection-tracking INVALID option or use a set of TCP flag filters or
both?
Note, by my calculations there are 21 possible combinations of TCP
flags, this includes legal and illegal flag combinations.
ASIDE:
Can stateful filtering using NEW and ESTABLISHED on their own also
work, given that connection-tracking is supposed to be tracking
connections?
For example, allow outbound NEW and ESTABLISHED traffic and allow
inbound traffic recognised as ESTABLISHED.
Would these stateful operations prevent nmap scanning?
I saw a few examples where the stateless tcp syn flag match was used
(by checking that no other flag was set) in conjunction with the NEW
operator.
For example, iptables -A INPUT -p tcp ! --syn -m state --state NEW -j
DROP # using the not (!) operator
Why is this the case? I would have imagined that the NEW operator,
would require by default that only a syn flag be present. Unless the
NEW operator does not check by default that no other flag is enabled
in conjunction with the syn flag. Would this be the case?
* Re: Port Scanning: Is there a difference between stateful INVALID filtering and stateless TCP flag filtering?
From: Mart Frauenlob @ 2010-02-24 11:12 UTC (permalink / raw)
To: netfilter
On 24.02.2010 09:18, netfilter-owner@vger.kernel.org wrote:
> Hello everyone,
>
> When preventing (nmap) port scans is it better to use the
> connection-tracking INVALID option or use a set of TCP flag filters or
> both?
>
> Note, by my calculations there are 21 possible combinations of TCP
> flags, this includes legal and illegal flag combinations.
>
> ASIDE:
> Can stateful filtering using NEW and ESTABLISHED on their own also
> work, given that connection-tracking is supposed to be tracking
> connections?
> For example, allow outbound NEW and ESTABLISHED traffic and allow
> inbound traffic recognised as ESTABLISHED.
> Would these stateful operations prevent nmap scanning?
Why are you so much afraid of nmap scans???
You cannot prevent them, you can just drop them.
It's not the first time you come here to ask the same thing.
Did you ever TRY IT OUT?
iptables -I INPUT -m state --state INVALID -j LOG
iptables -I INPUT -m state --state INVALID -j DROP
then start your nmap scans... you will see what it catches....
http://jengelh.medozas.de/projects/chaostables/ <- read this!
http://xtables-addons.sf.net/ <- includes portscan detection module.
>
> I saw a few examples where the stateless tcp syn flag match was used
> (by checking that no other flag was set) in conjunction with the NEW
> operator.
> For example, iptables -A INPUT -p tcp ! --syn -m state --state NEW -j
> DROP # using the not (!) operator
Any new tcp connection attempt that does NOT have the SYN bit set -j DROP.
>
> Why is this the case? I would have imagined that the NEW operator,
> would require by default that only a syn flag be present. Unless the
> NEW operator does not check by default that no other flag is enabled
> in conjunction with the syn flag. Would this be the case?
State NEW is any packet not already known to be
ESTABLISHED,RELATED,INVALID,(UNTRACKED).
regards
Mart
* Re: Port Scanning: Is there a difference between stateful INVALID filtering and stateless TCP flag filtering?
From: Mart Frauenlob @ 2010-02-24 11:20 UTC (permalink / raw)
To: netfilter
On 24.02.2010 12:14, netfilter-owner@vger.kernel.org wrote:
> On 24.02.2010 09:18, netfilter-owner@vger.kernel.org wrote:
>> Hello everyone,
>>
>
> iptables -I INPUT -m state --state INVALID -j LOG
> iptables -I INPUT -m state --state INVALID -j DROP
just the other way round...
>
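The rules from Mart's two replies above (the `--state INVALID` LOG/DROP pair, his correction that with `-I` each rule lands at the top of the chain so the pair has to be issued the other way round, and the `-p tcp ! --syn -m state --state NEW -j DROP` rule from the original question), as an added example that is not part of the original thread: a small Python model of an INPUT chain. `--syn` is modelled as iptables documents it (SYN set, ACK/RST/FIN clear, i.e. `--tcp-flags SYN,RST,ACK,FIN SYN`). Conntrack itself is not modelled; the state carried by each packet is assumed to be whatever conntrack would have assigned, which is the point of the `! --syn` rule: NEW only means "not yet known", so a non-SYN packet can still be NEW (with the kernel default `nf_conntrack_tcp_loose=1` a mid-stream ACK is picked up that way). The `Chain`/`Packet`/`Rule` classes, the rule names and the default ACCEPT policy are this example's own.

```python
"""Toy model of the INPUT rules discussed in the thread (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_flags(spec: str) -> int:
    """Convert an iptables-style flag list ("SYN,ACK", "NONE") to a bitmask."""
    if spec.strip().upper() == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name.strip().upper()]
    return mask


def syn_match(flags: int) -> bool:
    """`--syn`: SYN set and ACK, RST, FIN clear. PSH/URG/ECE/CWR are not examined."""
    checked = TCP_FLAGS["SYN"] | TCP_FLAGS["RST"] | TCP_FLAGS["ACK"] | TCP_FLAGS["FIN"]
    return (flags & checked) == TCP_FLAGS["SYN"]


@dataclass
class Packet:
    flags: int   # TCP flags byte
    state: str   # state conntrack assigned: NEW, ESTABLISHED, RELATED or INVALID (assumed input)


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: str  # ACCEPT, DROP or LOG; LOG is non-terminating, traversal continues


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"  # chain policy of this toy model, not a recommendation

    def insert(self, rule: Rule) -> None:
        """iptables -I without a rule number: new rule goes to the top."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A: new rule goes to the bottom."""
        self.rules.append(rule)

    def traverse(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Walk the chain in order; return (final verdict, LOG rules that fired)."""
        logged: List[str] = []
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            if rule.target == "LOG":
                logged.append(rule.name)
                continue
            return rule.target, logged
        return self.policy, logged


def invalid_rule(target: str) -> Rule:
    """-m state --state INVALID -j <target>"""
    return Rule(f"INVALID->{target}", lambda p: p.state == "INVALID", target)


def not_syn_new_drop() -> Rule:
    """-p tcp ! --syn -m state --state NEW -j DROP"""
    return Rule("!--syn,NEW->DROP",
                lambda p: p.state == "NEW" and not syn_match(p.flags), "DROP")


def established_accept() -> Rule:
    """-m state --state ESTABLISHED,RELATED -j ACCEPT"""
    return Rule("ESTABLISHED,RELATED->ACCEPT",
                lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")


def build_chain(log_first: bool) -> Chain:
    """Issue the two `-I INPUT ... INVALID` commands in the given order.
    log_first=True is the order as posted (LOG inserted, then DROP inserted on
    top of it); False is the corrected order, which leaves LOG above DROP."""
    chain = Chain()
    chain.append(not_syn_new_drop())
    chain.append(established_accept())
    first, second = ("LOG", "DROP") if log_first else ("DROP", "LOG")
    chain.insert(invalid_rule(first))
    chain.insert(invalid_rule(second))
    return chain


def verdict(chain: Chain, flags_spec: str, state: str) -> Tuple[str, List[str]]:
    """Convenience wrapper: build the packet from a flag list and a state."""
    return chain.traverse(Packet(parse_flags(flags_spec), state))


if __name__ == "__main__":
    # Constructed sample packets: (flags, state conntrack is assumed to have given).
    samples = [("SYN", "NEW"), ("SYN,ACK", "NEW"), ("NONE", "NEW"),
               ("FIN,PSH,URG", "NEW"), ("ACK", "ESTABLISHED"), ("ACK", "INVALID")]
    for order, label in ((True, "as posted"), (False, "other way round")):
        chain = build_chain(log_first=order)
        print(f"--- {label}: " + " | ".join(r.name for r in chain.rules))
        for flags, state in samples:
            print(f"{flags:12} {state:12} -> {verdict(chain, flags, state)}")
```

The run shows why the ordering remark matters: with the commands issued as posted the chain reads `INVALID->DROP | INVALID->LOG | ...`, so INVALID packets are dropped and the LOG rule never fires; issued the other way round, LOG sits above DROP and every INVALID packet is logged before it is dropped. It also shows the `! --syn` rule doing work that `--state NEW` alone does not: a `SYN,ACK`, a flag-less or a `FIN,PSH,URG` packet that conntrack reports as NEW is dropped by the flag check, while a plain SYN passes it.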
* Re: Port Scanning: Is there a difference between stateful INVALID filtering and stateless TCP flag filtering?
From: ratheesh k @ 2010-02-26 6:52 UTC (permalink / raw)
To: netfilter
awesome document.
On Wed, Feb 24, 2010 at 4:50 PM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> On 24.02.2010 12:14, netfilter-owner@vger.kernel.org wrote:
>> On 24.02.2010 09:18, netfilter-owner@vger.kernel.org wrote:
>>> Hello everyone,
>>>
>
>>
>> iptables -I INPUT -m state --state INVALID -j LOG
>> iptables -I INPUT -m state --state INVALID -j DROP
> just the other way round...
>
>>
* Re: Port Scanning: Is there a difference between stateful INVALID filtering and stateless TCP flag filtering?
From: J. Bakshi @ 2010-02-25 3:32 UTC (permalink / raw)
To: netfilter
On 02/24/2010 04:42 PM, Mart Frauenlob wrote:
> iptables -I INPUT -m state --state INVALID -j LOG
> iptables -I INPUT -m state --state INVALID -j DROP
>
> then start your nmap scans... you will see what it catches....
>
> http://jengelh.medozas.de/projects/chaostables/ <- read this!
> http://xtables-addons.sf.net/ <- includes portscan detection module.
>
>
Mart, thanks a lot for the links. I was also looking for such a solution
but didn't know much about xtable and add-on.
Wish you a nice day.
--
জয়দীপ বক্সী