checking iptables with nmap
hi everyone
I've been reading the iptables HOWTO. My first question: is there a clearer HOWTO that explains everything? And my second question: can I use nmap to check my firewall rules? |
My favourite tutorial is at http://www.netfilter.org/documentati...-tutorial.html
and look carefully at the use of -j LOG rules. If you use nmap, you will need to see what is dropped, where it is dropped and the best place for rules. Also look at nessus. Be aware that any open servers need their own software configured safely. See http://www.linuxquestions.org/questi...threadid=35047 |
Thx for the quick reply
I have another question: when I set up rules so that nobody can access ssh (as a test), I can still see that the port is open in nmap. Is this quite normal? |
Depends on what your rules are sending back out...
If you REJECT, the port must be open. nmap is very good at diagnosing the return packets and comparing replies from different ports. |
I use
iptables -A INPUT -p tcp -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 |
Ok,
so nmap would get suspicious about the lack of ICMP response that a non-existent port would generate. If there is no server running on a port and there isn't a rule to drop the packet before it hits localhost, an ICMP "port_unreachable" is generated. |
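The exchange above treats nmap's verdict on a port as evidence of what the firewall did to the probe. The script below is an added example (not from this thread) that reads a saved nmap grepable-format scan, maps each verdict to the kind of reply that produced it, and turns a list of expected states into a pass/fail check, which is how a port scanner becomes a firewall test rather than just a listing. The scan text, the host name and the addresses (documentation ranges) are constructed for the example; producing the real input is `nmap -sS -p 22,25,80 -oG - <host>`.

```shell
#!/bin/sh
# Added example, not the thread's own code. Reads nmap -oG output for one host.
# SCAN is CONSTRUCTED; 192.0.2.10 / fw.example are placeholders.
SCAN=$(printf 'Host: 192.0.2.10 (fw.example)\tPorts: 22/filtered/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (0)\n')

# port_state SCAN PORT: print nmap's state for PORT (open/closed/filtered); nothing if absent.
port_state() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /Ports: / {
      s = $0
      sub(/.*Ports: /, "", s)      # keep only the "Ports:" section
      sub(/\t.*/, "", s)           # drop everything after the next tab
      n = split(s, ports, ", ")
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")    # fields: port/state/proto/owner/service/...
        if (f[1] == want) print f[2]
      }
    }'
}

# explain_state STATE: what each verdict says about the reply to a TCP SYN probe.
explain_state() {
  case "$1" in
    open)     echo "SYN/ACK came back: a listener answered, so no rule stopped the probe" ;;
    closed)   echo "TCP RST came back: the probe reached the stack (not DROPped); no listener, or REJECT --reject-with tcp-reset" ;;
    filtered) echo "no usable reply: either silently dropped (DROP) or an ICMP unreachable error (REJECT's default icmp-port-unreachable)" ;;
    *)        echo "unknown state: $1" ;;
  esac
}

# audit_ports SCAN PORT:STATE ...: compare expected states with the scan; returns 1 on any mismatch.
audit_ports() {
  scan=$1; shift
  rc=0
  for spec in "$@"; do
    port=${spec%%:*}
    want=${spec#*:}
    got=$(port_state "$scan" "$port")
    if [ "$got" = "$want" ]; then
      echo "PASS port $port is $want"
    else
      echo "FAIL port $port expected $want, got ${got:-absent}"
      rc=1
    fi
  done
  return $rc
}

# Demo: the policy discussed in the thread (22 dropped, 80 served, 25 without a listener).
audit_ports "$SCAN" 22:filtered 80:open 25:closed
echo "port 22: $(explain_state "$(port_state "$SCAN" 22)")"
```

Note that a DROP rule and REJECT's default ICMP port-unreachable both show up as "filtered" in a SYN scan; only a REJECT that sends a TCP reset makes the port look "closed", so the audit spec should state which of the two you intended.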
thank you very much for your response
Well, as you guessed, I am new to networking and packet behaviour; I am reading the RFCs of the most common protocols. Can a portscanner be used as a tester for my firewall, or does the portscanner always know which ports are open? And is a portscanner a tool which can help me with my journey through the network principles? If so, could you give me some examples? Thanks again for your help. |
Sure, very useful..
An example would be to open a DNS server and use the port scanner to see what it responds to, sending it different packets to port 53, UDP & TCP. Then with iptables logging, watch the incoming packets, see which ones you DON'T want to see there, and make rules to suit... Then start to close off who can use it and test the address restrictions by spoofing the packets from the scanner.... Needs a combination of -j LOG entries, "tail -f /var/log/~" to watch the logs in real time and some scanner sense to create the packets... |
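The workflow just described (log what arrives, decide which of it you do not want, write rules to suit) is easier to do from a summary than from raw `tail -f` output. The script below is an added example, not code from this thread: it prints a LOG rule with a fixed prefix, summarises kernel LOG lines by source, protocol and destination port, and prints the DROP rule for one unwanted source. The log lines are constructed in the format the netfilter LOG target writes to /var/log/messages; the prefix "IPT-IN:", the host name "fw" and the addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own code. All log lines below are CONSTRUCTED.

# log_rule IFACE: a LOG rule for new connections arriving on IFACE. --log-level 6 is "info",
# which is the level the syslog selectors later in the thread key on.
log_rule() {
  echo "iptables -A INPUT -i $1 -m state --state NEW -j LOG --log-prefix \"IPT-IN: \" --log-level 6"
}

LOGS=$(cat <<'EOF'
Mar  3 00:12:01 fw kernel: IPT-IN: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40321 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 00:12:02 fw kernel: IPT-IN: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40322 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 00:12:03 fw kernel: IPT-IN: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=61 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=UDP SPT=40323 DPT=53 LEN=41
Mar  3 00:12:09 fw kernel: IPT-IN: IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 00:12:10 fw sshd[412]: Accepted publickey for alice from 203.0.113.44 port 50000 ssh2
EOF
)

# log_summary LOGS PREFIX: one line per (source, protocol, destination port) with a hit count,
# taken only from kernel lines carrying PREFIX; other syslog lines are ignored.
log_summary() {
  printf '%s\n' "$1" | awk -v prefix="$2" '
    index($0, "kernel: " prefix) {
      src = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# drop_rule_for SRC PROTO DPORT: the rule to insert ahead of the LOG rule for a source you
# decided you do not want to see; the protocol is lower-cased because iptables expects tcp/udp.
drop_rule_for() {
  proto=$(echo "$2" | tr 'A-Z' 'a-z')
  echo "iptables -I INPUT -s $1 -p $proto --dport $3 -j DROP"
}

# Demo: the logging rule, then what the constructed log says, then one resulting rule.
log_rule ppp0
log_summary "$LOGS" "IPT-IN:"
drop_rule_for 198.51.100.7 TCP 53
```

Running `log_summary` against `tail -n 200 /var/log/messages` instead of the constructed text gives the same table for a live box; the sshd line in the sample is there to show that non-kernel entries sharing the file do not pollute the count.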
thx again
I tried it and it worked. I found the messages with grep in /var/log/messages, but is there a way to redirect the entries of iptables to, for example, /var/log/iptables?? Thanks again for your wisdom. |
Yup......(standard answer #1)
/etc/syslog.conf controls what info goes where... There should be a line as follows:
*.info;mail.none,authpriv.none;cron.none /var/log/messages
change that to
*.info;kern.none;mail.none;authpriv.none;cron.none /var/log/messages
and add a line as follows...
kern.=info /var/log/iptables
then restart syslogd...
service syslog restart
In your iptables rules, make sure the -j LOG entries have --log-level 6 on the end. This will make them end up in /var/log/iptables. |
Thanks again for helping me again,
but I had to do this:
*.info;kern.none;mail.none;authpriv.none;cron.none /var/log/messages
and
kern.* /var/log/iptables
and this worked, because all the other entries looked like that. But again my thanks is GREAT |
The *.info means all messages of priority info or higher (more important)
kern.=info means kernel messages of level info only. And saying that, I can see a mistake in my last reply... (oops) There are 3 lines needed:
kern.!=info /var/log/messages
*.info;kern.none;mail.none;authpriv.none;cron.none /var/log/messages
kern.=info /var/log/iptables
otherwise the more important kernel messages will be in your /var/log/iptables file... |
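The selector rules explained above (a bare priority means "that level and up", `=` means exactly that level, `!=` means everything but that level, `none` removes a facility, and later selectors on a line override earlier ones) can be checked by feeding a facility and priority through a small evaluator. The script below is an added example, not code from this thread: it models that selection for the two-line config that was reported to work and for the three-line config, so you can see where a kernel "info" LOG line and a kernel "err" message end up under each. Both config fragments are constructed copies of the lines quoted in the thread; the model is deliberately simplified (a real syslogd applies `!` selectors as bit-mask operations, which can differ in corner cases), so use it as a reasoning aid rather than a conformance test.

```shell
#!/bin/sh
# Added example, not the thread's own code. Config fragments are CONSTRUCTED copies of the
# thread's lines; the evaluator is a simplified model of sysklogd selector handling.

TWO_LINES='*.info;kern.none;mail.none;authpriv.none;cron.none  /var/log/messages
kern.*  /var/log/iptables'

THREE_LINES='kern.!=info  /var/log/messages
*.info;kern.none;mail.none;authpriv.none;cron.none  /var/log/messages
kern.=info  /var/log/iptables'

# syslog_route CONF FACILITY PRIORITY: print every file CONF would send such a message to.
syslog_route() {
  printf '%s\n' "$1" | awk -v fac="$2" -v pri="$3" '
    BEGIN {
      split("debug info notice warning err crit alert emerg", names, " ")
      for (i = 1; i <= 8; i++) lvl[names[i]] = i
      lvl["warn"] = lvl["warning"]; lvl["error"] = lvl["err"]; lvl["panic"] = lvl["emerg"]
      lp = lvl[pri]
    }
    /^#/ || NF < 2 { next }                      # skip comments and blank lines
    {
      sel = $1; file = $2; sub(/^-/, "", file)   # a leading "-" only means "do not fsync"
      hit = 0
      n = split(sel, parts, ";")
      for (i = 1; i <= n; i++) {                 # later selectors override earlier ones
        dot = index(parts[i], ".")
        f = substr(parts[i], 1, dot - 1); p = substr(parts[i], dot + 1)
        m = split(f, facs, ","); ok = 0         # facility list such as mail,news
        for (j = 1; j <= m; j++) if (facs[j] == "*" || facs[j] == fac) ok = 1
        if (!ok) continue
        if (p == "none")                  hit = 0                            # drop this facility
        else if (p == "*")                hit = 1                            # every level
        else if (substr(p, 1, 2) == "!=") hit = (lp != lvl[substr(p, 3)])   # all but this level
        else if (substr(p, 1, 1) == "=")  hit = (lp == lvl[substr(p, 2)])   # exactly this level
        else if (substr(p, 1, 1) == "!")  hit = (lp <  lvl[substr(p, 2)])   # below this level
        else                              hit = (lp >= lvl[p])              # this level and up
      }
      if (hit) print file
    }'
}

# Demo: where a kernel LOG line (info) and a more important kernel message (err) land.
echo "two lines:   kern.info -> $(syslog_route "$TWO_LINES" kern info), kern.err -> $(syslog_route "$TWO_LINES" kern err)"
echo "three lines: kern.info -> $(syslog_route "$THREE_LINES" kern info), kern.err -> $(syslog_route "$THREE_LINES" kern err)"
```

The demo shows the point made in the thread: with `kern.*` every kernel message, including errors, goes to /var/log/iptables, whereas the three-line version keeps only the level-6 LOG lines there and sends the rest back to /var/log/messages.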
thx again for your reply
I will try it (you're only human). I have another set of questions: 1) I moderated the firewall.txt for my needs, but when I put this in:
$IPTABLES -t mangle -A PREROUTING -i ppp0 -j TTL --ttl-set 64
I got this response:
iptables: No chain/target/match by that name
Is there something I haven't been loading? 2) Are there any tutorials about syslog? I looked around but couldn't find anything major. Thanks for sharing your wisdom |
Read the instructions on recompiling a kernel from the HOWTO... I am surprised you want to alter the incoming TTL value, especially to 64 rather than just 3 or 4... It's more useful to alter the outgoing TTL to mask the PCs behind the firewall... & a syslog tutorial... |
Thanks again,
I will give it a try; I had some bad experience with kernel compiling. And you're right, I have to use POSTROUTING. And thanks for the tutorial |