I'm trying to block remote OS fingerprinting scans using iptables.
What I'm using at the moment is (assuming that eth0 is my internet connection):
Code:
#block ICMP types that are only useful for fingerprinting (address-mask probes)
iptables -N ICMP_BLOCK
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-request -j ICMP_BLOCK
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ICMP_BLOCK
#rate-limited log, then drop (-i is redundant inside the chain: only INPUT rules on eth0 jump here)
iptables -A ICMP_BLOCK -m limit --limit 5/m --limit-burst 40 -j LOG --log-prefix "ICMP -- Reject "
iptables -A ICMP_BLOCK -j DROP
#block packets with bad flags (used by nmap's FIN, NULL, XMAS scans)
#--tcp-flags <mask> <set>: of the flags in <mask>, exactly the flags in <set> must be set
iptables -N BADFLAG
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN -j BADFLAG                 #FIN scan (-sF); added: a bare FIN was not matched by the rules below
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j BADFLAG         #XMAS scan (-sX)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j BADFLAG                #NULL scan (-sN)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAG #impossible combination
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j BADFLAG                 #every flag set
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j BADFLAG         #SYN+RST together
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAG         #SYN+FIN together
iptables -A BADFLAG -m limit --limit 5/m --limit-burst 40 -j LOG --log-prefix "FLAG -- Reject "
iptables -A BADFLAG -j DROP
It seems to work, but I was wondering if anybody knows any better way to achieve this.
Thanks
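A tighter version of the same idea, added here as an example rather than code from the original post: instead of enumerating every bad flag combination, it drops everything conntrack classifies as INVALID (which covers the NULL/FIN/XMAS/Maimon probes and stray out-of-state segments), keeps the explicit flag rules as a fallback, requires new connections to start with a bare SYN, and blocks the ICMP timestamp and address-mask types while leaving echo-request alone. It assumes the internet-facing interface is eth0, that iptables has the conntrack and limit matches, and that it is run as root. By default IPT is set to echo so the script only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: external interface
# eth0, iptables with conntrack/limit matches, run as root to apply.
# IPT defaults to "echo" so a first run only previews the commands.
set -eu

IFACE="${IFACE:-eth0}"
IPT="${IPT:-echo}"

# Create a chain that logs at a limited rate and then drops.
make_drop_chain() {
    chain="$1"; prefix="$2"
    $IPT -N "$chain"
    $IPT -A "$chain" -m limit --limit 5/minute --limit-burst 40 \
        -j LOG --log-prefix "$prefix"
    $IPT -A "$chain" -j DROP
}

apply_rules() {
    make_drop_chain BADFLAG "FLAG -- Drop "
    make_drop_chain ICMP_BLOCK "ICMP -- Drop "

    # Segments that fit no tracked connection (bogus flag combinations,
    # out-of-window data, FIN/ACK or RST probes to closed ports) are
    # INVALID to conntrack; dropping them first handles most scan probes.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID -j BADFLAG

    # Explicit flag rules kept as a fallback for when conntrack is absent.
    # "<mask> <set>": of the flags in <mask>, exactly <set> must be set.
    for flags in "ALL NONE" "ALL FIN" "ALL FIN,URG,PSH" "ALL ALL" \
                 "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        # $flags is intentionally unquoted: it expands to two arguments.
        $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags $flags -j BADFLAG
    done

    # A NEW connection that does not start with a bare SYN is a probe.
    $IPT -A INPUT -i "$IFACE" -p tcp ! --syn -m conntrack --ctstate NEW -j BADFLAG

    # ICMP types used for fingerprinting only; echo-request stays allowed.
    for t in timestamp-request timestamp-reply \
             address-mask-request address-mask-reply; do
        $IPT -A INPUT -i "$IFACE" -p icmp --icmp-type "$t" -j ICMP_BLOCK
    done
}

apply_rules
```

After applying, run nmap -sN, -sF and -sX against the host from another machine and check that the packet counters in iptables -L BADFLAG -v climb while a normal SYN scan (-sS) still reaches open ports; if the INVALID rule is doing its job, the counters on the explicit flag rules stay at zero.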