LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-19-2002, 04:20 PM   #1
Mux
Member
 
Registered: May 2002
Location: Bs.As., Argentina
Distribution: Slackware; Debian; Suse; RedHat
Posts: 66

Rep: Reputation: 15
Stealth iptables ruleset


I recently did the Shields up and probe ports test, and i got that my almost all my ports where closed, but none of them had stealth condition.







What should i add to my current ruleset to make it stealth?? Or is this out of reach for iptables alone?







BTW, I'm running slack 8 with a recompiled 2.4.5 kernel with iptables 1.2.4, with eth0 as the externel if (using dhcpcd ) and eth1 as the internal if with ip 192.168.0.1, and a second winblows box with static ip 192.168.0.2.





Mux

Last edited by Mux; 05-19-2002 at 04:42 PM.
 
Old 05-19-2002, 04:44 PM   #2
Mux
Member
 
Registered: May 2002
Location: Bs.As., Argentina
Distribution: Slackware; Debian; Suse; RedHat
Posts: 66

Original Poster
Rep: Reputation: 15
Talking Answering my own question..

I've already found what i was looking for, the example ruleset rc.firewal-2.4-stronger of the IP-Masquerade HOWTO, works perfectly and gives me stealth status in all ports.

Thanks
Mux
 
Old 06-26-2003, 11:11 AM   #3
blakehammon
LQ Newbie
 
Registered: Jun 2003
Posts: 7

Rep: Reputation: 0
Where did you find this. How do you make it all stealth
 
Old 06-26-2003, 10:05 PM   #4
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
btw; 'sheilds up' is rudimentary at best, and there is some controversy regarding the site author.... but anyway;
you can also go to sygate's scanner for more comprehnsive tests....

The easiest way to stealth is to drop all non-established and non-related traffick; ie
Code:
iptables -P INPUT DROP
iptables -F INPUT
iptables -N inbound
iptables -A INPUT -i eth0 -j inbound
iptables -A INPUT -i lo -j ACCEPT

iptables -A inbound -m state --state ESTABLISHED -j ACCEPT
iptables -A inbound -m state --state RELATED -j ACCEPT
This allows all desired traffick outward (provided your OUTPUT chain is set up correctly), but only packets that are part of a connection or related to one (ftp, for example) are allowed back in.

The reason I have the new chain (inbound) if for local box testing. Do the following:
Code:
iptables -R INPUT 2 -i lo -j inbound
and you can run nmap against yourself. I am not positive that this will give you the same results as using nmap from a remote box, but I hav had good consistant results with it. And to re-allow local traffick:
Code:
iptables -R INPUT 2 -i lo -j ACCEPT
hope this helps.

-t.

ps: you should see my firewall managing script now....
2909 lines.... 21 files (give or take).
 
Old 06-27-2003, 10:11 AM   #5
blakehammon
LQ Newbie
 
Registered: Jun 2003
Posts: 7

Rep: Reputation: 0
WoW! thank you for the insight

I am new to working with IP tables. Do you know of a few good references to get up to speed with Netfilter Iptables

And do you know where all of the default config files are for iptables.

I am running Red Hat 9, first time using linux as a firewall. Red H
Hat does some initiall configuration at the setup. And the file it reads in is /etc/sysconfig/iptables.

What is defined in that file, and what is actually being passed through the firewall do not line up. So I was wondering if you could point me to the rest of the iptables config.

Thanks
 
Old 06-27-2003, 03:07 PM   #6
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Ubuntu, Debian, SuSE, UnSlung, Android
Posts: 1,819

Rep: Reputation: 46
What is the controversy surrounding Steve Gibson?
 
Old 06-27-2003, 05:37 PM   #8
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
Try this post for a list of them. My favorite is the linux guruz page.

-t.
 
Old 08-10-2003, 12:49 PM   #9
burnt_toast
Member
 
Registered: Aug 2003
Distribution: RedHat (What else?)
Posts: 36

Rep: Reputation: 15
Actually, a quick and dirty way I've found is to drop all tcp syn packets. This way you're virtually undetectable to portscanners. Basically, you're dropping all TCP packets that weren't initiated by your local computer/network.

iptables -A INPUT -i eth0 -p tcp --syn -j DROP

I've noticed that this doesn't kill port 0 & 1 for some reason, so those have to be turned off as well

iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP

Hope this helps
 
Old 02-21-2007, 02:42 AM   #10
NoobieDoobieDo
Member
 
Registered: Oct 2004
Distribution: Debian 4.0
Posts: 65

Rep: Reputation: 15
Thumbs up

Quote:
Originally Posted by burnt_toast
Actually, a quick and dirty way I've found is to drop all tcp syn packets. This way you're virtually undetectable to portscanners. Basically, you're dropping all TCP packets that weren't initiated by your local computer/network.

iptables -A INPUT -i eth0 -p tcp --syn -j DROP

I've noticed that this doesn't kill port 0 & 1 for some reason, so those have to be turned off as well

iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP

Hope this helps
Excellent tip - worked like a charm !
 
Old 02-21-2007, 02:54 AM   #11
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Does it also fool port scanner software like nmap, which in normal conditions will "see" your machine's port status even if those ShieldsUp-type scanners don't? I used to believe nmap-kind software is pretty difficult to cheat on. And to have your machine "stealth" isn't really "secure", it's just 'what you can't see you can't touch' ideology. I would still consume more time on hardening the machine itself, rather than trying to hide it from candy port scanners. And usually if you just go on denying some packets and drop traffic to some ports results in you being unable to do something. If you don't really need the ports open it's a wise thing to do, and if you think you never need to accept any syn packets (for example) it's again a wise thing to do. But when you do need them, you'll have to open your setup. A completely "stealth" setup, along with a 'secure' one, is ok if you have a personal desktop machine that you never use to any communication, but in normal conditions I'd recommend not necessarily spending hours to get your machine stealth (surely there always is something that can reveal your ports' status) but spend enough time to make it difficult to breach despite of somebody seeing what ports you have closed and what not.

I also suggest you to run nmap (and possibly some other similar) scans to your machine (note: they won't work from inside your own machine well, you should run them from another machine, for example on inside your ethernet) to see what they reveal. A thing to know is that not all ISPs like people doing port scans in their networks, so that's why it'd be a good idea to run nmap scans (etc.) in a local ethernet rather than over internet from your pal's computer.
 
  


Reply

Tags
iptables, security, stealth


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPtables failing to load: unknown ruleset bureado Linux - Software 3 06-19-2008 10:32 PM
Problem with Arno's IPTables ruleset? slacquer Slackware 1 01-26-2004 09:06 AM
iptables ruleset for nameserver DaveL Linux - Newbie 4 01-07-2003 12:11 AM
Iptables ruleset Paul_assheton Linux - Networking 1 08-31-2002 07:01 AM
Iptables ruleset Kinstonian Linux - Security 1 04-04-2002 02:58 AM


All times are GMT -5. The time now is 03:01 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration