LinuxQuestions.org

Linux - Networking > Ping and UDP stealth (https://www.linuxquestions.org/questions/linux-networking-3/ping-and-udp-stealth-61003/)

Seal-X 05-21-2003 11:34 AM

Ping and UDP stealth
 
Hi everyone at LinuxQuestions.org,

I was wondering how simple it could be to have all the ports that I don't use, let's say everything but 22, 25, 1741 and 5900, be stealth instead of closed.

I am using iptables on a Red Hat 8.0 system.

What would be better? Being stealth, or just closed?

Just closed could eventually lead to a security breach if I am not mistaken.



But one thing for sure: I cannot stealth everything, because I have remote clients connecting to services such as VPN, so I need random ports too.


Have a good day everybody.



tarballedtux 05-21-2003 02:35 PM

It is better to be stealth, so your computer won't reply to a port being closed, and scanners might not see your computer online if they don't scan for the ports you have open.

I can't be 100% certain, but you shouldn't need random inbound ports, just random outbound ports. You should just be worried about what inbound ports you need open, and add them to an appropriate iptables script. Then have this line after everything:

iptables -A INPUT -p udp -j DROP

Or just set up all the ports that you want through and make the OUTPUT chain default DROP:

iptables -P OUTPUT -j DROP

Robert0380 05-22-2003 01:08 AM

iptables -P OUTPUT DROP (no -j on the policy settings). Also, tarball, could you explain why you would drop OUTPUT rather than accept all OUTPUT but DROP all INPUT?

i.e.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

If you drop all OUTPUT, you could potentially block yourself from the internet.

tarballedtux 05-22-2003 02:18 PM

I wasn't intending for that to be the whole iptables script. You're right, you should have the appropriate rules in your script to allow you to use the internet. So a more appropriate script might be:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -p <tcp|udp> -s <known source IPs> --dport <22|25|1741|5900> -j ACCEPT   # template: one rule per protocol and port

Obviously you would expand the list into multiple rules, as you would want to filter based on protocol and on whether you know what the source IPs will always be. So what you should do is make several rules along these lines:

iptables -A INPUT -p tcp -s <source IP> --dport 22 -j ACCEPT   # use -s if it's always the same source
iptables -A INPUT -p udp --dport 5900 -j ACCEPT                # I'm assuming that's the port for CS

Try to make the rules as restrictive as possible but still functional.

Seal-X 05-23-2003 02:01 AM

Re:Stealthing
 
Thanks for answering back guys.
OK, if I forget about the whole thing for an instant; let's say that my iptables is not set up for masquerading the LAN, and pretend I have no rules set for forwarding ports to local services running on a different server than the firewall box, OK?

If I had just freshly installed iptables, for example; I would start by blocking what? Everything from coming in, right? Like you are mentioning, DROPing everything from the Internet "first", for UDP and TCP as well.
And after that simply copy back the rulesets that are already running on my iptables right now.

The rules that I have right now are the following:
*The real /etc/sysconfig/iptables is listed at the END of this post.

- One rule to masquerade the Internet to the whole Lan.

- I have a VPN server that connects to port 1723 and is forwarded
to 192.168.1.1:1723

- I have also forwarded protocol 47 to the above, otherwise it won't connect.

- I have a VNC running at 192.168.1.1 which also needed forwarding, using port 5900. (Nope, wasn't CS, not yet.)

- And I have SSH running on the Firewall. I did not need any rules for this one since I think I'm not really blocking anything from the Internet.

I just want the firewall as stealth as possible. This firewall is a "premiere", so I have to learn.

After blocking everything and re-entering my rules, iptables will always be listening (OPEN) on ports 22, 1743 and 5900, am I wrong? So if I port scan it I will see the ports as OPEN. That doesn't bother me for now, even if there is a way to stealth it too.



So how should I proceed?
(I am as excited as a kid lost in an amusement park now.)
Here's what I see if I type these commands:


[root@Lan root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:printer
DROP       tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:ms-sql-s

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


[root@Lan root]# cat /etc/sysconfig/iptables.now
# Generated by iptables-save v1.2.6a on Mon May 12 12:11:43 2003
#NAT set
*nat
:PREROUTING ACCEPT [7717:584576]
:POSTROUTING ACCEPT [77:5614]
:OUTPUT ACCEPT [119:8446]
# Rule for Port Fowarding VPN Clients on 1723 to Local VPN server. (Protocol 47)
[13:624] -A PREROUTING -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.1
[0:0] -A PREROUTING -p udp -m udp --dport 1723 -j DNAT --to-destination 192.168.1.1
[1:50] -A PREROUTING -p 47 -j DNAT --to-destination 192.168.1.1
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 1723 -j DNAT --to-destination 192.168.1.1:1723
# Rule for VNC to Server at 192.168.1.1
[1:48] -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 5900 -j DNAT --to-destination 192.168.1.1:5900
# Rule for LAN to gain access to the Internet
[4619:228702] -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
COMMIT
#
#
#

This is my config. It probably looks really ugly, but listen, it's my first attempt.

tarballedtux 05-23-2003 01:51 PM

Double post with spelling errors.

tarballedtux 05-23-2003 01:52 PM

OK, from the rules you have, you seem to be well versed in iptables. If not, read this small HOWTO: http://www.linuxguruz.com/iptables/h...s-HOWTO-1.html
What you should first do is write down in plain English what you want your rules to do, i.e.:

VPN incoming to port 1723 forwarded to 192.168.1.1:1723 - protocol TCP
SSH incoming port 22 - protocol TCP
SMTP incoming port 25 - protocol TCP


Then translate that into iptables syntax and make a bash script. Include this at the beginning to erase all previous rules and zero the counters, so you don't end up adding to the chains instead of replacing them.


# Flush Rules, get rid of any user-defined chains, zero counters:
iptables -F
iptables -F -t nat
iptables -X
iptables -Z


Since you don't want any outbound filtering, you just have to set up the policies like so:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


Also, it looks like you're not writing your iptables rules in any sort of plaintext editor. I rather like to make all my rules in a bash script and then run it from /root, e.g. /root/iptables.

There really isn't any way to make open ports stealth unless you limit where the connections can come from. But that all depends on the type of setup you require. Here is an excerpt from my script, with comments on why it's there or otherwise.
eth1 = internet interface

# Kernel Flags
echo 61 > /proc/sys/net/ipv4/ip_default_ttl # if the TTL needs to be higher - get a new ISP
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward

for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > ${interface}
done


# Drop "unclean" packets, accept packets on the loopback interface - not sure what it does but sounds good
iptables -A INPUT -m unclean -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-flooding protection
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure new tcp connections are SYN packets
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP

#Drop non-first fragments (after logging)
iptables -A INPUT -i eth1 -f -j LOG --log-prefix "IPTABLES fragments: "
iptables -A INPUT -i eth1 -f -j DROP

## Drop IP spoofing candidates
# from myself
iptables -A INPUT -i eth1 -s <yourself> -j DROP
# to loopback interface
iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j DROP
# refuse broadcast address packets
iptables -A INPUT -i eth1 -d $broadcast -j DROP

# Stop impossible networks - ones that shouldn't be on your intranet interface or on the internet interface!
iptables -A INPUT -d 172.16.0.0/12 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s 10.0.0.0/8 -j DROP



Basically, test and see; not all rules are intended for everyone.

--tarballedtux
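The pieces discussed in this thread (flush first, INPUT/FORWARD DROP with OUTPUT ACCEPT, explicit accepts for 22/25 on the firewall, DNAT of 1723/GRE/5900 to 192.168.1.1, MASQUERADE for the LAN) put together into one complete stateful script. This is an added example, not code from either poster; it assumes eth0 is the LAN side and eth1 the Internet side (as in the excerpt above), a 192.168.1.0/24 LAN and the VPN/VNC host at 192.168.1.1. The 1741 from the first post is left out because the thread never says which service it is; a line like the SSH one covers it. One point worth seeing in code: the posted config gets away with nat rules alone only because its FORWARD policy is still ACCEPT. Once FORWARD is DROP, as suggested, every DNAT target also needs a matching FORWARD accept or the VPN and VNC clients stop connecting.

```shell
#!/bin/sh
# Added example (not from the thread): a complete stateful ruleset for the setup
# Seal-X describes, written the way tarballedtux suggests (flush, default
# policies, explicit accepts). Assumed, not stated on the page: eth0 = LAN,
# eth1 = Internet, LAN 192.168.1.0/24, PPTP/VNC host 192.168.1.1.
#
# Without APPLY=1 the script only prints the iptables commands it would run,
# so the ruleset can be reviewed first; run as root with APPLY=1 to load it.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
VPN_HOST=192.168.1.1

# Run iptables, or print the command line in review mode.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # Start clean: flush filter and nat, delete user-defined chains, zero counters.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -Z

    # Default policies: silently DROP unsolicited inbound and transit traffic,
    # allow everything outbound. DROP (not REJECT) is what makes unused ports
    # "stealth": no RST or ICMP unreachable goes back to the scanner. It also
    # means the box stops answering ping unless an ICMP rule is added.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic is always accepted.
    ipt -A INPUT -i lo -j ACCEPT

    # Return traffic for connections the firewall or a LAN host started.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may talk to the firewall and out to the Internet.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Services on the firewall itself reachable from the Internet: SSH and SMTP.
    # To narrow these to known client addresses, add -s <address> to the rule.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # PPTP (TCP 1723) and VNC (TCP 5900) forwarded to the internal host. DNAT
    # only rewrites the destination; with FORWARD policy DROP the rewritten
    # packets are still blocked until a matching FORWARD rule lets them through.
    for port in 1723 5900; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$VPN_HOST:$port"
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$VPN_HOST" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done

    # PPTP also needs GRE (IP protocol 47) forwarded to the same host.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p 47 -j DNAT --to-destination "$VPN_HOST"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p 47 -d "$VPN_HOST" -j ACCEPT

    # LAN hosts go out through the firewall's Internet address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_rules
```

To check the result from the outside, scan the firewall's public address with nmap: ports the INPUT DROP policy swallows are reported as "filtered" (the "stealth" the thread is after), ports the kernel answers with a RST are reported as "closed", and 22 and 25 show "open" no matter what, since a listening service has to answer. The `-m state` syntax is used here because that is what the thread uses; current iptables accepts it as an alias for `-m conntrack --ctstate`.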

Seal-X 05-23-2003 03:14 PM

Thanks a lot for your time and your patience.
I'll go and read about what you said.
But before that I'll go get drunk, and I'll figure this out on the weekend.

