LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
04-27-2011, 02:04 PM   #1
vonlz
LQ Newbie
Registered: Apr 2011
Posts: 13

Detect nmap with iptables


I have a problem with iptables: when I use nmap to scan ports, the ports are shown. These are the rules on my firewall. I need help.
Quote:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1002:40080]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i lo -p icmp -m icmp --icmp-type 8 -j test
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -o eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --syn -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j DROP
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate INVALID -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 
04-27-2011, 02:26 PM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
You mean you don't want iptables to permit scans? Well, you don't sound like you really appreciate that whether it's nmap opening a port or a real client app doing it, it initially looks the same. If nmap only hits one port, you can't stop that. You need to be much cleverer; maybe have a look at psad to intelligently watch your iptables logs, or just use some basic recent module rules - http://volc-hara.blogspot.com/2008/0...an-tricks.html
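As an added example (not from this thread, and not psad's own code), here is the log-watching heuristic acid_kewpie points at: it parses iptables LOG lines and reports a source that hits many distinct ports within a short window, which is what a scan looks like even though no single packet is a "scan packet". It assumes the firewall has a LOG rule with --log-prefix "FW-DROP: " just before its final drop/reject rule; the sample lines, the addresses and the 5-port/60-second limits are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PROBE_KINDS = {frozenset({"SYN"}): "syn", frozenset(): "null",                    # nmap -sS, -sN
               frozenset({"FIN", "PSH", "URG"}): "xmas", frozenset({"FIN"}): "fin"}  # nmap -sX, -sF
# syslog stamp, host, "kernel:", optional printk "[ secs]", optional --log-prefix, then the IN=... fields
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?(.*?):? ?(IN=.*)$")

def parse(line):
    """Split one iptables LOG line into (timestamp, log prefix, key=value fields, TCP flag set)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2011 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog omits the year
    tokens = m.group(3).split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return ts, m.group(2), fields, frozenset(t for t in tokens if t in TCP_FLAGS)

def find_scanners(lines, threshold=5, window=60):
    """Return {src: (distinct ports, probe kinds)} for sources whose dropped TCP packets reach
    `threshold` distinct ports inside any `window`-second span (psad-style; limits are assumed)."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2].get("PROTO") == "TCP":
            ts, _, f, flags = parsed
            by_src[f["SRC"]].append((ts, int(f["DPT"]), PROBE_KINDS.get(flags, "other")))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t, _, _) in enumerate(evs):
            span = [e for e in evs[: i + 1] if (t - e[0]).total_seconds() <= window]
            ports = {p for _, p, _ in span}
            if len(ports) >= threshold and len(ports) > hits.get(src, (0, []))[0]:
                hits[src] = (len(ports), sorted({k for _, _, k in span}))
    return hits

# Constructed sample: one host sweeps five ports with SYN, NULL and XMAS probes; another merely hits two closed ports 25 minutes apart.
SAMPLE_LOG = """\
Apr 27 14:02:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 14:02:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 14:02:02 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 14:02:02 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Apr 27 14:02:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Apr 27 14:05:10 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31337 DF PROTO=TCP SPT=51200 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 27 14:30:44 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31402 DF PROTO=TCP SPT=51318 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
"""
```

Run `find_scanners(SAMPLE_LOG.splitlines())` to see only 203.0.113.5 reported, with five ports and the syn, null and xmas probe kinds; the second host stays under the threshold because its two probes fall outside any 60-second window.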
 
04-27-2011, 11:25 PM   #3
vonlz
LQ Newbie
Registered: Apr 2011
Posts: 13
Original Poster
Thank you again. I don't want iptables to permit nmap to scan my firewall, but I configured my firewall against nmap (TCP-SCAN, XMAS, NULL, ...) in my iptables, and when I use a client to scan with nmap -sS, the ports are shown. I don't know how to resolve it. I had read your link below and configured it, but nmap still shows my firewall's ports. I use CentOS 5.
 
04-28-2011, 01:56 AM   #4
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Again, there is nothing always defining a port scan. It doesn't use a special "nasty port scan" packet or such. There are measures you can take to minimize it, but you can't just wholesale turn it "off", as that makes no sense.
 