Linux - Security (LinuxQuestions.org forum)
#1 | 12-12-2006, 08:22 PM | Member | Registered: Jan 2004 | Posts: 35
IPtables help
I need to create a script that implements iptables rules for the INPUT chain for host 142.204.2.2 (the source) that prevent the following scans:
a) TCP SYN scan
b) TCP UDP scan
c) TCP FIN scan
d) TCP Xmas Tree scan
e) TCP null scan
I also need the nmap commands that perform the scans and save the results to syn.scan, udp.scan, fin.scan, xmas.scan, and null.scan respectively.
Help would be greatly appreciated.
#2 | 12-12-2006, 08:49 PM | LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with pieces of this and that, Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
Pulled this from my firewall script.
Code:
#!/bin/sh
## Variable defaults added for this excerpt (not part of the original post):
## the full script sets $IPTABLES and $LOG_LEVEL itself, and the INPUT chain
## needs a rule such as "-A INPUT -p tcp -j CHECK_FLAGS" for this chain to
## see any traffic at all.
IPTABLES=${IPTABLES:-/sbin/iptables}
LOG_LEVEL=${LOG_LEVEL:-info}
###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that these rules should never match normal traffic, they
## are designed to capture obviously messed up packets... but there's a lot of
## weird shit out there, so who knows.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
##------------------------------------------------------------------------##
## NMAP FIN/URG/PSH (Xmas scan): all three set, nothing else
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/RST set together: never valid
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/FIN set together -- Scan (probably)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Make some types of port scans annoyingly slow, also provides some
## protection against certain DoS attacks. The rule in chain KEEP_STATE
## referring to the INVALID state should catch most TCP packets with the
## RST or FIN bits set that aren't associated with an established connection.
## Still, these will limit the amount of stuff that is accepted through our
## open ports (if any). I suggest you test these for your configuration before
## you uncomment them, as they could cause problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL SYN -j ACCEPT
##------------------------------------------------------------------------##
Many of these answers can be found by searching the links here and looking at the firewall scripts: http://www.linuxguruz.com/iptables/
Other links I found from a quick search on Google; many are listed there.
http://www.linuxjournal.com/article/4876
http://www.linuxforums.org/forum/lin...iguration.html
http://www.linuxguruz.com/iptables/s...rewall_023.txt
Check out this link to build your own firewall script based on the info you provide. Not sure if the defaults have scan blocking; if not, refer to the other links here to add and fine-tune it. http://easyfwgen.morizot.net/gen/
Brian
Last edited by Brian1; 12-12-2006 at 08:51 PM.
#3 | 12-12-2006, 09:04 PM | Member (Original Poster) | Registered: Jan 2004 | Posts: 35
OK, so my rules would be:
#Prevent TCP FIN scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
#Prevent TCP SYN scan
$IPTABLES -A INPUT -p tcp --tcp-flags SYN -j DROP
#Prevent UDP scan
$IPTABLES -A INPUT -p udp -j DROP
Is that correct?
#4 | 12-13-2006, 04:09 PM | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
No, they would go something like this, IIRC:
Code:
# TCP FIN Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL FIN -j DROP
# TCP XMAS Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL FIN,URG,PSH -j DROP
# TCP NULL Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL NONE -j DROP
I'm not sure how one would filter a TCP SYN scan, and I'm not sure what you mean by a "TCP UDP" scan, so I can't help you with those...
As for performing these scans from nmap:
SYN is like " nmap -sS [...]"
FIN is like " nmap -sF [...]"
XMAS is like " nmap -sX [...]"
NULL is like " nmap -sN [...]"
Check the nmap manpage to make sure (and to learn about other scans)...
Just my ...
PS: keep in mind that you'll need to add a "-s 142.204.2.2" to the rules if you want them to apply only to packets with that source address...
Last edited by win32sux; 12-13-2006 at 06:40 PM.
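The rules from the two replies above, combined into one script as an added example (not code from either poster): each flag combination gets a rate-limited LOG rule before its DROP, every rule is restricted to the source host from the question, and the script also covers the SYN and UDP cases the thread left open. The 5/minute log limit, the `info` log level and the use of conntrack's INVALID state are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: INPUT-chain rules against the
# probes discussed above, restricted to one source host, each with a
# rate-limited LOG rule ahead of the DROP. Run as root with "--apply";
# IPTABLES=echo previews the generated commands without touching the kernel.
IPTABLES="${IPTABLES:-/sbin/iptables}"
SCANNER="${SCANNER:-142.204.2.2}"   # source address from the question
LOG_LEVEL="${LOG_LEVEL:-info}"      # assumed default

# log_and_drop MASK COMP PREFIX: packets from $SCANNER whose flags within
# MASK equal COMP are logged (at most 5/minute), then dropped.
log_and_drop() {
    mask=$1; comp=$2; prefix=$3
    $IPTABLES -A INPUT -s "$SCANNER" -p tcp --tcp-flags "$mask" "$comp" \
        -m limit --limit 5/minute -j LOG --log-level "$LOG_LEVEL" \
        --log-prefix "$prefix: "
    $IPTABLES -A INPUT -s "$SCANNER" -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

apply_scan_rules() {
    log_and_drop ALL     NONE        NULL-SCAN   # no flags set  (nmap -sN)
    log_and_drop ALL     FIN         FIN-SCAN    # only FIN set  (nmap -sF)
    log_and_drop ALL     FIN,URG,PSH XMAS-SCAN   # FIN+URG+PSH   (nmap -sX)
    log_and_drop SYN,FIN SYN,FIN     SYN-FIN     # never legitimate
    log_and_drop SYN,RST SYN,RST     SYN-RST     # never legitimate
    # A SYN scan (nmap -sS) sends the same SYN a real client sends, so it
    # cannot be singled out by flags ("ALL SYN -j DROP" would refuse every
    # new connection). The practical defence is a default-DROP INPUT policy
    # with explicit ACCEPTs for the services offered, plus dropping anything
    # the connection tracker cannot associate with a known connection.
    $IPTABLES -A INPUT -s "$SCANNER" -m conntrack --ctstate INVALID -j DROP
    # UDP scan (nmap -sU): drop UDP from the host so closed ports produce no
    # ICMP port-unreachable. Put ACCEPTs for UDP services you still want to
    # offer this host before this rule.
    $IPTABLES -A INPUT -s "$SCANNER" -p udp -j DROP
}

if [ "${1:-}" = "--apply" ]; then
    apply_scan_rules
fi
```

Run `IPTABLES=echo sh scanrules.sh --apply` first to review the exact rules before applying them as root.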