LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-24-2004, 10:30 PM   #1
ppuru
IPTables to block IP protocol


Hi

I tried the following ...

--- on one host, say 192.168.168.192 ---
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

from another host

#nmap -sO -P0 192.168.168.192

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-25 08:34 IST
Interesting protocols on 192.168.168.192:
PROTOCOL STATE SERVICE
0 open hopopt
1 open icmp
2 open igmp
3 open ggp
4 open ip
5 open st
6 open tcp
7 open cbt
8 open egp
9 open igp
10 open bbn-rcc-mon
11 open nvp-ii
12 open pup
13 open argus
14 open emcon
15 open xnet
16 open chaos
17 open udp
18 open mux
19 open dcn-meas
20 open hmp
21 open prm
22 open xns-idp
23 open trunk-1
24 open trunk-2
25 open leaf-1
26 open leaf-2
27 open rdp
28 open irtp
29 open iso-tp4
30 open netblt
31 open mfe-nsp
32 open merit-inp
33 open sep
34 open 3pc
35 open idpr
36 open xtp
37 open ddp
38 open idpr-cmtp
39 open tp++
40 open il
41 open ipv6
42 open sdrp
<rest snipped>

Is there even a remote chance that these could get exploited? If they can, how can it be thwarted?

If an attack (if possible) is directed towards the upper layers (of the OSI stack), would/wouldn't the iptables rules block them?

Am I being too paranoid? ... Perhaps ...
 
Old 06-25-2004, 12:21 AM   #2
Capt_Caveman
I believe the -sO scan (IP protocol scan) is one of those "no reply from host == open" type of scans. The theory being that if you send a packet to a host with a protocol type that is un-supported, it will send back an error message. If the protocol is supported, then the remote host doesn't send back anything. So I guess it's almost like a "reverse"-type of scan. Fire up tcpdump when you do a -sO scan and you'll see that the remote host isn't sending any packets back at all. The problem with this scan (as you observed) is that if the host isn't replying then the scan thinks all the protocol types are supported.

So the scan packets are still getting dropped early on by iptables and aren't even touching those OSI layers yet.

 
Old 06-25-2004, 03:55 PM   #3
benjithegreat98
from the nmap man page
Quote:
-sO IP protocol scans: This method is used to determine which IP
protocols are supported on a host. The technique is to send raw
IP packets without any further protocol header to each specified
protocol on the target machine. If we receive an ICMP protocol
unreachable message, then the protocol is not in use. Otherwise
we assume it is open. Note that some hosts (AIX, HP-UX, Digital
UNIX) and firewalls may not send protocol unreachable messages.
This causes all of the protocols to appear "open".

Because the implemented technique is very similar to UDP port
scanning, ICMP rate limit might apply too. But the IP protocol
field has only 8 bits, so at most 256 protocols can be probed
which should be possible in reasonable time anyway.
as root, try
nmap -v -P0 192.168.168.192
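The explanation in post #2 and the man page excerpt in post #3 describe the same inference rule: an ICMP protocol-unreachable reply means "closed", silence means "open". The script below is an added example, not code from this thread or from nmap. It models a target host and applies the scanner's rule, so that the three situations the thread touches can be compared: the DROP-everything host from the original post (all 256 protocols reported open, and zero replies on the wire, which is what tcpdump on the target would show), the same host without a firewall, and an unfiltered host whose ICMP error rate limit silences errors part-way through the scan. The supported protocol set, the `icmp_error_budget` and the `Target` class itself are constructed assumptions; newer nmap versions label silence `open|filtered`, which the `legacy` flag switches between.

```python
# Added example (not from the thread): a small model of how an IP protocol
# scan (nmap -sO) infers state from the target's replies, and why a host with
# "iptables -P INPUT DROP" shows every protocol as open.  The Target model,
# its protocol set and the ICMP error budget are constructed assumptions.
from dataclasses import dataclass, field

# Protocol numbers a typical Linux host has a handler for (assumed set):
# icmp, igmp, tcp, udp
LINUX_DEFAULT_PROTOS = {1, 2, 6, 17}


@dataclass
class Target:
    supported: set = field(default_factory=lambda: set(LINUX_DEFAULT_PROTOS))
    input_policy: str = "ACCEPT"     # iptables INPUT chain policy: ACCEPT or DROP
    icmp_error_budget: int = 256     # models icmp_ratelimit-style throttling (assumed)
    replies_sent: int = 0            # what tcpdump on the target would see leaving

    def respond(self, proto: int):
        """Reply to a header-less IP probe of protocol `proto`.
        Returns 'proto-unreach' (ICMP type 3, code 2) or None for silence."""
        if self.input_policy == "DROP":
            return None              # dropped by netfilter before the protocol demux
        if proto in self.supported:
            return None              # the handler consumes it; no error is generated
        if self.icmp_error_budget <= 0:
            return None              # rate limit reached: the error is suppressed
        self.icmp_error_budget -= 1
        self.replies_sent += 1
        return "proto-unreach"


def classify(reply, legacy=False):
    """Scanner-side inference.  nmap 3.50 (the version in the thread) labels
    silence 'open'; later versions label it 'open|filtered'."""
    if reply == "proto-unreach":
        return "closed"
    return "open" if legacy else "open|filtered"


def scan(target, legacy=False, protos=range(256)):
    """Probe every protocol number once and classify the reply."""
    return {p: classify(target.respond(p), legacy) for p in protos}


def tally(results):
    """Count how many protocols ended up in each state."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    # 1. Host as in the original post: INPUT policy DROP, nmap 3.50 labels.
    fw = Target(input_policy="DROP")
    print("DROP policy, nmap 3.50 labels:", tally(scan(fw, legacy=True)))
    print("replies the target sent (tcpdump view):", fw.replies_sent)

    # 2. Same host with no firewall: only the real handlers stay ambiguous.
    print("no firewall:", tally(scan(Target())))

    # 3. Unfiltered host whose ICMP error rate limit kicks in after 50 errors.
    print("ICMP rate-limited:", tally(scan(Target(icmp_error_budget=50))))
```

The first run reproduces the thread: the scanner sees no reply at all and, under the nmap 3.50 rule, prints every protocol as open while the target never emits a packet. The third run shows the caveat from the man page in numbers: once the error budget is spent, protocols the host does not support become indistinguishable from ones it does.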
 
Old 06-26-2004, 02:20 AM   #4
ppuru
Of course, with iptables set to DROP everything,

#nmap -v -P0 <IP addr>

would come up with nothing.

I had read the nmap man page before using the -sO option. Just wanted to confirm that this "route" could not be exploited.
 
All times are GMT -5.