stealthing port 113
Hello,
Just wondering if port 113 can be successfully 'stealthed' or hidden so that it does not appear as 'closed' when port scanned. Currently I have these firewall rules, which allow access to port 113 freely. iptables --new-chain block iptables --append block --match state --state ESTABLISHED,RELATED --jump ACCEPT iptables --append block --match state --state NEW --in-interface ! ppp0 --jump ACCEPT iptables --append block --match state --state NEW --protocol tcp --destination-port 113 --in-interface ppp0 --jump ACCEPT iptables --append block --jump DROP iptables --append INPUT --jump block iptables --append FORWARD --jump block Now if I get rid of the rule pertaining to port 113, things like IRC and mail and other stuff don't work correctly. So how do I make it so only legit traffic can pass through port 113 whilst blocking everything else? Any practical examples? Also, can someone tell me a safe if this NAT / MASQ rule is safe? iptables --table nat --append POSTROUTING --source 192.168.0.0/24 \ --destination ! 192.168.0.0/24 --out-interface ppp0 --jump MASQUERADE I heard somewhere that anyone could spoof their ip address and be forwarded successfully, has anyone got any practical examples of how I can secure this? thankyou for your time. |
Greetings!
Personally I find it strange that blocking packets to port 113 would deny access to "irc, mail and other stuff". Maybe you could try allowing outbound connections to this port but deny incoming connections with state NEW to this port. That way you could theoretically allow necessary connections on this port (outbound and related/established inbound). About your NAT rule... I personally consider it quite safe. But if you are worried about spoofed IPs (and I do get some of them) you could add anti-spoof rules. Those would look like kind of like this: Code:
iptables -I INPUT 1 -i ppp0 -s 192.168.0.0/24 -j SPOOF_RULE An example is this: I get incoming connections like this: Quote:
Pls bear in mind that this is all theoretical. I have rules quite like this but did not confirm the ones I posted as I altered them a bit. There certainly are ppl that have more experience with this than me so feel free to accept other advice. And to all the others: Pls feel free to correct me if I'm wrong. I'm also learning all the time. ;) |
IRC and several other services do an IDENT query to each IP that connects to their network, in a weak attempt to identify users logging on (I think this is historical and no longer needed for any good reason). In any case, if the lookup times-out it will have a serious impact on the usability of such services. If the IDENT time-out is longer than the IRC time-out, then you'll get dropped before the IDENT finally quits trying.
The simple way to get around this is to REJECT rather than DROP 113/tcp. Nearly all good firewall scripts have 113/tcp set to reject. What this does is--instead of dropping packets silently--to immediately send an RST packet back to the server that queried you. This tells the remote server that you're not going to respond to IDENT queries, so the remote server knows that you're not going to give it info and it just lets you log on any way (thus the reason why having the IDENT check is stupid, since it's ignored if it gets refused). |
Hello once again,
Thankyou for your time gundelgauk and chort, it's been very informative :) Only one minor question to ask, setting port 113 to reject still upsets alot of lame IRC servers. Good thing freenode is never that bad. I tried this rule at first... Quote:
Quote:
If you see any problems with my logic, don't be afraid to criticise. |
Man, that is really picky if an IRC daemon will only give you a pass if you return a certain ICMP type and code... Like I said, I have no idea why that legacy IDENT check is still performed: It's worthless.
Yell at the IRCOPs to remove to turn off that option. |
All times are GMT -5. The time now is 06:01 PM. |