Hi Jeff, thanks for this email. It reminded me about fishing in my iptables rules as promised ;-)

On Wed, Oct 30, 2002 at 03:02:27PM -0500, Jeff Bonner wrote:
# Thanks to everyone for their input on my ICMP questions. BTW, I finally
# got around to reading "Linux Firewalls 2nd Edition"; it says that I should
# allow 3, 4, 11 and 12... pretty much what I had read online.
#
# Now I'm working on my `hostile flags' sections. This is what I have:
#
# $IPT -N FLAGS
# $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL FIN,URG,PSH -j FLAGS
# $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j FLAGS
# $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS

This one my rules lack. What's that about? Seems to me a derivation type of xmas :) It blinks all around..

# $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j FLAGS
# $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,RST SYN,RST -j FLAGS
# $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,FIN SYN,FIN -j FLAGS
# $IPT -A FLAGS -j LOG --log-level info --log-prefix "**BAD FLAGS** "
# $IPT -A FLAGS -j DROP
#
# My question is, are these the right ones to detect intentional TCP flag
# manipulation? And what exactly could the potential hacker accomplish by
# using any of these?
Here is what gets fished:

### watch_flags dot;
$IPTABLES -t nat -N watch_flags
$IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL NONE \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "NULL PAKET: "
$IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL ALL \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "X-MAS PAKET: "
$IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "NMAP X-MAS PAKET: "
$IPTABLES -t nat -A watch_flags -p tcp --tcp-flags SYN,RST SYN,RST \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "SYN/RST PAKET: "
$IPTABLES -t nat -A watch_flags -p tcp --syn \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "SYN PAKET: "
$IPTABLES -t nat -A watch_flags -p tcp --tcp-flags SYN,FIN SYN,FIN \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "POSSIBLE SCAN: "
$IPTABLES -t nat -A watch_flags -f \
    -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "FRAGMENT: "
$IPTABLES -t nat -A watch_flags -j DROP

kind regards,
Nils

--
* N.Radtke@           * University of Stuttgart * icq / lc      *
* www.Think-Future.de * dep.comp.science        * 9336272/92045 *
:x :) You canna change the laws of physics, Captain; I've got to have thirty minutes!
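The `--tcp-flags MASK COMP` semantics behind both rule sets, as an added example that is not part of either message: a small Python model of the match (`flags & MASK == COMP`) applied to the FLAGS chain Jeff quoted, showing which flag combinations each rule catches and why a normal handshake falls through. The rule labels and sample packets are constructed for illustration.

```python
# Added example, not from either e-mail: iptables' --tcp-flags MASK COMP match
# modelled in Python and applied to the FLAGS chain Jeff quoted (labels assumed).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(TCP_FLAGS.values())  # iptables' ALL = SYN,ACK,FIN,RST,URG,PSH

def flag_set(spec):
    """Convert an iptables flag list ('SYN,RST', 'ALL', 'NONE') to a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))

def tcp_flags_match(flag_byte, mask, comp):
    """--tcp-flags MASK COMP: only the bits in MASK are examined, and they must
    equal COMP. Bits outside MASK are ignored, so 'SYN,RST SYN,RST' also catches
    SYN+RST+ACK while 'ALL SYN,RST' would not."""
    return (flag_byte & flag_set(mask)) == flag_set(comp)

# The INPUT -> FLAGS jumps from the quoted message, in the order they were
# appended; iptables evaluates them top down and the first match wins.
FLAGS_CHAIN = [
    ("ALL", "FIN,URG,PSH", "nmap xmas"),
    ("ALL", "ALL", "xmas (all flags)"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "all but PSH"),
    ("ALL", "NONE", "null"),
    ("SYN,RST", "SYN,RST", "syn+rst"),
    ("SYN,FIN", "SYN,FIN", "syn+fin"),
]

def flags(*names):
    """Build a TCP flag byte from names, e.g. flags('SYN', 'ACK') -> 0x12."""
    return sum(TCP_FLAGS[n] for n in names)

def classify(flag_byte):
    """Label of the first FLAGS rule the packet hits, or None when the
    combination is legal and falls through to the rest of INPUT."""
    for mask, comp, label in FLAGS_CHAIN:
        if tcp_flags_match(flag_byte, mask, comp):
            return label
    return None

if __name__ == "__main__":
    # Constructed sample packets: the normal handshake first, then the odd ones.
    for names in [("SYN",), ("SYN", "ACK"), ("ACK", "PSH"), (),
                  ("FIN", "URG", "PSH"), ("SYN", "RST", "ACK"), ("SYN", "FIN", "ACK")]:
        print(",".join(names) or "NONE", "->", classify(flags(*names)) or "pass")
```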