
Re: IPtables Question II: `Hostile' Flags



        Hi Jeff,

 Thanks for this email.
It reminded me about fishing in my iptables rules as promised ;-)

On Wed, Oct 30, 2002 at 03:02:27PM -0500, Jeff Bonner wrote: 
# Thanks to everyone for their input on my ICMP questions.  BTW, I finally
# got around to reading "Linux Firewalls 2nd Edition"; it says that I should
# allow 3, 4, 11 and 12... pretty much what I had read online.
# 
# Now I'm working on my `hostile flags' sections.  This is what I have:
# 
#  $IPT -N FLAGS
#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL FIN,URG,PSH         -j FLAGS
#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL                 -j FLAGS
#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
This one my rules lack. What's that about?
Seems to me a derivation type of xmas :) It blinks all around..

#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE                -j FLAGS
#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,RST SYN,RST         -j FLAGS
#  $IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,FIN SYN,FIN         -j FLAGS
#  $IPT -A FLAGS -j LOG --log-level info --log-prefix "**BAD FLAGS** "
#  $IPT -A FLAGS -j DROP
# 
# My question is, are these the right ones to detect intentional TCP flag
# manipulation?  And what exactly could the potential hacker accomplish by
# using any of these?

Here is what gets fished:

### watch_flags
 dot;
 $IPTABLES -t nat -N watch_flags
 $IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL NONE        \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "NULL PAKET: "
 $IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL ALL         \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "X-MAS PAKET: "
 $IPTABLES -t nat -A watch_flags -p tcp --tcp-flags ALL FIN,URG,PSH \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "NMAP X-MAS PAKET: "
 $IPTABLES -t nat -A watch_flags -p tcp --tcp-flags SYN,RST SYN,RST \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "SYN/RST PAKET: "
 $IPTABLES -t nat -A watch_flags -p tcp --syn                       \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "SYN PAKET: "
 $IPTABLES -t nat -A watch_flags -p tcp --tcp-flags SYN,FIN SYN,FIN \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "POSSIBLE SCAN: "
 $IPTABLES -t nat -A watch_flags -f \
        -m limit $LIMIT_LEVEL -j LOG $LOG_LEVEL --log-prefix "FRAGMENT: "
 $IPTABLES -t nat -A watch_flags -j DROP

        kind regards,

                Nils 



-- 

* N.Radtke@                 * University of Stuttgart *    icq / lc   *
*      www.Think-Future.de  *    dep.comp.science     * 9336272/92045 *
:x                                                                   :)

   You canna change the laws of physics, Captain; I've got to have
   thirty minutes! 
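Both chains above rely on the semantics of `--tcp-flags MASK COMP`: iptables looks only at the bits named in MASK and matches when, among those, exactly the COMP bits are set. The following is an added example (not code from either post) that models that match in Python and walks the FLAGS chain from the question in rule order, so you can see which rule catches which malformed packet and confirm that ordinary handshake and teardown segments fall through. The packet flag sets at the bottom are constructed for illustration; `is_syn` models the `--syn` shorthand used in the second post, which the iptables manual defines as `--tcp-flags SYN,RST,ACK,FIN SYN`.

```python
"""Model of the iptables ``--tcp-flags MASK COMP`` match, applied to the
hostile-flag rules quoted in the thread.  Added example, not code from
either post; the sample packets at the bottom are constructed."""

from typing import Dict, List, Optional, Tuple

# TCP control bits by the names iptables accepts in --tcp-flags lists.
FLAG_BITS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_MASK = sum(FLAG_BITS.values())   # 0x3F, what the keyword ALL means


def parse_flag_set(spec: str) -> int:
    """Turn ``SYN,FIN``, ``ALL`` or ``NONE`` into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_MASK
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]      # unknown names raise, as iptables rejects them
    return bits


def flags(*names: str) -> int:
    """Build a packet's flag byte from flag names; flags() is a NULL packet."""
    return parse_flag_set(",".join(names)) if names else 0


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """``--tcp-flags MASK COMP``: inspect only the bits in MASK and require
    that, among those, exactly the COMP bits are set.  Bits outside MASK are
    ignored, which is why ``SYN,RST SYN,RST`` also fires on SYN/RST/ACK."""
    m = parse_flag_set(mask)
    return (pkt_flags & m) == (parse_flag_set(comp) & m)


def is_syn(pkt_flags: int) -> bool:
    """The ``--syn`` shorthand from the second post: equivalent to
    ``--tcp-flags SYN,RST,ACK,FIN SYN`` (a bare connection request)."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")


# The FLAGS chain from the question, in rule order: (MASK, COMP, description).
HOSTILE_RULES: List[Tuple[str, str, str]] = [
    ("ALL", "FIN,URG,PSH", "nmap xmas: FIN/URG/PSH only"),
    ("ALL", "ALL", "xmas: every flag set"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "every flag except PSH"),
    ("ALL", "NONE", "null: no flags at all"),
    ("SYN,RST", "SYN,RST", "SYN and RST together"),
    ("SYN,FIN", "SYN,FIN", "SYN and FIN together"),
]


def classify(pkt_flags: int) -> Optional[str]:
    """Walk the chain as netfilter does: the first matching rule wins (there
    it would LOG and DROP).  None means the packet falls through untouched."""
    for mask, comp, what in HOSTILE_RULES:
        if tcp_flags_match(pkt_flags, mask, comp):
            return what
    return None


def run_samples() -> Dict[str, Optional[str]]:
    """Constructed packets: the legitimate ones must fall through, the
    malformed ones must be caught by the rule named in the verdict."""
    samples = {
        "SYN (connection request)": flags("SYN"),
        "SYN,ACK (handshake reply)": flags("SYN", "ACK"),
        "FIN,PSH,ACK (normal close with data)": flags("FIN", "PSH", "ACK"),
        "FIN,URG,PSH": flags("FIN", "URG", "PSH"),
        "no flags": flags(),
        "all flags": flags(*FLAG_BITS),
        "SYN,RST,ACK": flags("SYN", "RST", "ACK"),
        "SYN,FIN": flags("SYN", "FIN"),
    }
    return {name: classify(f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:40s} -> {verdict or 'passes'}")
```

Two things the model makes visible: the `ALL` rules require an exact flag byte, so `ALL FIN,URG,PSH` does not touch a legitimate FIN/PSH/ACK close, while the two narrow-mask rules (`SYN,RST` and `SYN,FIN`) fire no matter what else is set, which is what you want for combinations that never occur in a valid TCP exchange.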
   
