Re: 'mirror' with iptables

To: debian-security@lists.debian.org
Subject: Re: 'mirror' with iptables
From: Yotam Rubin <yotam@makif.omer.k12.il>
Date: Tue, 13 Nov 2001 07:45:51 +0200
Message-id: <[🔎] 20011113074551.A3163@insomnia17>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 01111302065601.00381@phadell>
References: <[🔎] 01111302065601.00381@phadell>

On Tue, Nov 13, 2001 at 02:06:56AM -0200, phadell wrote:
> hello there,
> 
> I would like to do a rule that mirror the packets that incoming from a 
> portscanner. 
> The rule must return the packets to the source.  If anyone scan my machine 
> ports, the result will be the list of source address open ports.
> 
> Anyone could help me with this rule?

See the the MIRROR target in the iptables man page. However, this will not
yield the desired effect. 

1) Source ports sending the SYN/whatever are not in the LISTEN state.
2) By mirroring the packets, you effectively destroy any chance of normal
   connection establishment. For instance, the scanner sends a SYN,
   it expects a SYN-ACK, but it receives the exact same SYN, thus screwing
   up the handshake.

	Regards, Yotam Rubin

> 
> phadell
> 
> ps.: sorry for my terrible english!  :-(
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

References:
- 'mirror' with iptables
  - From: phadell <fadel@siteplanet.com.br>

Prev by Date: Re: Vulnerable SSH versions
Next by Date: Re: Vulnerable SSH versions
Previous by thread: 'mirror' with iptables
Next by thread: Re: 'mirror' with iptables
Index(es):
- Date
- Thread