Re: iptables and nmap
Joan Hérisson wrote:
Chain INPUT (policy DROP 17 packets, 1088 bytes)
pkts bytes target prot opt in out source
destination
1 64 ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8080
225 18816 bad_tcp_packets tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 192.168.0.3
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth1 * 192.168.0.12
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth1 * 192.168.0.31
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth1 * 192.168.0.28
0.0.0.0/0 tcp dpt:22
0 0 REJECT tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
162 18088 ACCEPT all -- eth1 * 192.168.0.0/24
0.0.0.0/0
you accept all eth1 packets from the inner network.
10 1219 ACCEPT all -- lo * 127.0.0.1
0.0.0.0/0
4 156 ACCEPT all -- lo * 192.168.0.1
0.0.0.0/0
8 528 ACCEPT all -- lo * 193.51.128.146
0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp spts:67:68 dpts:67:68
hmm
140 10422 ACCEPT all -- * * 0.0.0.0/0
193.51.128.146 state RELATED,ESTABLISHED
20 1280 tcp_packets tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0
chain "tcp_packets" is parsed only for eth0 traffic.
so your rules with -i eth1 in tcp_packets will never be hit.
0 0 udp_packets udp -- eth0 * 0.0.0.0/0
0.0.0.0/0
10 640 icmp_packets icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0
224.0.0.0/8
3 192 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix
`IPT INPUT packet died: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 bad_tcp_packets tcp -- * * 0.0.0.0/0
0.0.0.0/0
2 152 ACCEPT all -- eth1 * 0.0.0.0/0
0.0.0.0/0
2 152 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix
`IPT FORWARD packet died: '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
169 22018 bad_tcp_packets tcp -- * * 0.0.0.0/0
0.0.0.0/0
10 1219 ACCEPT all -- * * 127.0.0.1
0.0.0.0/0
166 16632 ACCEPT all -- * * 192.168.0.1
0.0.0.0/0
120 16559 ACCEPT all -- * * 193.51.128.146
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix
`IPT OUTPUT packet died: '
iptables will drop (and log) all outgoing packets?
So you cannot have a tcp connection if you are not
in one of the 3 named machines.
Chain allowed (20 references)
pkts bytes target prot opt in out source
destination
3 192 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0
Chain bad_tcp_packets (3 references)
pkts bytes target prot opt in out source
destination
0 0 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
1 40 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4
prefix `New not syn:'
The author don't understand what NEW means. (NEW (first hit) connection
in netfilter, not a new (--syn) tcp connection)
1 40 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source
destination
10 640 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
Chain tcp_packets (1 references)
pkts bytes target prot opt in out source
destination
0 0 allowed tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 allowed tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpts:51000:52000
0 0 allowed tcp -- eth0 * 195.221.162.126
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 81.57.83.190
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 193.52.24.125
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 129.175.58.218
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 82.230.68.31
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 82.246.152.215
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 86.67.133.75
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 88.171.133.128
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 157.136.22.133
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 129.104.48.4
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 129.104.48.5
0.0.0.0/0 tcp dpt:22
0 0 allowed tcp -- eth0 * 129.104.48.3
0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 LOG flags 0 level 7 prefix `IPT INPUT SSH
FORBIDDEN: '
1 64 allowed tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
2 128 allowed tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 allowed tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 multiport ports 143,993,110,995
0 0 allowed tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53
0 0 allowed tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
0 0 allowed tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
Chain udp_packets (1 references)
pkts bytes target prot opt in out source
destination
0 0 REJECT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:515 reject-with icmp-port-unreachable
0 0 DROP udp -- eth0 * 0.0.0.0/0
193.51.128.151 multiport ports 513,631
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:443
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 multiport ports 143,993,110,995
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:10000
0 0 DROP udp -- eth0 * 0.0.0.0/0
193.51.128.151 udp dpts:135:139
0 0 DROP udp -- eth0 * 0.0.0.0/0
255.255.255.255 udp dpts:67:68
IMHO, you should write you own rules from scratch!
ciao
cate
Reply to: