
Re: iptables and nmap



Joan Hérisson wrote:

Chain INPUT (policy DROP 17 packets, 1088 bytes)
 pkts bytes target           prot opt in     out     source               destination
    1    64 ACCEPT           tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
  225 18816 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT           tcp  --  eth1   *       192.168.0.3          0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1   *       192.168.0.12         0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1   *       192.168.0.31         0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT           tcp  --  eth1   *       192.168.0.28         0.0.0.0/0            tcp dpt:22
    0     0 REJECT           tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
  162 18088 ACCEPT           all  --  eth1   *       192.168.0.0/24       0.0.0.0/0

You accept all eth1 packets from the inner network.


   10  1219 ACCEPT           all  --  lo     *       127.0.0.1            0.0.0.0/0
    4   156 ACCEPT           all  --  lo     *       192.168.0.1          0.0.0.0/0
    8   528 ACCEPT           all  --  lo     *       193.51.128.146       0.0.0.0/0
    0     0 ACCEPT           udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68

hmm

  140 10422 ACCEPT           all  --  *      *       0.0.0.0/0            193.51.128.146       state RELATED,ESTABLISHED
   20  1280 tcp_packets      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain "tcp_packets" is parsed only for eth0 traffic,
so your rules with -i eth1 in tcp_packets will never be hit.

    0     0 udp_packets      udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   10   640 icmp_packets     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP             all  --  eth0   *       0.0.0.0/0            224.0.0.0/8
    3   192 LOG              all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   152 ACCEPT           all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    2   152 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 LOG              all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
  169 22018 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   10  1219 ACCEPT           all  --  *      *       127.0.0.1            0.0.0.0/0
  166 16632 ACCEPT           all  --  *      *       192.168.0.1          0.0.0.0/0
  120 16559 ACCEPT           all  --  *      *       193.51.128.146       0.0.0.0/0
    0     0 LOG              all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

iptables will drop (and log) all outgoing packets?
So you cannot have a tcp connection if you are not
on one of the 3 named machines.


Chain allowed (20 references)
 pkts bytes target           prot opt in     out     source               destination
    3   192 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
    0     0 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP             tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain bad_tcp_packets (3 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 REJECT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    1    40 LOG              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'

The author doesn't understand what NEW means. (NEW (first hit) connection
in netfilter, not a new (--syn) tcp connection.)

    1    40 DROP             tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW

Chain icmp_packets (1 references)
 pkts bytes target           prot opt in     out     source               destination
   10   640 ACCEPT           icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT           icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11

Chain tcp_packets (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 allowed          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 allowed          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:51000:52000
    0     0 allowed          tcp  --  eth0   *       195.221.162.126      0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       81.57.83.190         0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       193.52.24.125        0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       129.175.58.218       0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       82.230.68.31         0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       82.246.152.215       0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       86.67.133.75         0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       88.171.133.128       0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       157.136.22.133       0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       129.104.48.4         0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       129.104.48.5         0.0.0.0/0            tcp dpt:22
    0     0 allowed          tcp  --  eth0   *       129.104.48.3         0.0.0.0/0            tcp dpt:22
    0     0 LOG              tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 7 prefix `IPT INPUT SSH FORBIDDEN: '
    1    64 allowed          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    2   128 allowed          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 allowed          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport ports 143,993,110,995
    0     0 allowed          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 allowed          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 allowed          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113

Chain udp_packets (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 REJECT           udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:515 reject-with icmp-port-unreachable
    0     0 DROP             udp  --  eth0   *       0.0.0.0/0            193.51.128.151       multiport ports 513,631
    0     0 ACCEPT           udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT           udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    0     0 ACCEPT           udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport ports 143,993,110,995
    0     0 ACCEPT           udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT           udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10000
    0     0 DROP             udp  --  eth0   *       0.0.0.0/0            193.51.128.151       udp dpts:135:139
    0     0 DROP             udp  --  eth0   *       0.0.0.0/0            255.255.255.255      udp dpts:67:68


IMHO, you should write your own rules from scratch!

ciao
	cate
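The unreachable-rule problem cate points out (a user chain entered only for eth0 while holding -i eth1 rules) can be checked mechanically. This is an added example, not part of the thread: a small Python checker over `iptables -L -v -n` output that propagates the input interfaces each chain can be entered with through every jump and flags rules whose -i can never match; the `SAMPLE` text is constructed to mirror the post's INPUT -> tcp_packets structure.

```python
import re

# Constructed sample in `iptables -L -v -n` form: INPUT only jumps to tcp_packets for eth0.
SAMPLE = """\
Chain INPUT (policy DROP 17 packets, 1088 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1280 tcp_packets  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain tcp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.3          0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
"""
BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}

def parse_chains(text):
    """Return {chain: [{'target', 'in', 'raw'}, ...]} from iptables -L -v -n output."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Chain (\S+)", line):
            cur = m.group(1)
            chains[cur] = []
        elif cur and len(f := line.split()) >= 9 and f[0] != "pkts":   # skip header/blank lines
            chains[cur].append({"target": f[2], "in": f[5], "raw": line.strip()})
    return chains

def entry_interfaces(chains):
    """Fixpoint over jumps: the -i values a packet can carry when it enters each chain."""
    entry = {c: ({"*"} if c in BUILTIN else set()) for c in chains}
    changed = True
    while changed:
        changed = False
        for chain, rules in chains.items():
            for r in (r for r in rules if r["target"] in chains):   # jumps to user chains only
                reach, add = entry[chain], set()
                if r["in"] == "*":
                    add = set(reach)                 # jump keeps whatever can reach it
                elif "*" in reach or r["in"] in reach:
                    add = {r["in"]}                  # jump narrows to one interface
                if not add <= entry[r["target"]]:
                    entry[r["target"]] |= add
                    changed = True
    return entry

def dead_rules(chains):
    # Rules whose -i can never match on any path into their chain (the eth1 rule here).
    entry = entry_interfaces(chains)
    return [(c, r["raw"]) for c, rules in chains.items() for r in rules
            if r["in"] != "*" and "*" not in entry[c] and r["in"] not in entry[c]]
```

Running `dead_rules(parse_chains(SAMPLE))` reports only the eth1 rule in tcp_packets; the `-i *` rule stays reachable, as in the original post.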


