I followed the simple stateful wiki howto.
I also did the SYN TCP scan and UDP scan blocking:
https://wiki.archlinux.org/index.php/Si … t_scanners
iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 30/min burst 8
2 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
3 4358K 6323M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 117 6956 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 129 5160 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
6 6370 1702K UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
7 0 0 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
8 109 18829 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
9 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
10 2 64 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1105K packets, 93M bytes)
num pkts bytes target prot opt in out source destination
Chain TCP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
2 0 0 ACCEPT tcp -- * * 192.168.1.199 0.0.0.0/0 tcp spt:631 dpt:631 state NEW
Chain UDP (1 references)
num pkts bytes target prot opt in out source destination
1 6261 1683K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
2 0 0 ACCEPT udp -- * * 192.168.1.199 0.0.0.0/0 udp spt:631 dpt:631 state NEW
Using the TCP/UDP chains, this is what I did to allow inbound CUPS ports (not working):
iptables -A TCP -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
iptables -A UDP -p udp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
But if I open up the tcp/udp ports in the INPUT chain then it all works fine (end of INPUT chain):
iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
Looking at all the rejected packets in the UDP scan rule (rule #1 in the UDP chain) makes me think that the UDP scan rule might be blocking the CUPS port.
Am I right? Does anyone know a solution to this?
Edit: the wiki suggests the scan reject rule should be at the top of the TCP/UDP chains, but I am not sure.
Last edited by rehono (2015-07-02 08:02:43)
iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
EDIT: no need for the --sport part. The source port will be randomly assigned by the remote.
Last edited by fukawi2 (2015-07-02 08:18:15)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
iptables -A INPUT -p tcp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.199 --sport 631 -m state --state NEW --dport 631 -j ACCEPT
EDIT: no need for the --sport part. The source port will be randomly assigned by the remote.
Yeah I didn't have sport in the rule I had working in INPUT chain.
I tried no sport in the TCP/UDP chains but still no luck.
Post the output of `iptables-save` -- it's easier to visually parse
Post the output of `iptables-save` -- it's easier to visually parse
# Generated by iptables-save v1.4.21 on Fri Jul 3 02:14:12 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -s 192.168.1.199/32 -p tcp -m tcp --dport 631 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -s 192.168.1.199/32 -p udp -m udp --dport 631 -j ACCEPT
COMMIT
# Completed on Fri Jul 3 02:14:12 2015
Last edited by rehono (2015-07-08 21:09:24)
Reorder the rules in your "TCP" and "UDP" chains -- first match wins, and your REJECT is the first rule. Make it the last.
Reorder the rules in your "TCP" and "UDP" chains -- first match wins, and your REJECT is the first rule. Make it the last.
I will try it out and update. Sorry, I have been a bit busy lately.