UNWANTED state
Matteo Croce
rootkit85 at yahoo.it
Fri Dec 31 14:15:53 CET 2004
> In other terms, you would then do something like this :
>
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -m state --state RELATED -p tcp --dport 113 -j REJECT --reject-with tcp-reset
> -A INPUT -m state --state RELATED -j ACCEPT
> ... check for new connections here then final drop ...
> -A INPUT -j DROP
>
> A last solution would be the RECENT match. You create an entry when
> establishing the outgoing session, and you match against it in return so that
> only this address has the permission to receive a REJECT.
Here is my iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID,UNTRACKED
DROP icmp -- anywhere anywhere icmp echo-request
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
Add the patch that doesn't respond on closed UDP ports with an ICMP, and I have
the system stealthed with only 3 rules.
But I also know that the kernel patch and the rule that drops RST/ACKs are very ugly hacks.
Don't forget that this ugly hack works even for loopback!
> You know, it's enough that you have *one* open port for an attacker to be
> able to do this, be it SMTP, HTTP, SSH, or anything else...
Yes, but in most typical end-user systems, open ports will be only:
20 for non PASV ftp transfers
some ports for IRC's DCC transfer
some ports for P2P apps
These ports are open only when needed, and (apart for p2p)
the program that opens them accepts only one connection.
So it is almost impossible to be DoSed with traffic on port 20 or so.
> Regards,
> Willy
Regards,
Matteo
--
.""`. Matteo Croce <rootkit85 at yahoo.it>
: :" : proud Debian admin and user
`. `"`
`- Debian - when you have better things to do than fix a system
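The RECENT-match alternative Willy describes, as an added example that is not part of the thread and was not posted by either author: it records the peer of each new outgoing TCP session with the recent match and sends a TCP reset on 113/tcp only to those peers, dropping every other ident probe. The list name identpeers, the 60-second window and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the "recent" match
# variant: the address of every server this host opens a TCP session to is
# recorded in a recent list, and only those addresses get a TCP reset on an
# ident (113/tcp) probe; every other ident probe is silently dropped.
# Assumptions: iptables with the state and recent matches; the list name
# and the 60 s window are chosen here, not taken from the thread.

LIST=identpeers
WINDOW=60   # seconds after the outgoing SYN during which a reset is sent

# Print the ruleset in iptables-restore format; nothing is applied here.
ident_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ident probe from a server we just connected to: answer with RST so the
# remote daemon gives up at once instead of waiting for its timeout
-A INPUT -p tcp --dport 113 --syn -m recent --name $LIST --rsource --rcheck --seconds $WINDOW -j REJECT --reject-with tcp-reset
# any other ident probe (scanners, random hosts) gets no answer at all
-A INPUT -p tcp --dport 113 -j DROP
# record the destination of each new outgoing TCP session (--rdest), i.e.
# the only peer that may legitimately come back with an ident lookup
-A OUTPUT -p tcp --syn -m state --state NEW -m recent --name $LIST --rdest --set -j ACCEPT
COMMIT
EOF
}

# Load the ruleset; needs root and a kernel with the state/recent matches.
apply_ident_ruleset() {
    ident_ruleset | iptables-restore
}

# Ordering check that runs without root: the gated REJECT must appear
# before the unconditional DROP for port 113, or nobody ever gets a reset.
ident_ruleset_sane() {
    rules=$(ident_ruleset)
    reset=$(printf '%s\n' "$rules" | grep -n 'tcp-reset' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n 'dport 113 -j DROP' | cut -d: -f1)
    [ -n "$reset" ] && [ -n "$drop" ] && [ "$reset" -lt "$drop" ]
}

if [ "${1:-}" = "--apply" ]; then apply_ident_ruleset; else ident_ruleset; fi
```

Run without arguments it only prints the ruleset for review; `--apply` pipes it into iptables-restore.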