connect only one time!
Brad Chapman
kakadu@earthlink.net
Sun, 22 Jul 2001 18:51:26 -0400
Mr. Parissis,
Don't use the nat table for this; the nat table only sees state NEW
connections. Grab my mangle5hooks patch from the netfilter-devel archive
and use mangle PREROUTING and mangle POSTROUTING to detect portscans and
stuff. That way you'll see all connections and you may get better results.
Brad
Pavlos Parissis wrote:
> Hello all,
> I have noticed a strange behavior in my firewall.
> When my nat table looks like this:
> [root ~]# iptables -t nat -L -v
> Chain PREROUTING (policy ACCEPT 11843 packets, 475K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 1/sec burst 5 LOG level notice prefix
> `Prerouting scans '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 1/sec burst 5 LOG level notice prefix `Prerouting scans
> '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN limit: avg 1/sec burst 5 LOG level notice prefix `Prerouting
> scans '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
> 2 120 LOG tcp -- any any anywhere anywhere tcp
> flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level notice prefix `PREROUTING Syn-flood '
> 2 120 DROP tcp -- any any anywhere anywhere tcp
> flags:SYN,RST,ACK/SYN
> 0 0 LOG all -- ppp0 any anywhere 224.0.0.0/24 limit: avg
> 1/sec burst 5 LOG level notice prefix `Multicasting '
> 0 0 DROP all -- ppp0 any anywhere 224.0.0.0/24
> 0 0 DROP all -- ppp0 any 192.168.0.0/16 anywhere
> 0 0 DROP all -- ppp0 any 10.0.0.0/8 anywhere
> 0 0 DROP all -- ppp0 any 172.16.0.0/12 anywhere
>
> Chain POSTROUTING (policy ACCEPT 173 packets, 11700 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 MASQUERADE all -- any ppp0 anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT 179 packets, 12117 bytes)
> pkts bytes target prot opt in out source destination
> -------------------------------------------------------------------------------
> I can connect using ssh from one of my clients' PCs just once!
> If I try a second time I cannot connect.
>
> This is my INPUT Chain:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x29 limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `Xms Scan '
> 2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x29
> 3 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x01 state INVALID,NEW,RELATED limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `Fin
> Scans '
> 4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x01 state INVALID,NEW,RELATED
> 5 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x03 limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `Open-Close scan '
> 6 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x3F/0x03
> 7 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state
> INVALID limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `Invalid INPUT '
> 8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state
> INVALID
> 9 0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state
> NEW limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `NEW INPUT state '
> 10 0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state
> NEW
> 11 0 0 LOG icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp
> type 8 limit: avg 1/sec burst 5 LOG flags 0 level 5 prefix `INPUT PoD attack '
> 12 0 0 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp
> type 8
> 13 0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> 14 0 0 ACCEPT all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0 state
> NEW
> 15 0 0 ACCEPT icmp -- eth0 * 192.168.100.0/24 0.0.0.0/0 icmp
> type 8 limit: avg 10/min burst 5
> 16 0 0 ACCEPT icmp -- eth0 * 192.168.100.0/24 0.0.0.0/0 icmp
> type 0 limit: avg 10/min burst 5
> 17 0 0 ACCEPT tcp -- eth0 * 192.168.100.0/24 192.168.100.1 tcp
> dpt:139
> 18 0 0 ACCEPT tcp -- eth0 * 192.168.100.0/24 192.168.100.1 tcp
> dpt:3128
> 19 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp
> spt:3128
> 20 0 0 ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 tcp
> dpt:3128
> 21 0 0 ACCEPT tcp -- eth0 * 192.168.100.0/24 192.168.100.1 tcp
> dpt:22
> ---------------------------------------------------------------------------------
> Now if I change one of my rules in the nat table, the nat table looks like this and I can connect a
> second, third... time
> [root ~]# iptables -t nat -L -v
> Chain PREROUTING (policy ACCEPT 11845 packets, 476K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 1/sec burst 5 LOG level notice prefix
> `Prerouting scans '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 1/sec burst 5 LOG level notice prefix `Prerouting scans
> '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> 0 0 LOG tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN limit: avg 1/sec burst 5 LOG level notice prefix `Prerouting
> scans '
> 0 0 DROP tcp -- any any anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
> *1>>>>> 0 0 LOG tcp -- ppp0 any anywhere anywhere tcp
> flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level notice prefix `PREROUTING Syn-flood '
> >>>>>>> 0 0 DROP tcp -- ppp0 any anywhere anywhere tcp
> flags:SYN,RST,ACK/SYN
> 0 0 LOG all -- ppp0 any anywhere 224.0.0.0/24 limit: avg
> 1/sec burst 5 LOG level notice prefix `Multicasting '
> 0 0 DROP all -- ppp0 any anywhere 224.0.0.0/24
> 0 0 DROP all -- ppp0 any 192.168.0.0/16 anywhere
> 0 0 DROP all -- ppp0 any 10.0.0.0/8 anywhere
> 0 0 DROP all -- ppp0 any 172.16.0.0/12 anywhere
>
> Chain POSTROUTING (policy ACCEPT 173 packets, 11700 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 MASQUERADE all -- any ppp0 anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT 179 packets, 12117 bytes)
> pkts bytes target prot opt in out source destination
> --------------------------------------------------------------------------------
> as you can see the only difference is *1 rule.
> Any ideas why this happens?
>
> Thanks in advance,
> Pavlos
>
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I love having the feeling of being in control
> while i have the sensation of speed
>
> The surfer of life
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
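As an added example that is not code from the original thread: the three port-scan LOG/DROP pairs from the quoted nat PREROUTING chain, rewritten for mangle PREROUTING as the reply suggests, so the rules see every packet instead of only the first packet of a NEW connection. It assumes a current iptables with a mangle PREROUTING hook, takes ppp0 as the external interface from the thread, and the IPT/EXT_IF variables and the add_scan_rules function are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): the three port-scan LOG/DROP pairs
# from the quoted nat PREROUTING chain, installed in the mangle table
# instead, so they see every packet rather than only the first packet of
# a NEW connection. Assumes a current iptables with a mangle PREROUTING
# hook. IPT and EXT_IF are this example's own variables; EXT_IF defaults
# to ppp0, the external interface in the thread.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-ppp0}"

# log_and_drop PREFIX MATCH...
# Rate-limited LOG (1/sec, burst 5, like the original rules) followed by
# an unconditional DROP for the same match, both in mangle PREROUTING.
log_and_drop() {
    prefix=$1; shift
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" "$@" \
        -m limit --limit 1/sec --limit-burst 5 \
        -j LOG --log-level notice --log-prefix "$prefix "
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" "$@" -j DROP
}

add_scan_rules() {
    # --tcp-flags MASK SET: inspect all six flags (ALL), require exactly SET.
    # Xmas-style probe: FIN, PSH and URG set, nothing else.
    log_and_drop "Prerouting scans" -p tcp --tcp-flags ALL FIN,PSH,URG
    # FIN-only probe: FIN without ACK never occurs in a real session.
    log_and_drop "Prerouting scans" -p tcp --tcp-flags ALL FIN
    # SYN+FIN: contradictory flags, only seen from scanners.
    log_and_drop "Prerouting scans" -p tcp --tcp-flags ALL FIN,SYN
    # The quoted chain also had a LOG/DROP pair on SYN-only packets
    # (--tcp-flags SYN,RST,ACK SYN). An unconditional DROP there discards
    # every new inbound TCP connection on the interface, so it is left out.
}

# Run as "sh this.sh apply" to install; "IPT=echo sh this.sh apply" previews.
if [ "${1:-}" = "apply" ]; then
    add_scan_rules
fi
```

Setting IPT=echo prints the six generated iptables commands instead of running them, which is a convenient way to review the rule set before loading it on a box you administer.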