[PLUG] ICMP rule, etc., to allow nmap...
Michael C. Robinson
michael at goose.robinson-west.com
Tue Oct 14 13:08:01 UTC 2003
I'm setting up apache on xerxes and am wondering why I can't nmap
it. Maybe there's an icmp packet that's not being accepted, or
something that needs to be. I had log denied packets turned on
in my firewall, but I disabled that; I see no reason to have a
log of denied packets. It's a slow machine where it doesn't
help matters to have 65k lines of denied this or denied that
sent to the system log from attempting to nmap it.
I can connect to the apache server I've installed on it, though
it seems to take a long time when I go to the 209.210.202.171
address for the test page to come up. I'm fairly sure it's
an icmp type packet not being accepted or something of that
nature. I have to explicitly accept every type of ICMP packet
needed because of a default DENY policy for the forward, input,
and output chains.
For nmap of EXTERNAL_INTERFACE to work, what do I have to change?
Maybe I can put rules in my firewall to only accept nmap
probes from the other gateway. I want to be able to
nmap it to see what ports it has open, as this is more
reliable than simply trying to go through all the config
scripts.
# ------------------------------------------------------------------
Here are what the variables are:
# ------------------------------------------------------------------
$EXTERNAL_INTERFACE is my Internet interface on xerxes.
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses
BROADCAST_SRC="0.0.0.0" # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023" # Well known, privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
# ------------------------------------------------------------------
# ------------------------------------------------------------------
Here's my current ICMP section...
# ------------------------------------------------------------------
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR source-quench -j ACCEPT
# ------------------------------------------------------------------
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-request -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR parameter-problem -j ACCEPT
# Added because I see nothing wrong with letting
# these out.
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-s $IPADDR -j ACCEPT
# ------------------------------------------------------------------
# ------------------------------------------------------------------
And here's my spoofing section...
# ------------------------------------------------------------------
ipchains -A spoofi -s $CLASS_A -j DENY
ipchains -A spoofi -s $CLASS_B -j DENY
ipchains -A spoofi -s $BROADCAST_DEST -j DENY -l
ipchains -A spoofi -d $BROADCAST_SRC -j DENY -l
ipchains -A spoofi -s $CLASS_D_MULTICAST -j DENY
ipchains -A spoofi -s $CLASS_E_RESERVED_NET -j DENY -l
# I don't want the outside network's dhcp requests...
ipchains -A spoofi -i $EXTERNAL_INTERFACE -p udp -s 0/0 68 -j REJECT
# I don't want RIP packets from outside either...
ipchains -A spoofi -i $EXTERNAL_INTERFACE -p udp -s 0/0 520 -j REJECT
ipchains -A spoofi -s 0.0.0.0/8 -j DENY
ipchains -A spoofi -s 1.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 2.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 5.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 7.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 23.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 27.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 31.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 36.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 37.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 39.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 41.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 42.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 49.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 50.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 58.0.0.0/7 -j DENY -l
ipchains -A spoofi -s 60.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 67.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 68.0.0.0/6 -j DENY -l
ipchains -A spoofi -s 72.0.0.0/5 -j DENY -l
ipchains -A spoofi -s 80.0.0.0/4 -j DENY -l
ipchains -A spoofi -s 96.0.0.0/3 -j DENY -l
ipchains -A spoofi -s 169.254.0.0/16 -j DENY -l
ipchains -A spoofi -s 192.0.2.0/24 -j DENY -l
ipchains -A spoofi -s 197.0.0.0/8 -j DENY -l
ipchains -A spoofi -s 218.0.0.0/7 -j DENY -l
ipchains -A spoofi -s 220.0.0.0/6 -j DENY -l
ipchains -A spoofi -s 224.0.0.0/3 -j DENY -l
# ------------------------------------------------------------------
-- Michael Robinson
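An added example, not part of Michael's post: a small Python audit that parses the ICMP section quoted above (both the `--icmp-type TYPE` form and the older ipchains form that puts the type name in the source-port slot after `-s $IPADDR`) and reports which ICMP types each chain accepts, then flags the gaps a default-DENY policy leaves. Run over the posted rules it finds the two that explain the symptom: echo-request is never accepted inbound on icmpi and echo-reply is never accepted outbound on icmpo, so the host cannot answer a ping and anything that pings before probing sees it as down. The chain names icmpi/icmpo and the variables $EXTERNAL_INTERFACE/$IPADDR are taken from the post; the REQUIRED list is this example's own judgement of what a reachable host needs, and the sample rules are a copy of the post's ICMP section embedded here so the script runs offline.

```python
"""Audit an ipchains ICMP section for inbound/outbound asymmetries (added example).

Handles both rule forms from the post: '--icmp-type TYPE' and 'ipchains -s ADDR TYPE',
where ipchains reads the ICMP type name from the source-port slot. Shell variables
such as $IPADDR are kept as literal tokens; nothing is executed.
"""
import shlex

# Constructed sample: the icmpi/icmpo rules from the post, continuations included.
SAMPLE_RULES = r"""
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type echo-reply -d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type source-quench -d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type time-exceeded -d $IPADDR -j ACCEPT
ipchains -A icmpi -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type parameter-problem -d $IPADDR -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR source-quench -j ACCEPT
# ------------------------------------------------------------------
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR echo-request -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp -s $IPADDR parameter-problem -j ACCEPT
ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type destination-unreachable -s $IPADDR -j ACCEPT
"""


def join_continuations(text):
    """Glue backslash-continued lines together; drop blanks and # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out


def parse_rule(line):
    """Extract chain, protocol, ICMP type and target from one ipchains command."""
    toks = shlex.split(line)
    if not toks or toks[0] != "ipchains":
        return None
    rule = {"chain": None, "proto": None, "icmp_type": None, "target": None}
    keyed = {"-A": "chain", "-p": "proto", "-j": "target", "--icmp-type": "icmp_type"}
    src_slot, i = None, 1
    while i < len(toks):
        t = toks[i]
        if t in keyed:
            rule[keyed[t]] = toks[i + 1]
            i += 2
        elif t == "-i":
            i += 2
        elif t in ("-s", "-d"):
            i += 2  # skip the address
            # ipchains allows a port (or, after -s with ICMP, a type name) after the address
            if i < len(toks) and not toks[i].startswith("-"):
                if t == "-s":
                    src_slot = toks[i]
                i += 1
        else:
            i += 1  # -l, -y and other argument-less flags
    if rule["proto"] == "icmp" and rule["icmp_type"] is None:
        rule["icmp_type"] = src_slot  # older 'ipchains -s ADDR TYPE' form
    return rule


def accepted_icmp(text):
    """Map chain name -> set of ICMP types that chain ACCEPTs."""
    table = {}
    for r in map(parse_rule, join_continuations(text)):
        if r and r["proto"] == "icmp" and r["target"] == "ACCEPT" and r["icmp_type"]:
            table.setdefault(r["chain"], set()).add(r["icmp_type"])
    return table


# (chain, type, why it matters) for a host that should answer pings and do PMTU discovery.
# This list is the example's own judgement, not something stated in the post.
REQUIRED = [
    ("icmpi", "echo-request", "inbound pings are dropped; tools that ping before probing report the host down"),
    ("icmpo", "echo-reply", "even when a ping gets in, the answer cannot leave"),
    ("icmpi", "destination-unreachable", "carries fragmentation-needed; without it path-MTU discovery stalls"),
    ("icmpi", "time-exceeded", "needed for traceroute run from this host"),
]


def find_gaps(table):
    """Return the REQUIRED entries not satisfied by the parsed ACCEPT rules."""
    return [(c, t, why) for c, t, why in REQUIRED if t not in table.get(c, set())]


def rule_for(chain, typ, iface="$EXTERNAL_INTERFACE", ipaddr="$IPADDR"):
    """Render the ACCEPT rule that closes one gap, in the post's own style."""
    side = "-d" if chain == "icmpi" else "-s"
    return f"ipchains -A {chain} -i {iface} -p icmp --icmp-type {typ} {side} {ipaddr} -j ACCEPT"


if __name__ == "__main__":
    table = accepted_icmp(SAMPLE_RULES)
    for chain, types in sorted(table.items()):
        print(f"{chain}: {', '.join(sorted(types))}")
    for chain, typ, why in find_gaps(table):
        print(f"MISSING {typ} in {chain}: {why}\n    {rule_for(chain, typ)}")
```

Because ipchains is stateless, every ICMP exchange needs one rule per direction; the audit checks each direction separately for that reason. The emitted rule lines copy the post's own `--icmp-type ... -j ACCEPT` style so they can sit next to the existing ones, and the script never expands `$IPADDR` or `$EXTERNAL_INTERFACE`, so it can be pointed at the raw firewall script.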