[PLUG] ICMP rule, etc., to allow nmap...

Michael C. Robinson michael at goose.robinson-west.com
Tue Oct 14 13:08:01 UTC 2003


I'm setting up apache on xerxes and am wondering why I can't nmap
it.  Maybe there's an icmp packet that's not being accepted, or
something that needs to be.  I had log denied packets turned on
in my firewall, but I disabled that, I see no reason to have a
log of denied packets.  It's a slow machine where it doesn't 
help matters to have 65k lines of denied this or denied that
sent to the system log from attempting to nmap it.

I can connect to the apache server I've installed to it, though 
it seems to take a long time when I go to the 209.210.202.171 
address for the test page to come up.  I'm fairly sure it's
an icmp type packet not being accepted or something of that
nature.  I have to explicitly accept every type of ICMP packet
needed because of a default DENY policy for the forward, input, 
and output chains.

For nmap of EXTERNAL_INTERFACE to work what do I have to change?
Maybe I can put rules in my firewall to only accept nmap 
probes from the other gateway.  I want to be able to 
nmap it to see what ports it has open as this is more
reliable than simply trying to go through all the config
scripts.



# ------------------------------------------------------------------
Here are what the variables are:
# ------------------------------------------------------------------
$EXTERNAL_INTERFACE is my Internet interface on xerxes.
CLASS_A="10.0.0.0/8"                    # Class A private networks
CLASS_B="172.16.0.0/12"                 # Class B private networks
CLASS_C="192.168.0.0/16"                # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"         # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"      # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"                 # Broadcast source address
BROADCAST_DEST="255.255.255.255"        # Broadcast destination address
PRIVPORTS="0:1023"                      # Well known, privileged port range

UNPRIVPORTS="1024:65535"                # Unprivileged port range
# ------------------------------------------------------------------



# ------------------------------------------------------------------
Here's my current ICMP section...
# ------------------------------------------------------------------
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-reply \
             -d $IPADDR -j ACCEPT

    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -d $IPADDR -j ACCEPT 

    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type source-quench \
             -d $IPADDR -j ACCEPT 

    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type time-exceeded \
             -d $IPADDR -j ACCEPT 

    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type parameter-problem \
             -d $IPADDR -j ACCEPT 


    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR fragmentation-needed -j ACCEPT

    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR source-quench -j ACCEPT

    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-request -j ACCEPT

    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR parameter-problem -j ACCEPT

    # Added because I see nothing wrong with letting
    # these out.

    ipchains -A icmpo  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -s $IPADDR -j ACCEPT
# ------------------------------------------------------------------



# ------------------------------------------------------------------
And here's my spoofing section...
# ------------------------------------------------------------------
    ipchains -A spoofi   -s $CLASS_A -j DENY
    ipchains -A spoofi   -s $CLASS_B -j DENY
    ipchains -A spoofi   -s $BROADCAST_DEST -j DENY -l
    ipchains -A spoofi   -d $BROADCAST_SRC -j DENY -l
    ipchains -A spoofi   -s $CLASS_D_MULTICAST -j DENY
    ipchains -A spoofi   -s $CLASS_E_RESERVED_NET -j DENY -l

    #  I don't want the outside network's dhcp requests...
    ipchains -A spoofi -i $EXTERNAL_INTERFACE -p udp -s 0/0 68 -j REJECT

    #  I don't want RIP packets from outside either...
    ipchains -A spoofi -i $EXTERNAL_INTERFACE -p udp -s 0/0 520 -j REJECT

    ipchains -A spoofi   -s 0.0.0.0/8 -j DENY
    ipchains -A spoofi   -s 1.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 2.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 5.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 7.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 23.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 27.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 31.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 36.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 37.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 39.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 41.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 42.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 49.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 50.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 58.0.0.0/7 -j DENY -l
    ipchains -A spoofi   -s 60.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 67.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 68.0.0.0/6 -j DENY -l
    ipchains -A spoofi   -s 72.0.0.0/5 -j DENY -l
    ipchains -A spoofi   -s 80.0.0.0/4 -j DENY -l
    ipchains -A spoofi   -s 96.0.0.0/3 -j DENY -l
    ipchains -A spoofi   -s 169.254.0.0/16 -j DENY -l
    ipchains -A spoofi   -s 192.0.2.0/24 -j DENY -l
    ipchains -A spoofi   -s 197.0.0.0/8 -j DENY -l
    ipchains -A spoofi   -s 218.0.0.0/7 -j DENY -l
    ipchains -A spoofi   -s 220.0.0.0/6 -j DENY -l
    ipchains -A spoofi   -s 224.0.0.0/3 -j DENY -l
# ------------------------------------------------------------------

     --  Michael Robinson
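The ICMP section above accepts echo-reply inbound and echo-request outbound, but not the reverse pair, so the host can ping out yet never answers a ping aimed at it. The following script, added here as an illustration and not part of the post, parses ipchains ICMP rules in both spellings the tool allows (`--icmp-type NAME`, or the type name in the port slot after `-s ADDR`) and reports which request/reply pairs are complete. The chain names `icmpi`/`icmpo` and the sample rules are taken from the post; the `REQUIREMENTS` table mapping functions to the ICMP types they need is an assumption of this example.

```python
"""Audit ipchains ICMP accept rules for request/reply symmetry.

Added example: the rule text below is copied from the post's ICMP section
and embedded as constructed test input; the parser and checks are not part
of the post.
"""
import re
from collections import defaultdict

# Constructed sample input: the icmpi/icmpo rules from the post, verbatim.
SAMPLE_RULES = r"""
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type echo-reply \
             -d $IPADDR -j ACCEPT
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -d $IPADDR -j ACCEPT
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type source-quench \
             -d $IPADDR -j ACCEPT
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type time-exceeded \
             -d $IPADDR -j ACCEPT
    ipchains -A icmpi  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type parameter-problem \
             -d $IPADDR -j ACCEPT
    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR fragmentation-needed -j ACCEPT
    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR source-quench -j ACCEPT
    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR echo-request -j ACCEPT
    ipchains -A icmpo -i $EXTERNAL_INTERFACE -p icmp  \
             -s $IPADDR parameter-problem -j ACCEPT
    ipchains -A icmpo  -i $EXTERNAL_INTERFACE -p icmp  \
             --icmp-type destination-unreachable \
             -s $IPADDR -j ACCEPT
"""

# Assumed mapping: function -> (types needed on the inbound chain,
# types needed on the outbound chain) for that function to work.
REQUIREMENTS = {
    "answer pings (ping/nmap host discovery)": ({"echo-request"}, {"echo-reply"}),
    "ping out": ({"echo-reply"}, {"echo-request"}),
    "path-MTU discovery": ({"destination-unreachable"}, set()),
    "traceroute out": ({"time-exceeded", "destination-unreachable"}, set()),
}


def join_continuations(text):
    """Join backslash-continued lines the way the shell does before running them."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_icmp_rules(text):
    """Return a list of (chain, icmp_type, target) for each 'ipchains ... -p icmp' rule.

    ipchains accepts the ICMP type either as --icmp-type NAME or as the
    'port' token following -s ADDR, so both forms are recognised here.
    """
    rules = []
    for line in join_continuations(text).splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "ipchains" or "icmp" not in tokens:
            continue
        chain = tokens[tokens.index("-A") + 1]
        target = tokens[tokens.index("-j") + 1]
        icmp_type = None
        if "--icmp-type" in tokens:
            icmp_type = tokens[tokens.index("--icmp-type") + 1]
        elif "-s" in tokens:
            after_src = tokens[tokens.index("-s") + 2:]   # tokens after '-s ADDR'
            if after_src and not after_src[0].startswith("-"):
                icmp_type = after_src[0]
        rules.append((chain, icmp_type, target))
    return rules


def accepted_types(rules):
    """Map chain name -> set of ICMP types that chain ACCEPTs."""
    accepted = defaultdict(set)
    for chain, icmp_type, target in rules:
        if target == "ACCEPT" and icmp_type:
            accepted[chain].add(icmp_type)
    return accepted


def audit(text, in_chain="icmpi", out_chain="icmpo"):
    """Return {function: set of missing (chain, type) pairs}; an empty set means it works."""
    accepted = accepted_types(parse_icmp_rules(text))
    report = {}
    for function, (need_in, need_out) in REQUIREMENTS.items():
        missing = {(in_chain, t) for t in need_in - accepted[in_chain]}
        missing |= {(out_chain, t) for t in need_out - accepted[out_chain]}
        report[function] = missing
    return report


if __name__ == "__main__":
    for function, missing in audit(SAMPLE_RULES).items():
        if missing:
            gaps = ", ".join(f"{chain}:{t}" for chain, t in sorted(missing))
            print(f"{function}: blocked, missing {gaps}")
        else:
            print(f"{function}: ok")
```

Run against the post's rules, the audit reports "ping out: ok" but "answer pings: blocked, missing icmpi:echo-request, icmpo:echo-reply". nmap's host discovery pings the target before port-scanning it, so a box that never answers echo-request looks down to the scanner even though its web server is reachable; that is the asymmetry to look at first under a default DENY policy. The script assumes the Ziegler-style layout the post uses, where `icmpi` and `icmpo` are user chains fed from `input` and `output` for external-interface ICMP.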