Tony's ramblings on Open Source Software, Life and Photography

iptables

IPTables Trickery

Published August 22, 2009, 2:46 pm | by tony

I've had a bit of a strange situation on my network - Googling never did come up with anything for me.

I have a private network. All my servers sit behind the firewall on the private LAN. A few of those servers provide services to the Internet on specific ports.

Sharing those ports to the outside using iptables is trivial. The problem arises when you are trying to access the internal server using the external DNS / IP from inside the network. What would happen is that iptables would redirect your packets to the correct server, but the return address would be your local internal IP, so the packets return to you as if coming from the private address instead of the public address, and your local computer won't know what to do with them.

There's actually a very simple solution, assuming you have static IP's on the Internet and on the internal server. Using a combination of source and destination masquerading, you can rewrite those IP addresses to match. The downside is you double the traffic on your internal network, but it enables you to provide services that are harder to NAT such as SIP traffic.

Read more for an example fix:


Stop Port Scans In Their Tracks With iptables

Published March 10, 2009, 11:05 am | by tony

Sure, there's a lot of tutorials out there for blocking SYN+FIN, christmas scans, etc.

But did you know that most of those won't help against a default nmap scan? Try it - block all the standard stealth scans, etc using something like the following:

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

You'll find that a simple nmap scan is still able to list all the ports available on the machine. Not that I'm telling you to not use the above code, in fact it's a good first step.

If someone is trying to find all open ports on your server, think about what's happening. They are randomly going around poking it in various places saying "Hey, who's there?". They poke to the tune of hundreds or even thousands of probes per second.