2

I'm not talking about just blocking ports.

I remember finding a host where, when I ran a normal TCP scan (`nmap hostname`), nmap wouldn't return any meaningful results. It was having problems with timeouts. If I set the timeout value to something pretty low and set `--max-retries 0`, then it would work.

Does anyone know of any iptables rulesets that cause problems for nmap?

Rook

3 Answers

4

Yes. I don't remember the exact detail, but go look for a 'question' (actually, a Community Wiki) from me with the title "iptables Tips & Tricks". There, you can find an iptables rule specifically designed to stump nmap.

In addition, I deploy a TARPIT target in the INPUT chain. TARPIT basically 'traps' anyone trying to open a TCP connection by allowing the TCP three-way handshake, but afterwards locking the TCP Window Size to 0 and dropping all states regarding that connection in the firewall. The host that has tried to open a port is now trapped: connection is made, but it can't send anything, and since it never receives a FIN or a RST, it is stuck in TCP-Established state until TCP timeout*. Meanwhile, the firewall just chugs along merrily, since it has dropped all states of that connection, so no resource is being used.

A combination of both successfully stumped all kinds of portscanners. They die when they touch my firewall :)

* TCP timeout is a lot longer than TCP SYN timeout. About three orders of magnitude longer, IIRC. Thus, portscanners will run extremely slowly as their threads get stuck waiting for the TCP timeout.

pepoluan

Here is the community wiki you mentioned: [iptables Tips & Tricks](http://serverfault.com/questions/245711/iptables-tips-tricks) – Handyman5 Jul 13 '11 at 15:14
2

If you want to prevent a host from SYN scans you can use 2 methods:

  1. Trap Method:

    # SYNs to ports 23 and 79: the limit match passes a burst of 6, then 3 per minute;
    # each packet it passes records its source in the "blacklist" list and is dropped
    iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 6 -m recent --name blacklist --set -j DROP

    # anything further from a source that is already on the list is dropped
    iptables -A INPUT -m recent --rcheck --name blacklist -j DROP

  2. Normal way:

    # any SYN within the limit (7 per second): record its source in "blacklist" and drop it
    iptables -A INPUT -p tcp --syn -m limit --limit 7/s -m recent --name blacklist --set -j DROP

    # anything further from a listed source is dropped
    iptables -A INPUT -m recent --rcheck --name blacklist -j DROP

If you want to prevent your host from FIN, ACK, Xmas or other scans, tell me and I'll update my answer.

Amirreza
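As an added example (not code from any answer above), the two ideas in the answers combined into one reviewable script: the `recent` module records sources that send SYNs to closed ports, and sources that keep doing it are handed to the TARPIT target instead of a plain DROP. It assumes xtables-addons is installed (that is where TARPIT comes from), treats `OPEN_PORTS` and the list name `portscan` as placeholders, and only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. It combines the two ideas
# above: the recent module to spot a source probing closed ports (Amirreza's
# blacklist) and the TARPIT target (pepoluan's) for sources that keep probing.
# Assumptions: xtables-addons is installed (it provides TARPIT), OPEN_PORTS is a
# placeholder for the TCP services this host really serves, and nothing is applied
# unless APPLY=1 is set; by default the rules are only printed for review.
APPLY="${APPLY:-0}"
OPEN_PORTS="22,443"

# Run iptables, or print the command when previewing (APPLY unset or not 1).
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

portscan_rules() {
    # Do not create a conntrack entry for SYNs to ports we do not serve: that is
    # how the firewall keeps no state for the connections it tarpits.
    ipt -t raw -A PREROUTING -p tcp --syn -m multiport ! --dports "$OPEN_PORTS" -j CT --notrack
    ipt -A INPUT -i lo -j ACCEPT
    # A source recorded 3 or more times in the last 10 minutes is a scanner: every
    # TCP packet it sends is tarpitted. This sits before the ACCEPT rules on
    # purpose, so the scanner's follow-up packets never reach the local stack, and
    # --update keeps extending the 10-minute window while it is stuck.
    ipt -A INPUT -p tcp -m recent --name portscan --update --seconds 600 --hitcount 3 -j TARPIT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --syn -m multiport --dports "$OPEN_PORTS" -j ACCEPT
    # Only SYNs to closed ports get this far: log them (rate limited), then
    # record the source in the "portscan" list and drop the probe.
    ipt -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix closed_port_syn:
    ipt -A INPUT -p tcp --syn -m recent --name portscan --set -j DROP
    # Non-SYN probes (ACK, FIN, Xmas and the like) from unlisted sources are dropped.
    ipt -A INPUT -j DROP
}

portscan_rules
```

Once a source is listed it stays tarpitted until ten minutes pass without any TCP from it, so a mistyped port from your own workstation locks you out just like a scanner; the current list can be read from `/proc/net/xt_recent/portscan`.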
1

You might find this interesting, it describes how to detect and block portscans in realtime.

Lucas Kauffman