Log from #iptables at freenode 2006-05-17
[16:03]<drwygn>simonrvn: sorry...
[16:03]<sydjgzvg>bah, you dont even have a help
[16:04]<sydjgzvg>don't
[16:04]<rrfmmjwg>:p
[16:04]<rrfmmjwg>iptables --rate-limit on her
[16:04]<rrfmmjwg>er burst-limit
[20:17]<rrffnn>is it possible to hit packets for a specific port both tcp AND udp?
[20:17]<rrffnn>i mean OR of course
[20:17]<rrffnn>like iptables --dport 222 -j ACCEPT (matching tcp 222 and udp 222)
[20:18]<dzzyjjfyvnyzz>yes sir
[20:18]<dzzyjjfyvnyzz>and icmp
[20:19]<rrffnn>mariooliveira: and how?
[20:19]<rrffnn>as icmp doesnt need a port that shouldnt be a problem
[20:19]<rrffnn>the above rule has a syntax error
[20:19]<rrffnn>so whats the correct syntax
[20:19]<dzzyjjfyvnyzz>you can ping a port
[20:19]<dzzyjjfyvnyzz>i think
[20:20]<rrffnn>mariooliveira: no you cant, as icmp is ip protocol such as tcp and udp. icmp is ip level only
[20:22]<dzzyjjfyvnyzz>my firewall dont allow any pings because i dont have any icmp allow
[20:23]<rrffnn>mariooliveira: well, thats just stupid, you probably want to restrict only some of icmp but never all, as there are useful icmp messages which you probably need in case you are using nat
[20:24]<rrffnn>redirects/echo-requests etc. can and should be blocked in a non-corporate network (corporate networks may need it, depending on the setup)
[20:25]<rrffnn>anyway, blocking echo-requests just helps to save very few bandwidth nothing more, dropping it doesnt stealthen you (this is a major superstition many people believe in)
[20:27]<dzzyjjfyvnyzz>a hacker can test which ports you have open with that
[20:27]<rrffnn>mariooliveira: nope
[20:28]<rrffnn>icmp-echo-request is just good for "hackers" to detect which hosts are up and which not. This applies for both those that block it and those that dont
[20:30]<dzzyjjfyvnyzz>so which ports do i have open on my server 82.155.202.96?
[20:31]<rrffnn>mariooliveira: scanning is mostly done with udp packets
[20:31]<rrffnn>shall i do it?
[20:32]<dzzyjjfyvnyzz>wait a bit i have to remove some iptables i
[20:33]<rrffnn>ok
[20:33]<rrffnn>tell me when you're ready
[20:47]<dzzyjjfyvnyzz>you are right that icmp uses tcp
[20:51]<dzzyjjfyvnyzz>i tried to block all icmp and i still can see the open ports i think you are right
[20:55]<dzzyjjfyvnyzz>hum how the hell do i disable from anyone seeing my open ports?
[20:57]<rrffnn>mariooliveira: the thing is you cant
[20:57]<rrffnn>not as long as the ports are open for a reason
[20:57]<dzzyjjfyvnyzz>i see
[20:58]<rrffnn>mariooliveira: there is a good strategy to block portscans
[20:58]<dzzyjjfyvnyzz>how?
[20:58]<rrffnn>at least non-distributed
[20:58]<dzzyjjfyvnyzz>non-distributed??
[20:59]<rrffnn>look at the ipt_recent module. portscans can be detected by multiple requests to closed ports (as well as to open ones, but we dont care about the open ones now) in a short amount of time
[21:00]<rrffnn>distributed portscans are portscans originated from many different ips. lets say you have access to a zombie-farm and scan all ports from different boxes
[21:01]<dzzyjjfyvnyzz>i see
[21:01]<rrffnn>those are hard to detect and yet much harder to counteract (there is not much you can do but close your whole connection)
[21:02]<dzzyjjfyvnyzz>there is a trick too: limit ip sources so the hacker has to make a port scan from a short range of ips
[21:02]<rrffnn>mariooliveira: ?
[21:03]<dzzyjjfyvnyzz>i mean make an and rule that allows incoming from a short range of ips
[21:04]<rrffnn>mariooliveira: that will restrict access to that port to that range, in many cases this is useless (i.e for webservers)
[21:05]<dzzyjjfyvnyzz>like this iptables -A INPUT -p tcp -s 85.123.0.0/16 --dport 10000 -j ACCEPT
[21:05]<dzzyjjfyvnyzz>let me test another trick
[21:06]<rrffnn>yes, but as i said, if you want someone from another range to access that service you've got a problem.
[21:06]<rrffnn>this works sometimes for static vpn connections
[21:06]<dzzyjjfyvnyzz>yes
[21:07]<rrffnn>however i usually tunnel via openvpn home from various locations (sometimes even through http proxies) so that will not work for me
[21:09]<dzzyjjfyvnyzz>wait a bit i might have a small solution against port scans
[21:18]<dzzyjjfyvnyzz>testing now
[21:18]<rrffnn>i was not finished, i just forgot that my iptables version doesnt yet support ipv6-stateful-filtering
[21:18]<rrffnn>how much did you receive?
[21:20]<dzzyjjfyvnyzz>wait im not ready yet
[21:24]<dzzyjjfyvnyzz>forget doent work
[21:24]<drwygn>mariooliveira, I didn't have anything matching doent work
[21:25]<dzzyjjfyvnyzz>i had to reboot my server
[21:25]<rrffnn>mariooliveira: huh?
[21:25]<dzzyjjfyvnyzz>im nuts
[21:25]<dzzyjjfyvnyzz>lol
[22:09]<zdrg`>is there anyway to DNAT and forward a broadcast packet?
[22:10]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[22:11]<vzrllysv>you mean rebroadcast it?
[22:13]<wjjmmwjjmlnacnz>-m pkttype broadcast -j DNAT ...
[22:14]<drvvx_>I don't think the stack will want to route that
[22:15]<drvvx_>I don't have yet the code to point that out
[23:47]<rrffnn>ryan`: look for broadcast relay or bcrelay
[23:48]<rrffnn>however, i never got that thing really working, but it was written to do what you want
[23:48]<rrffnn>http://packages.debian.org/unstable/net/bcrelay
[23:48]<rrffnn>dunno the original site