Blocking nmap scans with iptables and packet filter
Requirements
- iptables
- packet filter
#!/bin/bash
#=====================
# Enable IP forwarding (only needed if this host routes traffic for other
# machines; to protect the host itself it can stay at 0)
#---------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#=====================
# Flush the existing rules. This does not change the chain policies, so
# anything not matched by a rule below is still ACCEPTed by default.
#---------------------
/sbin/iptables -F
/sbin/iptables -t nat -F
#=====================
# Start blocking. Packets that belong to a connection conntrack already
# knows are accepted first; packets conntrack cannot classify are dropped.
#---------------------
/sbin/iptables -t filter -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP
# --tcp-flags MASK COMP looks only at the bits in MASK and requires exactly
# the bits in COMP to be set among them. The chain is evaluated top to
# bottom and the first match wins: the three rules right below catch every
# packet with FIN, PSH or URG set and ACK clear, so the ALL-mask rules
# further down whose pattern also has ACK clear (SYNFIN-SCAN, NMAP-XMAS-SCAN,
# FIN-SCAN, NMAP-ID) are never reached; those probes are dropped here and
# logged with the FIN:/PSH:/URG: prefix instead.
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# All six flags set
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# No flags set (nmap -sN)
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# SYN and FIN together never occur in a legitimate segment
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN and RST together (each rule gets its own prefix so the logs can be told apart)
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 3: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
# nmap -sX sets exactly FIN, PSH and URG
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
# nmap -sF sets exactly FIN
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Caveat: none of these rules matches a plain SYN, so the default SYN scan
# (nmap -sS) looks exactly like a normal connection attempt and is not
# blocked. Flag-based rules only stop the exotic scan types; closing the
# port or rate-limiting new connections is what hides an open service.
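To see what the rule list above actually catches, the following Python script (an added example, not code from the original post) emulates the `--tcp-flags MASK COMP` match over the rules in the order the script appends them to INPUT, works out which rules can never fire because an earlier rule already matches every packet they describe, and runs the flag sets nmap uses for its scan types through the chain. Python stands in for a live iptables host so it can be run anywhere without root; it models only the `--tcp-flags` rules, not the state/conntrack rules, and the per-scan flag sets are taken from nmap's documented scan types rather than from a capture.

```python
"""Emulate iptables `--tcp-flags MASK COMP` matching over the rule list from
the script above, in the order it is appended to INPUT, to (a) find rules
that can never fire because an earlier rule shadows them and (b) see which
nmap scan types the chain actually drops.  Added example, not code from the
original post; flag values come from the TCP header, the per-scan flag sets
from nmap's documented probe types (no captured traffic involved)."""

# TCP header flag bits (RFC 793).  iptables' "ALL" covers exactly these six.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_SIX = sum(FLAGS.values())  # 0x3F


def to_bits(spec):
    """Convert an iptables flag spec ("SYN,FIN", "ALL", "NONE") to a bitmask."""
    if spec == "ALL":
        return ALL_SIX
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """`--tcp-flags MASK COMP`: look only at the bits in MASK and require
    exactly the bits in COMP to be set among them."""
    return (packet_flags & to_bits(mask)) == to_bits(comp)


# (mask, comp, description) in the order the script appends them.  iptables
# walks a chain top to bottom and the first terminating match wins.
RULES = [
    ("ACK,FIN", "FIN",                 "FIN set without ACK"),
    ("ACK,PSH", "PSH",                 "PSH set without ACK"),
    ("ACK,URG", "URG",                 "URG set without ACK"),
    ("ALL",     "ALL",                 "all six flags set"),
    ("ALL",     "NONE",                "no flags set (NULL scan)"),
    ("ALL",     "SYN,RST,ACK,FIN,URG", "SYN,RST,ACK,FIN,URG"),
    ("SYN,FIN", "SYN,FIN",             "SYN and FIN together"),
    ("FIN,RST", "FIN,RST",             "FIN and RST together"),
    ("ALL",     "SYN,FIN",             "exactly SYN,FIN"),
    ("ALL",     "URG,PSH,FIN",         "exactly URG,PSH,FIN (nmap -sX)"),
    ("ALL",     "FIN",                 "exactly FIN (nmap -sF)"),
    ("ALL",     "URG,PSH,SYN,FIN",     "exactly URG,PSH,SYN,FIN"),
    ("SYN,RST", "SYN,RST",             "SYN and RST together"),
]


def first_match(packet_flags):
    """Index of the first rule that matches, or None when the packet falls
    through every --tcp-flags rule (it is then NOT dropped by this chain)."""
    for i, (mask, comp, _) in enumerate(RULES):
        if tcp_flags_match(packet_flags, mask, comp):
            return i
    return None


def dead_rules():
    """Rules no packet can ever reach: over all 64 combinations of the six
    flags an earlier rule already matched.  Their LOG prefixes never appear,
    so the logs mislabel the scan that was dropped."""
    reached = {first_match(f) for f in range(ALL_SIX + 1)}
    return [desc for i, (_, _, desc) in enumerate(RULES) if i not in reached]


# Flags nmap sets in its probe for each scan type (constructed from nmap's
# documented scan types, not from a packet capture).
NMAP_PROBES = {
    "-sS SYN":    to_bits("SYN"),
    "-sA ACK":    to_bits("ACK"),
    "-sN NULL":   to_bits("NONE"),
    "-sF FIN":    to_bits("FIN"),
    "-sX Xmas":   to_bits("FIN,PSH,URG"),
    "-sM Maimon": to_bits("FIN,ACK"),
}


def audit():
    """Map each nmap scan type to the description of the rule that drops its
    probe, or None when the probe sails through.  A SYN probe is identical
    to a legitimate connection attempt, so no flag rule can single it out."""
    result = {}
    for name, flags in NMAP_PROBES.items():
        i = first_match(flags)
        result[name] = None if i is None else RULES[i][2]
    return result


if __name__ == "__main__":
    for name, hit in audit().items():
        print(f"{name:10s} -> {hit or 'not matched by any --tcp-flags rule'}")
    print("rules that can never fire:", dead_rules())
```

Running it shows that SYN, ACK and Maimon probes are not matched by any rule, that FIN and Xmas probes are dropped by the very first rule (so the kernel log carries the `FIN: ` prefix, never `FIN-SCAN: ` or `NMAP-XMAS-SCAN: `), and that the four ALL-mask rules whose pattern has ACK clear are unreachable. This is why a default `nmap` run, as in the comment below, still lists the open ports: the chain does nothing to a plain SYN.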
Hello my friend, I tried it, but it still lets the ports be scanned; for example, if I do:
root@asterisk1:~# nmap -v -f 192.168.1.105
Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-06 11:37 CST
Initiating ARP Ping Scan at 11:37
Scanning 192.168.1.105 [1 port]
Completed ARP Ping Scan at 11:37, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:37
Completed Parallel DNS resolution of 1 host. at 11:37, 0.05s elapsed
Initiating SYN Stealth Scan at 11:37
Scanning 192.168.1.105 [1000 ports]
Discovered open port 80/tcp on 192.168.1.105
Discovered open port 22/tcp on 192.168.1.105
Discovered open port 111/tcp on 192.168.1.105
Completed SYN Stealth Scan at 11:37, 0.02s elapsed (1000 total ports)
Nmap scan report for 192.168.1.105
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 38:60:77:55:A6:2B (Pegatron)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)
I have tried several kinds of rules but they do not help me prevent the scan. I have not tried snort yet, but from what I can see it is a possible solution. Looking forward to your comments.
Best regards