Re: ICMP time exceeded DNAT info leak ? (fwd)

Andras Kis-Szabo (kisza@securityaudit.hu)
Wed, 3 Apr 2002 13:42:41 +0200


James Morris ....................................... (2002. április 03.)

Hi!

> iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to 172.16.3.26:22

> pbi@exchange1:~$ sudo ./nmap -sS -P0 mymachine -p 22,23,666,667 -t 9
> Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
> Interesting ports on mymachine:
> Port State Service
> 22/tcp open ssh
> 23/tcp filtered telnet
> 666/tcp UNfiltered doom DNAT to 192.168.8.10:22
> 667/tcp UNfiltered unknown DNAT to 192.168.26.10:22

You should try this (as a workaround):
iptables -t nat -A PREROUTING -p tcp --dport 666 -m ttl --ttl-gt 4 -j DNAT --to 172.16.3.26:22
iptables -t nat -A PREROUTING -m ttl --ttl-lt 5 -j LOG --log-prefix "Evil
hax0r "

(So it is not hardcoded as in IPFilter ... )

Regards,

kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/        Zorp, NetFilter and IPv6
 kisza@SecurityAudit.hu /-----Member of the BUTE-MIS-SEARCHlab---------->
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/