James Morris ....................................... (2002. április 03.)
Hi!
> iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to 172.16.3.26:22
> pbi@exchange1:~$ sudo ./nmap -sS -P0 mymachine -p 22,23,666,667 -t 9
> Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
> Interesting ports on mymachine:
> Port State Service
> 22/tcp open ssh
> 23/tcp filtered telnet
> 666/tcp UNfiltered doom DNAT to 192.168.8.10:22
> 667/tcp UNfiltered unknown DNAT to 192.168.26.10:22
You should try this (as a workaround):
iptables -t nat -A PREROUTING -p tcp --dport 666 -m ttl --ttl-gt 4 -j DNAT --to 172.16.3.26:22
iptables -t nat -A PREROUTING -m ttl --ttl-lt 5 -j LOG --log-prefix "Evil
hax0r "
(So it is not hardcoded as in IPFilter ... )
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
kisza@SecurityAudit.hu /-----Member of the BUTE-MIS-SEARCHlab---------->
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Apr 07 2002 - 22:00:10 EST