2002-04-03 11:43:58

by Andras Kis-Szabo

[permalink] [raw]
Subject: Re: ICMP time exceeded DNAT info leak ? (fwd)

James Morris ....................................... (2002. ?prilis 03.)

Hi!

> iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to 172.16.3.26:22

> pbi@exchange1:~$ sudo ./nmap -sS -P0 mymachine -p 22,23,666,667 -t 9
> Starting nmap V. 2.54BETA32 ( http://www.insecure.org/nmap/ )
> Interesting ports on mymachine:
> Port State Service
> 22/tcp open ssh
> 23/tcp filtered telnet
> 666/tcp UNfiltered doom DNAT to 192.168.8.10:22
> 667/tcp UNfiltered unknown DNAT to 192.168.26.10:22

You should try this (as a workaround):
iptables -t nat -A PREROUTING -p tcp --dport 666 -m ttl --ttl-gt 4 -j DNAT --to 172.16.3.26:22
iptables -t nat -A PREROUTING -m ttl --ttl-lt 5 -j LOG --log-prefix "Evil
hax0r "

(So it is not hardcoded as in IPFilter ... )

Regards,

kisza

--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
[email protected] /-----Member of the BUTE-MIS-SEARCHlab---------->