Fedora Linux Support Community & Resources Center
  #1  
Old 17th May 2006, 10:45 PM
pparks1 Offline
Registered User
 
Join Date: Mar 2004
Location: Westland, Michigan
Age: 40
Posts: 2,317
nmap and iptables

I'm missing something easy here, I'm sure somebody can point me in the right direction.

I'm trying to scan my FC5 box from another Linux machine on my network. I am using nmap -sT fedoracore5 and it just sits there forever. On the FC5 box, if I issue service iptables stop and then try nmap -sT fedoracore5 it comes back with an answer in less than 1 second. However, as soon as the firewall starts again, nmap no longer works.


So, it's clearly something in iptables stopping this from working. My iptables config is plain vanilla from the FC5 load.

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
__________________
RHCE and MCSE systems administrator
Registered Linux User #375155 For More Info or to register yourself

My Linux box is:
Ubuntu 8.04, Antec Sonata II case with 450-watt PS, AMD 64 X2 4600+ (65 watt), 4GB DDR2 800 RAM, 18X Lite-On DVD burner, Asus M2NPV-VM, Nvidia GeForce 7600GT (256MB), 320GB Western Digital SATA 3.0Gbps, Logitech MX-310, Dell 18" ultrasharp LCD, Microsoft Natural Ergonomic Keyboard 4000 and 2.1 Boston Acoustics sound system..
  #2  
Old 18th May 2006, 01:03 AM
Tashiro Offline
Retired Community Manager
 
Join Date: May 2004
Posts: 1,149
hello pparks1,

Nmap does work, press "t" to see the progress made so far.

Apparently the send delay is increased because all but one of the probes sent are getting dropped by iptables. See this by pressing "v". Try adding one firewall rule at a time to see what rule causes the probes to get dropped.

I hope this helps a bit.

Tashiro
__________________
Respect the FedoraForum.org guidelines
  #3  
Old 18th May 2006, 01:55 AM
pparks1 Offline
Registered User
 
Join Date: Mar 2004
Location: Westland, Michigan
Age: 40
Posts: 2,317
Wow, it finished, but it took 1667 seconds to complete. That's nearly 28 minutes.

Guess I just wasn't anticipating a delay of nearly 30 minutes. When I turn off iptables, the same command finishes in less than 1 second.
  #4  
Old 18th May 2006, 04:14 AM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 87
Posts: 1,657
One explanation might be the last rule:
Code:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
So for every probe, there is a return reply which will slow down nmap.
You could try to fire up ethereal and follow the traffic in real time.
__________________
Ziggy
  #5  
Old 18th May 2006, 06:06 AM
pparks1 Offline
Registered User
 
Join Date: Mar 2004
Location: Westland, Michigan
Age: 40
Posts: 2,317
Zigzagcom,

You were right, it was this rule.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I eliminated that from /etc/sysconfig/iptables and restarted iptables and was able to run the nmap query against the server in 0.328 seconds.

I wanted to understand exactly what was happening. I need to do some more reading on this particular rule, but at least I know what is happening. Thanks for your help.
  #6  
Old 18th May 2006, 06:52 AM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 87
Posts: 1,657
Here are some possible links of interest. There are pros and cons, but so far I haven't had problems with the reject rule.

http://isc.sans.org/diary.php?storyid=966
http://www.derkeiler.com/Newsgroups/...2-01/0768.html
http://cs.uccs.edu/~cs691/qa/index.html
  #7  
Old 18th May 2006, 11:15 PM
pparks1 Offline
Registered User
 
Join Date: Mar 2004
Location: Westland, Michigan
Age: 40
Posts: 2,317
From what I found today, you certainly don't want to ELIMINATE that rule completely. Otherwise, it pretty much allows anything inbound (which explains why nmap was working).

In a nutshell, that rule turns into the implicit deny. If it's not specifically allowed in a prior rule, that rule is going to stop it.

Just wanted to follow up so that somebody else doesn't mistakenly remove that rule for ever and wonder why everything can access their box.
  #8  
Old 18th May 2006, 11:27 PM
Tashiro Offline
Retired Community Manager
 
Join Date: May 2004
Posts: 1,149
I would very much like to read about it, where did you find the info?

Thanks.

Tashiro
  #9  
Old 19th May 2006, 05:31 AM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 87
Posts: 1,657
Tashiro, it is pretty much standard iptables syntax. There are several tables, which each contain chains. The filter table has the default INPUT chain, and with RedHat and Fedora there are no rules defined in it, but rather that the target of the INPUT chain jumps to the "user defined chain":
RH-Firewall-1-INPUT
What is a bit confusing, is that the default policy of the default INPUT chain is to ACCEPT all traffic, but its target is the user defined chain, which then has as the last rule the "REJECT" target. It could just as well have been "DROP". REJECT provides some message to the connecting client, that allows it to gracefully close a connection attempt, i.e., a SYN packet that otherwise would just hang, waiting for the ACK packet, for example. This follows RFC practices, but is the subject of some debate.
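As an added illustration of the two points above (pparks1's warning that the final REJECT is the implicit deny, and Ziggy's description of INPUT jumping into the user-defined chain), here is a small lint for iptables-save output. It is example code written for this thread, not part of FC5 or any tool; the sample rule set is an abridged copy of the config quoted in the first post, and `NO_REJECT` is a constructed variant with the last rule removed.

```python
# Added example: follow INPUT into the user-defined chain, list what it
# explicitly accepts, and report the terminal action (REJECT/DROP catch-all
# present, or INPUT's ACCEPT policy winning once that rule is gone).

# Constructed sample, abridged from the FC5 config quoted in this thread.
FC5_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed variant: the same rule set with the final REJECT removed.
NO_REJECT = FC5_RULES.replace(
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n", "")

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule tokens]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            tokens = line.split()
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return policies, chains

def target(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def audit_input(text):
    """Return (effective chain, terminal action, sorted proto/port accepted)."""
    policies, chains = parse_filter(text)
    chain = "INPUT"
    for rule in chains["INPUT"]:
        if target(rule) in chains:               # jump into a user-defined chain
            chain = target(rule)
            break
    rules = chains[chain]
    # A catch-all terminal rule has no match options, so its tokens start with -j.
    catch_all = rules[-1][0] == "-j" and target(rules[-1]) in ("REJECT", "DROP")
    terminal = target(rules[-1]) if catch_all else policies["INPUT"]
    accepted = sorted(f"{r[r.index('-p') + 1]}/{r[r.index('--dport') + 1]}"
                      for r in rules if target(r) == "ACCEPT" and "--dport" in r)
    return chain, terminal, accepted
```

Run `audit_input` on real `iptables-save` output and a terminal action of ACCEPT means the box is open by default, exactly the state pparks1 describes after deleting the rule.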