On Fri, Dec 27, 2002 at 08:04:08AM -0200, William da Rocha Lima wrote:
> Rules for blocking nmap the scan..

There's no way to completely block such a scan if you NEED to have some ports open, say for an email server (smtp, port 25) or web server (port 80).

It looks like you can, at least, block an nmap 'NULL' scan though, by using the 'unclean' match support in netfilter. Make sure you have CONFIG_IP_NF_MATCH_UNCLEAN set to Y or M in the kernel config, and then simply use a couple of rules:

    iptables -A INPUT -i eth1 --match unclean -j LOG --log-level info --log-prefix "fwd-unclean "
    iptables -A INPUT -i eth1 --match unclean -j DROP

Be sure to replace eth1 with your external interface.

This fooled an nmap -sN scan into thinking all ports were open, and it failed miserably to guess the OS type with the -O option. Note that a normal SYN scan (-sS) still works, as I said, if you have a few ports open.

Be aware that the 'unclean' match could possibly match on some valid packets and block legitimate traffic. I've only just started using it now and will be keeping an eye on things.

HTH,

-Ath

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
Attachment:
pgp00232.pgp
Description: PGP signature
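Added example (editor's code, not part of the original post and not netfilter's ipt_unclean implementation): the 'unclean' match used above was an experimental module that later kernels dropped, so this reimplements the one part of it the post relies on, rejecting TCP segments with flag combinations no legitimate stack sends (a NULL probe has none set), in the (mask, value) shape that the standard `-p tcp --tcp-flags MASK COMP` rules use as its usual replacement. It parses constructed 20-byte TCP headers, lists which bogus-flags rule each one trips, and then simulates how nmap -sN reads the result with and without the firewall dropping the probes, which is why every port came back as open in the post. The rule strings in the comments and all header bytes are my own assumptions, built inline.

```python
import struct

# TCP flag bits: low byte of the 16-bit data-offset/flags word (RFC 793, ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
NS = 1 << 8
RESERVED_MASK = 0x0E00          # the three bits between data offset and NS; must be zero
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

# (mask, value, description). A segment trips a rule when flags & mask == value.
# The iptables text in each description is the conventional --tcp-flags equivalent (my assumption).
BOGUS_FLAG_RULES = [
    (0xFF,      0,         "NULL scan, no flags set      (--tcp-flags ALL NONE)"),
    (SYN | FIN, SYN | FIN, "SYN+FIN                      (--tcp-flags SYN,FIN SYN,FIN)"),
    (SYN | RST, SYN | RST, "SYN+RST                      (--tcp-flags SYN,RST SYN,RST)"),
    (FIN | RST, FIN | RST, "FIN+RST                      (--tcp-flags FIN,RST FIN,RST)"),
    (ACK | FIN, FIN,       "FIN without ACK (FIN scan)   (--tcp-flags ACK,FIN FIN)"),
    (ACK | PSH, PSH,       "PSH without ACK              (--tcp-flags ACK,PSH PSH)"),
    (ACK | URG, URG,       "URG without ACK              (--tcp-flags ACK,URG URG)"),
    (ALL_SIX,   ALL_SIX,   "Xmas, all six flags set      (--tcp-flags ALL ALL)"),
]


def parse_tcp_header(hdr: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; any options after it are ignored."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(hdr))
    sport, dport, seq, ack, off_flags, window, csum, urg_ptr = struct.unpack("!HHIIHHHH", hdr[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,      # header length in bytes, 20..60
        "reserved": off_flags & RESERVED_MASK,
        "flags": off_flags & 0x01FF,               # NS plus the eight classic flags
        "window": window, "checksum": csum, "urg_ptr": urg_ptr,
    }


def bogus_flag_reasons(flags: int) -> list:
    """Names of every bogus-flags rule the flag byte matches; empty for a clean segment."""
    return [desc for mask, value, desc in BOGUS_FLAG_RULES if flags & mask == value]


def is_unclean(hdr: bytes) -> bool:
    """True if a bogus-flags/unclean style rule set would drop this header."""
    h = parse_tcp_header(hdr)
    if h["data_offset"] < 20:      # a data offset below 5 words cannot hold the fixed header
        return True
    if h["reserved"]:              # reserved bits set: never produced by a real stack
        return True
    return bool(bogus_flag_reasons(h["flags"]))


def make_tcp_header(sport: int, dport: int, flags: int, data_offset_words: int = 5) -> bytes:
    """Constructed sample header for the examples (checksum left zero, not for sending)."""
    off_flags = (data_offset_words << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 1024, 0, 0)


def null_scan_verdict(probe_dropped: bool, port_open: bool) -> str:
    """How nmap -sN reads one probe. A RST means closed; silence means open|filtered.
    Without a firewall a closed port answers a NULL segment with RST, while a LISTENing
    socket discards it silently (RFC 793), so nmap can only say open|filtered."""
    if probe_dropped:
        return "open|filtered"
    return "open|filtered" if port_open else "closed"


def scan_result(ports, open_ports, firewall_drops_unclean: bool) -> dict:
    """Simulate a NULL scan of `ports`, optionally behind a rule set that drops unclean segments."""
    result = {}
    for p in ports:
        probe = make_tcp_header(40000, p, 0)                 # -sN probe: no flags at all
        dropped = firewall_drops_unclean and is_unclean(probe)
        result[p] = null_scan_verdict(dropped, p in open_ports)
    return result


if __name__ == "__main__":
    for name, flags in [("NULL", 0), ("SYN", SYN), ("FIN", FIN), ("Xmas", FIN | PSH | URG)]:
        print("%-5s flags=0x%02x -> %s" % (name, flags, bogus_flag_reasons(flags) or "clean"))
    print("no firewall :", scan_result([22, 25, 80], {25, 80}, False))
    print("unclean drop:", scan_result([22, 25, 80], {25, 80}, True))
```

The second scan_result line is the effect the post describes: once the NULL probes never reach the stack, port 22 stops answering with RST and nmap lists it as open|filtered along with the genuinely open ones. A SYN probe trips none of these rules, which is also why -sS keeps working against whatever ports you must leave open.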