Re: Prevent traceroutes

On 5/20/05, Taylor, Grant <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> > looking at that response--there's a situation screaming for a custom
> > chain:
> >
> >   iptables -N DROP_TRACE
> >   iptables -A DROP_TRACE -p udp --dport 33434:33523 -j DROP
> >   iptables -A DROP_TRACE -p icmp --icmp-type 8 -m ttl --ttl-lt 5 -j DROP
> >
> >   iptables -A INPUT -j DROP_TRACE
> >   iptables -A FORWARD -j DROP_TRACE
> 
> I don't think that I could agree more about the need for a new chain.  I think I'd be tempted to do my match a bit differently though.
> 
> iptables -t filter -A DROP_TRACE -o eth0 -p udp -m recent --name Drop_Traceroute --update --seconds 200 --rdest -j DROP
> iptables -t filter -A DROP_TRACE -o eth0 -p udp -m recent --name Drop_Traceroute --set --rdest -m ttl --ttl-eq 1 -j DROP
> iptables -t filter -A DROP_TRACE -o eth0 -p icmp -m recent --name Drop_Traceroute --update --seconds 200 --rdest -j DROP
> iptables -t filter -A DROP_TRACE -o eth0 -p icmp -m recent --name Drop_Traceroute --set --rdest -m ttl --ttl-eq 1 -j DROP
> 
> This should match any traffic (UDP or ICMP) that is leaving your network with a TTL of 1, which *should* be the first packet in a traceroute that your firewall / router would see.  Seeing as how this should match any traceroute traffic, you should be able to change the DROP target to anything else that you would want to redirect the traffic out some other interface, be it via the ROUTE target or the MARK target in conjunction with ip routes.
> 
> The only thing that I have not figured out as of yet is how to DROP the first packet that the firewall sees, as every attempt that I made, even a DROP policy on the FORWARD and OUTPUT chain, did not block the first "TTL Time Exceeded" response.

Thanks Taylor, I followed Jayson's example and it worked for Windows.
It blocked the first three or four hops in most of my tests. I'll try your
rules as well but I first want to read up on the recent match. I don't
like using something I don't understand properly.

Regards

> Grant. . . .


-- 

Kenneth Kalmer
kenneth.kalmer@xxxxxxxxx
http://opensourcery.blogspot.com
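A small Python model of how the recent-match rules quoted above behave, added here as an illustration and not code from the thread or from the netfilter project: it keys the table on the destination address (--rdest), enforces the 200-second window, and walks the four rules in the order Grant listed them. Timestamps and addresses are constructed; it does not model the TTL decrement a real router performs between PREROUTING and FORWARD.

```python
from dataclasses import dataclass
RECENT_SECONDS = 200  # --seconds 200 in the quoted rules

@dataclass
class Packet:
    ts: float    # constructed timestamp in seconds
    proto: str   # "udp" or "icmp"
    dst: str     # destination address, which --rdest keys the table on
    ttl: int
    dport: int = 0
class RecentList:
    """Minimal model of one xt_recent table used with --rdest (keyed by destination)."""
    def __init__(self):
        self.last_seen = {}  # dst -> timestamp of the last matching packet

    def update(self, pkt, seconds):
        """--update --seconds N: match only if dst is listed and seen within N s; refresh."""
        last = self.last_seen.get(pkt.dst)
        if last is None or pkt.ts - last > seconds:
            return False
        self.last_seen[pkt.dst] = pkt.ts
        return True

    def set(self, pkt):
        """--set: add or refresh dst in the table; always matches."""
        self.last_seen[pkt.dst] = pkt.ts
        return True

def drop_trace_verdict(pkt, recent):
    """Walk the four quoted rules in order; 'ACCEPT' means the chain fell through."""
    if pkt.proto not in ("udp", "icmp"):
        return "ACCEPT"
    if recent.update(pkt, RECENT_SECONDS):  # rules 1 and 3: tracked dst, still inside window
        return "DROP"
    if pkt.ttl == 1:                        # rules 2 and 4: first probe, start tracking dst
        recent.set(pkt)
        return "DROP"
    return "ACCEPT"

def run(packets):
    recent = RecentList()
    return [drop_trace_verdict(p, recent) for p in packets]
SAMPLE = [  # constructed: a traceroute toward 198.51.100.7, plus unrelated traffic
    Packet(0.0, "udp", "198.51.100.7", 1, dport=33434),    # hop-1 probe: recorded, DROP
    Packet(1.0, "udp", "198.51.100.7", 2, dport=33435),    # hop-2 probe: tracked, DROP
    Packet(2.0, "udp", "198.51.100.7", 3, dport=33436),    # hop-3 probe: tracked, DROP
    Packet(3.0, "udp", "203.0.113.9", 64, dport=53),       # DNS to another host: ACCEPT
    Packet(100.0, "udp", "198.51.100.7", 64, dport=443),   # ordinary traffic, same dst: DROP
    Packet(350.0, "udp", "198.51.100.7", 64, dport=443),   # 250 s after last match: ACCEPT
]
```

Note the fifth packet: because the --update rule comes first, every later UDP or ICMP packet to a tracked destination is dropped for the whole window, not only the probes, and each such drop refreshes the timer.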