
View the full version: icmp bloking ...



Kronos
03-05-2004, 02:40
Hi to all, I have a little problem: how can I filter this ICMP without compromising the ISP's ping to scan DHCP, and other ISP stuff to keep up my connection?

192.168.1.1
Hostname: my.router
UDP ports (83) 7,9,11,53,67,68,111,123,135,137,... and so on ...

______________________________________________

Total live hosts discovered 1
Total open TCP ports 0
Total open UDP ports 83

I have used SuperScan4 from http://www.foundstone.com

with TCP port scan SYN and UDP port scan data + ICMP.

Another question is how can I change the router host ... ? nvram /tmp/boot...="echo 192.168.1.1 kronos > hosts" ? I have put that in hosts, but when I http://kronos ... error ...

my iptables conf:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:22 flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:80
DROP tcp -- anywhere anywhere tcp dpt:23

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
LOG tcp -- anywhere anywhere tcp dpt:515 LOG level warning prefix `DROP'
DROP tcp -- anywhere anywhere tcp dpt:515
LOG tcp -- anywhere 192.168.1.1 tcp dpt:80 LOG level warning prefix `DROP'
DROP tcp -- anywhere 192.168.1.1 tcp dpt:80
LOG tcp -- anywhere 127.0.0.1 tcp dpt:80 LOG level warning prefix `DROP'
DROP tcp -- anywhere 127.0.0.1 tcp dpt:80
LOG tcp -- anywhere 192.168.1.1 tcp dpts:20:23 LOG level warning prefix `DROP'
DROP tcp -- anywhere 192.168.1.1 tcp dpts:20:23
LOG tcp -- anywhere 127.0.0.1 tcp dpts:20:23 LOG level warning prefix `DROP'
DROP tcp -- anywhere 127.0.0.1 tcp dpts:20:23
LOG tcp -- anywhere 192.168.1.1 tcp dpts:9100:9110 LOG level warning prefix `DROP'
DROP tcp -- anywhere 192.168.1.1 tcp dpts:9100:9110
LOG tcp -- anywhere 127.0.0.1 tcp dpts:9100:9110 LOG level warning prefix `DROP'
DROP tcp -- anywhere 127.0.0.1 tcp dpts:9100:9110
LOG tcp -- anywhere 127.0.0.1 tcp dpts:9100:9110 LOG level warning prefix `DROP'
DROP tcp -- anywhere 127.0.0.1 tcp dpts:9100:9110
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-reply
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
LOG tcp -- 192.168.1.1 anywhere tcp dpt:515 LOG level warning prefix `DROP'
DROP tcp -- 192.168.1.1 anywhere tcp dpt:515
LOG tcp -- 127.0.0.1 anywhere tcp spts:20:23 LOG level warning prefix `DROP'
DROP tcp -- 127.0.0.1 anywhere tcp spts:20:23
LOG tcp -- 192.168.1.1 anywhere tcp spts:20:23 LOG level warning prefix `DROP'
DROP tcp -- 192.168.1.1 anywhere tcp spts:20:23
LOG tcp -- 192.168.1.1 anywhere tcp spts:9100:9110 LOG level warning prefix `DROP'
DROP tcp -- 192.168.1.1 anywhere tcp spts:9100:9110
LOG tcp -- 127.0.0.1 anywhere tcp spts:9100:9110 LOG level warning prefix `DROP'
DROP tcp -- 127.0.0.1 anywhere tcp spts:9100:9110
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-reply
LOG icmp -- anywhere anywhere icmp redirect LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere icmp echo-reply LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-reply
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp spt:515
DROP tcp -- anywhere anywhere tcp spts:9100:9110
DROP tcp -- anywhere anywhere tcp spts:2600:2610
DROP tcp -- anywhere anywhere tcp spt:80
DROP tcp -- anywhere anywhere tcp spt:23

Sérgio Machado
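
An added example, not part of the original post: iptables walks each chain top to bottom and stops at the first terminating rule, so this sketch parses a shortened excerpt of the listing above and reports rules that an earlier rule already covers. The function names are hypothetical, and it assumes the listing shows every match condition; plain `iptables -L` omits the interface columns that `iptables -L -v` prints, so a finding is a prompt to recheck with `-v`.

```python
import re

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
RULE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s*(.*)$")

# Shortened excerpt of the listing in the post (rule lines kept verbatim).
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning prefix `DROP'
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
"""

def covers(earlier, later):
    """True if every packet matching `later` would also match `earlier`."""
    (e_prot, e_src, e_dst, e_opts), (l_prot, l_src, l_dst, l_opts) = earlier, later
    return (e_prot in ("all", l_prot) and e_src in ("anywhere", l_src)
            and e_dst in ("anywhere", l_dst) and l_opts[:len(e_opts)] == e_opts)

def shadowed_rules(listing):
    """Return (chain, rule_no, shadowing_rule_no) for rules that can never match."""
    findings, chain, seen, no = [], None, [], 0
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain, seen, no = line.split()[1], [], 0
            continue
        m = RULE.match(line.strip())
        if not m:
            continue  # column header or blank line
        no += 1
        target, prot, src, dst, opts = m.groups()
        match = (prot, src, dst, opts.split())
        hit = next((n for n, earlier in seen if covers(earlier, match)), None)
        if hit is not None:
            findings.append((chain, no, hit))
        if target in TERMINATING:  # LOG does not stop rule traversal
            seen.append((no, match))
    return findings

if __name__ == "__main__":
    for chain, no, by in shadowed_rules(LISTING):
        print(f"{chain} rule {no} is unreachable: rule {by} already decides it")
```

In the excerpt, the rate-limited echo-request ACCEPT in FORWARD never fires because the unconditional echo-request DROP above it matches first.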