Eu tenho uma configuração de regra iptables que marca endereços como suspeitos se eles se conectam em certas portas ou portas não abertas. Se mais de três conexões consecutivas forem feitas sem autenticação, o endereço será listado em preto. Após a inclusão da lista negra, o host remoto é impedido de acessar todas as portas. No entanto, apesar de descartar pacotes quando um endereço é listado em preto, o nmap ainda é capaz de detectar que o host está ativo. O que é o nmap usando para determinar isso? Como posso fazer o host desaparecer completamente, como no estilo da bobina de Tesla?
root@yellowtail:~# nmap -Pn 10.42.0.48
Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 21:56 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
All 1000 scanned ports on 10.42.0.48 are filtered
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 22.11 seconds
Atualização: o caminho da regra para DROP
Primeiro, manipule o tráfego de conexão externa estabelecido e relacionado, antes de manipular o novo tráfego externo de entrada (o que estou testando) ...
-N ERIN
-A ERIN -m state --state INVALID -j DROPINVALID
-A ERIN -m state ! --state RELATED,ESTABLISHED -j RETURN
#-A ERIN -j LOG --log-prefix "RELATED,ESTABLISHED ACCEPT" --log-tcp-options --log-ip-options --log-level 7
-A ERIN -j ACCEPT
-N BLACKLIST
-A BLACKLIST -m recent --name whitelist --rcheck -m limit --limit 1/minute -j LOG --log-prefix "!BLACKLIST: WHITELISTED" --log-level 7
-A BLACKLIST -m recent --name whitelist --rcheck -j RETURN
-A BLACKLIST -s 4.79.142.206 -j LOG --log-prefix "!BLACKLIST: SHIELDS-UP" --log-level 7
-A BLACKLIST -s 4.79.142.206 -j RETURN
-A BLACKLIST -m recent --name blacklist ! --rcheck -j LOG --log-prefix "BLACKLIST" --log-tcp-options --log-ip-options --log-level 7
-A BLACKLIST -m recent --name blacklist --set
-A BLACKLIST -j DROP
-N BLACKLIST_IN
-A BLACKLIST_IN -m recent --name blacklist --rcheck --reap --seconds 172800
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j LOG --log-prefix "BLACKLIST_IN RCHECK" --log-level 7
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j BLACKLIST
-N WAN_IN
-A WAN_IN -j BLACKLIST_IN
...
-A INPUT -j ERIN
-A INPUT -i {EXT_IFACE} -j WAN_IN
...
Este é apenas o caminho relevante no iptables. Eu confirmei o caminho através das mensagens LOG que eu coloquei em todo o conjunto de regras.
Atualização: após o TRACE ativado
Este é o caminho através do conjunto de regras para o primeiro pacote nmap namp -F 10.42.0.48
:
[ 7021.149480] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.173615] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT= MAC=xx SRC...
[ 7021.197771] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.221820] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT= MAC=xx S...
[ 7021.246159] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.270094] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0 OUT= MAC=x...
[ 7021.294688] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.318757] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.342657] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.366373] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC=xx SRC=10.42...
[ 7021.390054] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.413772] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=xx SRC=10....
[ 7021.437591] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT= MAC=xx S...
[ 7021.461906] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT= MAC=xx S...
[ 7021.486269] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC=xx SRC=10.42.0.1 DS...
[ 7021.506133] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT= MAC=xx S...
[ 7021.530447] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.554554] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT= MAC=xx SR...
Atualização 3
Se eu apenas portar uma única porta, ela ainda poderá identificar se o host está ativo.
root@yellowtail:~# nmap -Pn -p80 10.42.0.48
Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 23:25 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Aqui está toda a saída TRACE dessa varredura:
[ 8565.051960] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.075775] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.099686] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.123557] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.147626] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.171236] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.195551] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.219400] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.243045] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.266520] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.289870] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.313348] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.336940] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.361017] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.385057] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.404774] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.428915] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.452702] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=
[ 8565.476707] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.500509] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.524408] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.548252] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.572322] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.595933] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.620263] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.644118] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.667760] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.691207] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.714579] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.738085] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.761640] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.785705] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.809747] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.829463] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.853577] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.877387] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=