On Thu, 14 Mar 2002, Maciej Soltysiak wrote:

> Hi,
>
> Please look at this experiment.
> 1. Flush all tables with ACCEPT policies
> 2. Do this:
> host1# iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j REJECT --reject-with tcp-reset
>
> host2# nmap -p 25 -sX host1
> nmap answer: port 25 closed
>
> 3. Do this:
> host1# iptables -A OUTPUT -t mangle -p tcp -j FTOS --set-ftos 0xc0
>
> host2# nmap -p 25 -sX host1
> nmap answer: port 25 closed
>
> 4. Do this:
> host1# iptables -A PREROUTING -t mangle -p tcp -j FTOS --set-ftos 0xc0

Mmmm - OK, this should set TOS 0xc0 on all incoming TCP packets (I think), so would that not tell Nmap that something has changed, maybe (I am not sure how Nmap deals with TOS settings)?

> host2# nmap -p 25 -sX host1
> nmap answer: port 25 open.
>
> And any port for that matter.
> I found out that if you nmap any port, and change TOS both at prerouting
> and output, nmap says open.
> Here's the tcpdump output:
>
> tcpdump: listening on eth0
> 16:30:43.330595 bsd1.ae.poznan.pl > dns.toxicfilms.tv: icmp: echo request
> 16:30:43.330804 dns.toxicfilms.tv > bsd1.ae.poznan.pl: icmp: echo reply
> 16:30:43.331317 bsd1.ae.poznan.pl.44930 > dns.toxicfilms.tv.www: . ack 2644064441 win 1024 [tos 0xc0]
> 16:30:43.331587 dns.toxicfilms.tv.www > bsd1.ae.poznan.pl.44930: R 2644064441:2644064441(0) win 0 (DF) [tos 0xc0]
> 16:30:43.658534 bsd1.ae.poznan.pl.44910 > dns.toxicfilms.tv.29: FP 0:0(0) win 1024 urg 0 [tos 0xc0]
> 16:30:43.658749 dns.toxicfilms.tv.29 > bsd1.ae.poznan.pl.44910: R 0:0(0) ack 1 win 0 (DF) [tos 0xc0]
> 16:30:43.960455 bsd1.ae.poznan.pl.44911 > dns.toxicfilms.tv.29: FP 0:0(0) win 1024 urg 0 [tos 0xc0]
> 16:30:43.960665 dns.toxicfilms.tv.29 > bsd1.ae.poznan.pl.44911: R 0:0(0) ack 1 win 0 (DF) [tos 0xc0]
>
> I do not know why, but if both of these rules are up, we get 2 XMAS/RESET
> exchanges, whereas with one or no TOS rules we get one exchange.

What happens with only the PREROUTING FTOS setting? With both the OUTPUT and the PREROUTING, I suspect that is the same as forcibly resetting the TOS bits both ways regardless of the actual data. The way I am reading the rule sets above is that OUTPUT sets TOS for all system-initiated packets (e.g. the NMAP scan) while PREROUTING sets TOS for _all_ incoming packets regardless of destination.

> Any ideas?
> I am not sure if it is a bug, or something normal.

My suspicion is that the PREROUTING setting the TOS on inbound packets causes Nmap to "think" something about the packets. After all, Nmap is expecting to receive the actual communications from the victim.

> Maciej Soltysiak

Thanks for the interesting report - I am curious what Nmap is thinking in this case...

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW: http://www.paktronix.com
--------------------------------------------------
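As an added example (not code from either poster), the script below reads tcpdump lines in the format quoted in the thread, pairs each Xmas probe (FIN+PSH with urg set) with the RST that answers it, and reports per target port what an Xmas scan concludes: an RST means closed, no answer means open in the nmap of that era (open|filtered in current versions). The capture is constructed from the format shown above; hostnames, ports and timestamps are illustrative, and the repeated probe/RST pair on port 29 reproduces the double exchange the report describes.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's 2002-era TCP line format; not a real capture.
SAMPLE = """\
16:30:43.658534 bsd1.ae.poznan.pl.44910 > dns.toxicfilms.tv.29: FP 0:0(0) win 1024 urg 0 [tos 0xc0]
16:30:43.658749 dns.toxicfilms.tv.29 > bsd1.ae.poznan.pl.44910: R 0:0(0) ack 1 win 0 (DF) [tos 0xc0]
16:30:43.960455 bsd1.ae.poznan.pl.44911 > dns.toxicfilms.tv.29: FP 0:0(0) win 1024 urg 0 [tos 0xc0]
16:30:43.960665 dns.toxicfilms.tv.29 > bsd1.ae.poznan.pl.44911: R 0:0(0) ack 1 win 0 (DF) [tos 0xc0]
16:30:44.100000 bsd1.ae.poznan.pl.44912 > dns.toxicfilms.tv.25: FP 0:0(0) win 1024 urg 0 [tos 0xc0]
"""

# ts  src.sport > dst.dport: FLAGS rest   (ICMP lines carry no port and are skipped)
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?P<flags>[A-Z.]+) (?P<rest>.*)$"
)


def classify_xmas_scan(text):
    """Return {target_port: (verdict, number_of_probe_RST_exchanges)}."""
    pending = {}                    # (src, sport, dst, dport) of unanswered probes
    exchanges = defaultdict(int)    # target port -> answered probes
    probed = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        # Xmas probe: FIN and PSH in the flag field, URG shown by tcpdump as "urg N"
        if "F" in f["flags"] and "P" in f["flags"] and "urg" in f["rest"]:
            pending[(f["src"], f["sport"], f["dst"], f["dport"])] = True
            probed.add(f["dport"])
        elif "R" in f["flags"]:
            # A RST going back to the prober answers the matching probe
            key = (f["dst"], f["dport"], f["src"], f["sport"])
            if pending.pop(key, None):
                exchanges[f["sport"]] += 1
    verdict = {}
    for port in probed:
        if exchanges[port]:
            verdict[port] = ("closed", exchanges[port])
        else:
            verdict[port] = ("open|filtered", 0)   # old nmap printed "open"
    return verdict


if __name__ == "__main__":
    for port, (state, n) in sorted(classify_xmas_scan(SAMPLE).items()):
        print(f"port {port}: {state} ({n} probe/RST exchange(s))")
```

A count above one for a port, as on port 29 here, is the double exchange the thread observed and is worth flagging when reviewing a capture.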
