On Mon, 2 May 2005 12:03:10 -0300
Marlon Jabbur <msjabbur_at_uol.com.br> wrote:
> > Now It works but can I not allow INVALID on OUTPUT chain ?
> My iptables rules are the following:
>
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The first one allows me to send the nmap packets and the last allows
> me to receive the answer. I don't see any risk in allowing INVALID
> packets on the OUTPUT chain. I can see problems if you allow it on
> the INPUT chain.
> > Now It works but can I not allow INVALID on OUTPUT chain ?
Sorry, it was a mistake, I wanted to write INPUT instead of OUTPUT.
Now my iptables rules are:
IPTAB=/usr/sbin/iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
$IPTAB --flush
$IPTAB -F INPUT
$IPTAB -P INPUT DROP
$IPTAB -F OUTPUT
$IPTAB -P OUTPUT DROP
$IPTAB -F FORWARD
$IPTAB -P FORWARD DROP
$IPTAB -t nat -F
$IPTAB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTAB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT
--
Przemysław Ciemniewski
mailto:przemek_at_skyline.ltd.pl
GG:155998 JID: tommy_at_chrome.pl
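An added example, not from either poster, in the same shell style as the script above: the same default-DROP policy, but INVALID is logged and dropped explicitly on INPUT (the risk Marlon points to) and accepted on OUTPUT only for the uid whose raw packets need it. SCAN_UID (default 0, root, since nmap raw scans run as root) and the dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: stateful ruleset in the style of the posted script.
# INVALID is logged and dropped on INPUT; on OUTPUT it is accepted only for
# packets generated by SCAN_UID (assumed: the uid that runs nmap, root here).
SCAN_UID="${SCAN_UID:-0}"

# apply_rules [dry] -- with "dry", the rules are printed instead of loaded,
# so the ruleset can be reviewed before it touches a live host.
apply_rules() {
    if [ "${1:-}" = "dry" ]; then
        IPTAB="echo iptables"
    else
        IPTAB=/usr/sbin/iptables
    fi
    $IPTAB -F INPUT
    $IPTAB -F OUTPUT
    $IPTAB -F FORWARD
    $IPTAB -P INPUT DROP
    $IPTAB -P OUTPUT DROP
    $IPTAB -P FORWARD DROP
    # Local services need loopback.
    $IPTAB -A INPUT -i lo -j ACCEPT
    $IPTAB -A OUTPUT -o lo -j ACCEPT
    # INPUT: drop INVALID explicitly and log it, instead of leaving it to the
    # DROP policy, so the events are visible in the kernel log.
    $IPTAB -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID-IN: "
    $IPTAB -A INPUT -m state --state INVALID -j DROP
    $IPTAB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # OUTPUT: normal traffic for everyone; INVALID only for the scanning
    # user's raw packets (the owner match exists only in OUTPUT/POSTROUTING).
    $IPTAB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTAB -A OUTPUT -m owner --uid-owner "$SCAN_UID" \
        -m state --state INVALID -j ACCEPT
}

# "apply" loads the rules; anything else (or no argument) only prints them.
case "${1:-}" in
    apply) apply_rules ;;
    *)     apply_rules dry ;;
esac
```

Run it with no argument first to review the generated rules, then with `apply` as root to load them.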
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on May 02 2005