Tweaking Linux NAT gateways to better route Nmap scans
From: Fyodor <fyodor () insecure org>
Date: Sun, 8 Jan 2006 18:47:55 -0800
This informative message from the pen-test list describes how to tweak
Linux NAT gateways so that the ip_conntrack (connection tracking)
module of Netfilter does not barf when a fast Nmap scan is performed
through the gateway. This message focuses on cheap consumer devices
running embedded Linux, though it should apply to general computers as
Date: Sun, 8 Jan 2006 09:08:57 +1100
From: Lyal Collins <lyal.collins () key2it com au>
To: kataka () hush com, pen-test () securityfocus com
Subject: RE: Discovery Scanning Issues
My experience is:
Many DSL modems run an embedded Linux OS that performs the routing, NATing
Generally, iptables are used, with the ip_conntrack modules used for NATing.
Due to memory constraints, many DSL devices only have a limited ip_conntrack
pool size by default, somewhere between 512 and 1024 connections, afaik.
Also many DSL modems use a long timeout for established conntrack routes,
often 2-5 days.
These factors combine to affect many things, such as bittorrents and some
other P2P traffic as well, not just nmap.
Googling on DSL, ip_conntrack, and bit torrents is usually a good pointer to
ideas and issues for your modem make/model.
I've found 2 workarounds that complement each other:
Use the -T Polite setting in nmap. This slows down the number of new
routes/sec (source IP:port, dest IP:port) created by nmap, and allows some
ip_conntracks to expire and thus be reused.
Access the modem's command line e.g. via telnet, and tune the ip_conntrack
E.g. on a D-Link 604T, these commands raise the ip_conntrack limit to 2048,
and reduce various timeouts significantly from the default firmware
settings. Depending on the amount of free RAM, you may be limited to 1024,
or more than 2048 - experiment and see if the modem still works; if not,
reboot/power cycle, and try different settings. Your mileage may vary.
echo 2048 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 50 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo 1200 >
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo 10 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl
Of course, some DSL modems allow you to upload a custom firmware based on a
Linux OS distro, which would then allow you to tune the default parameters
for your purposes. I've not done this due to the time and learning curve
involved, but reportedly, some have had success with building and installing their own
Another option, that often causes more disruption to your internal network, is
to use a 'dumber' USB-based DSL modem, and have your test box manage all the
DSL network connectivity, ip_conntrack pools etc. This works, as long as
your test box is running a good firewall itself against external attacks.
The test box then becomes 'mission critical' in terms of your internet
access for other machines on the internal network.
From: kataka () hush com [mailto:kataka () hush com]
Sent: Sunday, 8 January 2006 2:48 AM
To: pen-test () securityfocus com
Subject: DSL: Discovery Scanning Issues
DSL was finally brought to where I live, and I have started
experimenting with discovery scans using Nmap.
The problem is, if I try and scan for more than 1024 ports on a
single host, my cheap-o Zoom DSL router/modem/switch/thingy starts
to flake out, in the sense I can't ping my DSL router any more and
I lose connectivity to the Internet until I reset the router.
I believe this is because Nmap is filling up my router's NAT pool
or something. I've looked at the config of the router and it's only
got a 1024 connection NAPT port limit that cannot be adjusted and
timeouts measured in seconds as opposed to ms.
What should I do? Are other people with low-end DSL routers able to
overcome this problem? Should I look at getting a better router, if
so, what kind? Or, is it best to not scan through NAT and assign my
Internet Routable IP to my scanning box directly? If so, how would
this work under DSL, would I need to buy some kind of an Ethernet
to RJ-11 adapter card, configure routing, install PPP encapsulation
software on the box itself?
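As an added example (not part of either post, and not the modem firmware's own tooling), the arithmetic behind Lyal's two workarounds in POSIX shell: a conntrack table of MAX entries can absorb at most MAX/T new flows per second when each unanswered probe leaves an entry that lives T seconds, which is why a 1024-port scan overwhelms a 1024-entry table and why both slowing the scan and raising the limit help. It assumes that the lifetime of an unanswered TCP probe's entry is the SYN_SENT timeout (nf_conntrack_tcp_timeout_syn_sent on current kernels, a knob the post does not tune) and reads the newer nf_conntrack_* /proc names beside the ip_conntrack_* names the post uses, falling back to the thread's quoted figures where neither is readable.

```shell
#!/bin/sh
# Added example, not from the list post. Capacity arithmetic for a NAT
# gateway's conntrack table, using the figures quoted in the thread
# (1024-entry table on the stock modem, 2048 after tuning).
# Each probe to a port that never answers leaves one entry behind until
# it times out, so a scan at R new flows/s holds about R*T entries in
# steady state, where T is that entry's lifetime in seconds.
# Assumption: for TCP SYN probes T is the SYN_SENT timeout
# (nf_conntrack_tcp_timeout_syn_sent, 120 s by default on current kernels).

# Print the first readable value among the given /proc paths, or the
# fallback given as the last argument, so this runs where there is no
# netfilter at all (or no permission to read its settings).
read_or_default() {
    while [ $# -gt 1 ]; do
        if [ -r "$1" ]; then cat "$1"; return 0; fi
        shift
    done
    echo "$1"
}

# Highest new-flow rate (flows/s, rounded down) a table of $1 entries
# can absorb when each unanswered entry lives $2 seconds.
sustainable_rate() { echo $(( $1 / $2 )); }

# Seconds until a table of $1 entries fills at $2 new flows/s with a
# $3-second entry lifetime, or "never" when entries expire fast enough
# that the steady-state population (rate * lifetime) fits the table.
seconds_to_exhaust() {
    if [ $(( $2 * $3 )) -le "$1" ]; then echo never; else echo $(( $1 / $2 )); fi
}

# Live figures if available (nf_conntrack names first, then the
# ip_conntrack names used in the post), otherwise the thread's defaults.
cmax=$(read_or_default /proc/sys/net/netfilter/nf_conntrack_max \
                       /proc/sys/net/ipv4/netfilter/ip_conntrack_max 1024)
tsyn=$(read_or_default /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent \
                       /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent 120)

echo "table=$cmax entries, unanswered SYN entry lifetime=${tsyn}s"
echo "highest sustainable new-flow rate: $(sustainable_rate "$cmax" "$tsyn") flows/s"
for rate in 10 100; do
    echo "at $rate probes/s the table is full after: $(seconds_to_exhaust "$cmax" "$rate" "$tsyn") s"
done
# Same question for the post's tuned limit of 2048 entries.
echo "with ip_conntrack_max=2048: $(sustainable_rate 2048 "$tsyn") flows/s sustainable"
```

With the stock figures the table saturates at roughly 8 new flows per second, so anything faster than that against filtered ports fills it in well under a minute; raising the limit only doubles the budget, which is why the post pairs it with shorter timeouts and a slower timing template.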
Sent through the nmap-dev mailing list