I have an iptables rule set that marks addresses as suspicious if they connect on certain ports, or on any port that is not open. If more than three consecutive connections are made without authentication, the address is blacklisted. Once blacklisted, the remote host is blocked from accessing all ports. However, even though packets are dropped while the address is blacklisted, nmap is still able to detect that the host is up. What does nmap use to determine this? How can I make the host disappear completely, as in Tesla coil style?

root@yellowtail:~# nmap -Pn 10.42.0.48

Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 21:56 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
All 1000 scanned ports on 10.42.0.48 are filtered
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 22.11 seconds
Update: the rule path to DROP

First, RELATED and ESTABLISHED traffic on external connections is handled, then incoming new external traffic (which is what I am testing)…

-N ERIN
-A ERIN -m state --state INVALID -j DROPINVALID
-A ERIN -m state ! --state RELATED,ESTABLISHED -j RETURN
#-A ERIN -j LOG --log-prefix "RELATED,ESTABLISHED ACCEPT" --log-tcp-options --log-ip-options --log-level 7
-A ERIN -j ACCEPT

-N BLACKLIST
-A BLACKLIST -m recent --name whitelist --rcheck -m limit --limit 1/minute -j LOG --log-prefix "!BLACKLIST: WHITELISTED" --log-level 7
-A BLACKLIST -m recent --name whitelist --rcheck -j RETURN
-A BLACKLIST -s 4.79.142.206 -j LOG --log-prefix "!BLACKLIST: SHIELDS-UP" --log-level 7
-A BLACKLIST -s 4.79.142.206 -j RETURN
-A BLACKLIST -m recent --name blacklist ! --rcheck -j LOG --log-prefix "BLACKLIST" --log-tcp-options --log-ip-options --log-level 7
-A BLACKLIST -m recent --name blacklist --set
-A BLACKLIST -j DROP

-N BLACKLIST_IN
-A BLACKLIST_IN -m recent --name blacklist --rcheck --reap --seconds 172800
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j LOG --log-prefix "BLACKLIST_IN RCHECK" --log-level 7
-A BLACKLIST_IN -m recent --name blacklist --rcheck -j BLACKLIST

-N WAN_IN
-A WAN_IN -j BLACKLIST_IN
...

-A INPUT -j ERIN
-A INPUT -i {EXT_IFACE} -j WAN_IN
...

This is only the relevant path through iptables. I have confirmed the path via the LOG messages scattered through the rule set.
Update: after enabling TRACE

This is the path through the rule set taken by the first nmap packet of nmap -F 10.42.0.48:

[ 7021.149480] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.173615] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT= MAC=xx SRC...
[ 7021.197771] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.221820] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT= MAC=xx S...
[ 7021.246159] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.270094] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0 OUT= MAC=x...
[ 7021.294688] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.318757] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC=xx SRC=10...
[ 7021.342657] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.366373] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC=xx SRC=10.42...
[ 7021.390054] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=xx SRC=10.4...
[ 7021.413772] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=xx SRC=10....
[ 7021.437591] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT= MAC=xx S...
[ 7021.461906] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT= MAC=xx S...
[ 7021.486269] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC=xx SRC=10.42.0.1 DS...
[ 7021.506133] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT= MAC=xx S...
[ 7021.530447] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= MAC=xx SRC=...
[ 7021.554554] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT= MAC=xx SR...
Update 3

If I port-scan only a single port, it is still able to identify that the host is up.

root@yellowtail:~# nmap -Pn -p80 10.42.0.48

Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-12 23:25 GMT
Nmap scan report for 10.42.0.48
Host is up (0.00022s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: EC:43:F6:C0:B1:E8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

This is the entire TRACE output from that scan:

[ 8565.051960] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.075775] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.099686] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.123557] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.147626] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.171236] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.195551] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.219400] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.243045] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.266520] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.289870] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.313348] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.336940] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.361017] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.385057] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.404774] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.428915] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.452702] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=
[ 8565.476707] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= M
[ 8565.500509] TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT=
[ 8565.524408] TRACE: mangle:HANDHELDS:rule:1 IN=eth0 OUT= M
[ 8565.548252] TRACE: mangle:PREROUTING:policy:3 IN=eth0 OUT
[ 8565.572322] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC
[ 8565.595933] TRACE: nat:UPNPD_PREROUTING:return:1 IN=eth0
[ 8565.620263] TRACE: nat:PREROUTING:policy:6 IN=eth0 OUT= M
[ 8565.644118] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC
[ 8565.667760] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=
[ 8565.691207] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC= S
[ 8565.714579] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=
[ 8565.738085] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=
[ 8565.761640] TRACE: filter:BLACKLIST_IN:rule:1 IN=eth0 OUT
[ 8565.785705] TRACE: filter:BLACKLIST_IN:rule:2 IN=eth0 OUT
[ 8565.809747] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC= SRC=10.4
[ 8565.829463] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT
[ 8565.853577] TRACE: filter:BLACKLIST:rule:4 IN=eth0 OUT= M
[ 8565.877387] TRACE: filter:BLACKLIST:return:5 IN=eth0 OUT=
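Reading a TRACE dump by hand, as the question above does, is tedious and easy to misread. The following added example (not part of the question or its answer) reduces TRACE log lines to the chain path a packet took and names the entry that made the final decision. The sample lines are constructed in the "TRACE: table:chain:type:rulenum" format shown above; they assume rule 7 of BLACKLIST is the DROP from the posted rule set, which is a constructed scenario rather than the trace the asker captured.

```shell
#!/bin/sh
# Added example, not from the original post: summarise iptables TRACE output.
# Assumed log format: the kernel's "TRACE: table:chain:type:rulenum" prefix,
# where type is "rule" (a matched rule), "return" (implicit end-of-chain return)
# or "policy" (built-in chain policy). Everything else on the line is ignored.

# Constructed sample, shaped like the post's output (not a real capture):
# a blacklisted source walking INPUT -> ERIN -> WAN_IN -> BLACKLIST_IN -> BLACKLIST,
# ending on BLACKLIST rule 7 (the DROP in the posted rule set).
SAMPLE_TRACE='[ 7021.342657] TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.366373] TRACE: filter:ERIN:rule:2 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.390054] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.413772] TRACE: filter:WAN_IN:rule:1 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.437591] TRACE: filter:BLACKLIST_IN:rule:3 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.486269] BLACKLIST_IN RCHECKIN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80
[ 7021.530447] TRACE: filter:BLACKLIST:rule:7 IN=eth0 OUT= MAC=xx SRC=10.42.0.1 DST=10.42.0.48 PROTO=TCP DPT=80'

# trace_path: read TRACE lines on stdin, print "table:chain:type:num" entries
# joined by " -> ". Lines without a TRACE token (e.g. LOG target output) are skipped.
trace_path() {
    awk '
        match($0, /TRACE: [^:]+:[^:]+:[a-z]+:[0-9]+/) {
            entry = substr($0, RSTART + 7, RLENGTH - 7)   # strip the "TRACE: " prefix
            out = (out == "") ? entry : out " -> " entry
        }
        END { print out }
    '
}

# trace_verdict: look at the last TRACE entry and say what ended the packet's
# traversal. A trailing "rule" entry is the terminating rule (ACCEPT/DROP/REJECT or
# another target that ends traversal); "policy" is a built-in chain policy; a trailing
# "return" means the decision happened in the caller and the captured trace is incomplete.
trace_verdict() {
    awk '
        match($0, /TRACE: [^:]+:[^:]+:[a-z]+:[0-9]+/) {
            last = substr($0, RSTART + 7, RLENGTH - 7)
        }
        END {
            if (last == "") { print "no TRACE entries found"; exit }
            split(last, f, ":")
            if (f[3] == "policy")
                print "final decision: built-in policy of " f[1] ":" f[2]
            else if (f[3] == "return")
                print "last entry is the implicit return of " f[1] ":" f[2] "; decision made in the calling chain (trace incomplete?)"
            else
                print "final decision: rule " f[4] " in " f[1] ":" f[2]
        }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" | trace_path
printf '%s\n' "$SAMPLE_TRACE" | trace_verdict
```

On a live system, feed it the kernel log instead of the sample (for example `dmesg | trace_path`), then look up the rule it names with `iptables -t filter -L BLACKLIST -n --line-numbers` to confirm the target. A path that ends on a "return" entry, as both captures in the question do, is a hint that the trace shown stops before the chain that actually accepted or dropped the packet.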
It shows as "up" because you told Nmap to skip the host discovery phase and assume the host is up. That is what the -Pn option means. Even without that option, you may find that Nmap can still detect your system.

Nmap's host discovery uses many different probes to determine whether a host is up. When scanning from an address on the same link layer (layer 2) as the target, it sends an ARP request to determine the target's layer-2 address (MAC address). The target responds with an ARP reply containing its IP address and MAC address. That is how the MAC address ended up in the output above.

You cannot block this response with iptables, because it is not a layer-3 protocol. For that, you could use ebtables. But be aware that this is not a real threat: if you can't trust the hosts on your own LAN to know that you are up, then you have bigger problems.

To diagnose "why does Nmap say X?" questions, you can use the --reason option, which shows why Nmap chose a particular state for a host or port:

$ sudo ./nmap -p 443 192.168.1.1 --reason

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-02-13 06:53 CST
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.0049s latency).
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
MAC Address: 00:21:29:xx:xx:xx (Cisco-Linksys)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

$ sudo ./nmap -p 12345 -Pn google.com --reason

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-02-13 06:54 CST
Nmap scan report for google.com (74.125.227.231)
Host is up, received user-set.
Other addresses for google.com (not scanned): 74.125.227.232 74.125.227.233 74.125.227.238 74.125.227.224 74.125.227.225 74.125.227.226 74.125.227.227 74.125.227.228 74.125.227.229 74.125.227.230
rDNS record for 74.125.227.231: dfw06s38-in-f7.1e100.net
PORT      STATE    SERVICE REASON
12345/tcp filtered netbus  no-response

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

One last note: you should always try to use the latest version of Nmap. Version 6.40 superseded 6.00 in July 2013.
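The answer mentions ebtables as the layer where ARP replies can be filtered. As an added example (not code from the question, the answer, or the ebtables project), the script below generates ebtables rules that let this host answer ARP requests only from a short list of trusted neighbours and silently drop all other ARP replies. It assumes the filter table's OUTPUT chain, the ebtables matches -p ARP, --arp-opcode Reply and --arp-ip-dst, an interface name and trusted-peer addresses that are placeholders, and that nothing is applied unless APPLY=1; by default the rules are only printed.

```shell
#!/bin/sh
# Added example, not from the original page: generate (and optionally apply)
# ebtables rules that suppress ARP replies to everyone except trusted peers.
# Assumptions: ebtables filter table, OUTPUT chain (locally generated frames),
# matches "-p ARP --arp-opcode Reply --arp-ip-dst". Interface and peer
# addresses below are placeholders, not values from the page.

IFACE="${IFACE:-eth0}"            # interface facing the untrusted segment (placeholder)
TRUSTED="${TRUSTED:-10.42.0.1}"   # space-separated peer IPs still allowed to resolve us

# arp_reply_rules IFACE PEER...: print one ebtables command per line.
# ACCEPT replies whose target IP (the asker) is a trusted peer, DROP the rest,
# so an unsolicited ARP ping from anyone else gets no answer.
arp_reply_rules() {
    iface="$1"; shift
    for ip in "$@"; do
        printf 'ebtables -A OUTPUT -o %s -p ARP --arp-opcode Reply --arp-ip-dst %s -j ACCEPT\n' "$iface" "$ip"
    done
    printf 'ebtables -A OUTPUT -o %s -p ARP --arp-opcode Reply -j DROP\n' "$iface"
}

# neigh_hint PEER_IP OUR_MAC IFACE: the static neighbour entry a trusted peer
# must carry for this host, since it can no longer learn our MAC through ARP.
neigh_hint() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$1" "$2" "$3"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Needs root and the ebtables binary; applies the generated rules in order.
    arp_reply_rules "$IFACE" $TRUSTED | sh
else
    arp_reply_rules "$IFACE" $TRUSTED
fi
```

The practical cost is the one the answer hints at: once ARP replies are dropped, any host not on the trusted list cannot reach this machine at all, and each trusted peer needs a static neighbour entry (the `ip neigh replace ... nud permanent` line from `neigh_hint`) pointing at this host's MAC, or it too loses connectivity the next time its ARP cache expires.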