On Saturday 29 June 2002 9:56 pm, ganesh kumar godavari wrote:

> hello group,
>
> I have attached my shell code to limit the ping-icmp and tcp-syn and tcp-portscan protection. I need some help in this matter.
>
> I am not able to limit the incoming tcp-syn packets and port scan packets done using nmap.
>
> I used nmap -sS -O -P0 -p1-15 <host name> for port scanning, nmap -sS -O -P0 <host name> for syn flooding.
> $IPTABLES -N PORTSCANLIMIT
> $IPTABLES -A PORTSCANLIMIT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $IPTABLES -A PORTSCANLIMIT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
> $IPTABLES -A PORTSCANLIMIT -j RETURN

You're using -sS with nmap, which sends SYN packets, but your PORTSCANLIMIT rule is looking for packets with the RST flag set.

The option "--tcp-flags SYN,ACK,FIN,RST RST" means "look at the flags SYN, ACK, FIN and RST, and match if the RST flag (only) is set".

If you want to match on only the SYN flag being set, then the option should read "--tcp-flags SYN,ACK,FIN,RST SYN" (this will ignore the PSH and URG flags).

If you want to match on the SYN flag being set no matter what other flags may be set as well, use "--tcp-flags SYN SYN".

Remember that this is not the only way of doing a port scan with nmap, however :-)

Antony.
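The mask/compare semantics Antony describes, as an added worked example (not code from the thread or from netfilter): a small model of how `--tcp-flags MASK COMP` is evaluated, run against the three rule variants discussed above for a few constructed packet flag combinations.

```python
# Model of iptables' "--tcp-flags MASK COMP": a packet matches when
# (packet_flags & MASK) == COMP. Flags outside MASK are ignored; every flag
# in COMP must be set and every other flag inside MASK must be clear.
# Constructed illustration, not netfilter's own code.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(spec):
    """Bitwise OR of a comma-separated flag list, e.g. 'SYN,ACK' -> 0x12.
    iptables also accepts the keywords ALL and NONE, modelled here too."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    value = 0
    for name in spec.split(","):
        value |= TCP_FLAGS[name.strip()]
    return value


def tcp_flags_match(mask, comp, packet_flags):
    """True if a packet carrying packet_flags matches '--tcp-flags mask comp'."""
    return (flags_value(packet_flags) & flags_value(mask)) == flags_value(comp)


def evaluate_rules(packet_flags):
    """Which of the three rule variants from the thread match this packet."""
    return {
        "original: SYN,ACK,FIN,RST RST": tcp_flags_match("SYN,ACK,FIN,RST", "RST", packet_flags),
        "fixed: SYN,ACK,FIN,RST SYN": tcp_flags_match("SYN,ACK,FIN,RST", "SYN", packet_flags),
        "loose: SYN SYN": tcp_flags_match("SYN", "SYN", packet_flags),
    }


if __name__ == "__main__":
    # Constructed packets: a bare SYN as sent by nmap -sS, SYN with PSH,
    # a SYN/ACK reply, a bare RST and an ACK/RST.
    for pkt in ("SYN", "SYN,PSH", "SYN,ACK", "RST", "ACK,RST"):
        print(f"{pkt:8} {evaluate_rules(pkt)}")
```

The bare SYN that `nmap -sS` sends is matched by neither of the original RST rules, which is why the chain never limited the scan.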
