traceroute!!! help!!! how to block
I wanted to block traceroute from the clients!!!
I'm using this rule on my firewall!
iptables -A INPUT -p udp -s 0/0 -i eth+ --dport 33435:33525 -j DROP
iptables -A FORWARD -p udp -s 0/0 -i eth+ --dport 33435:33525 -j DROP
iptables -A INPUT -p udp -s 0/0 -i ppp0 --dport 33435:33525 -j DROP
iptables -A FORWARD -p udp -s 0/0 -i ppp0 --dport 33435:33525 -j DROP
but I can still traceroute!!!
Help
traceroute!!! help!!! how to block
It doesn't necessarily use those ports; basically traceroute can use ICMP/UDP/TCP, there are several techniques. Well, we can pick out a few, from the FreeBSD traceroute man page:
Quote:
DESCRIPTION
The Internet is a large and complex aggregation of network hardware, connected together by gateways. Tracking the route one's packets follow (or finding the miscreant gateway that's discarding your packets) can be difficult. Traceroute utilizes the IP protocol `time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
Quote:
-I Use ICMP ECHO instead of UDP datagrams. (A synonym for "-P icmp").
Quote:
-P Send packets of specified IP protocol. The currently supported protocols are: UDP, TCP, GRE and ICMP. Other protocols may also be specified (either by name or by number), though traceroute does not implement any special knowledge of their packet formats. This option is useful for determining which router along a path may be blocking packets based on IP protocol number. But see BUGS below.
-p Protocol specific. For UDP and TCP, sets the base port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.
Quote:
-v Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.
Quote:
This program attempts to trace the route an IP packet would follow to some internet host by launching UDP probe packets with a small ttl (time to live) then listening for an ICMP "time exceeded" reply from a gateway. We start our probes with a ttl of one and increase by one until we get an ICMP "port unreachable" (which means we got to "host") or hit a max (which defaults to net.inet.ip.ttl hops & can be changed with the -m flag). Three probes (change with -q flag) are sent at each ttl setting and a line is printed showing the ttl, address of the gateway and round trip time of each probe. If the probe answers come from different gateways, the address of each responding system will be printed. If there is no response within a 5 sec. timeout interval (changed with the -w flag), a "*" is printed for that probe.
We don't want the destination host to process the UDP probe packets so the destination port is set to an unlikely value (if some clod on the destination is using that value, it can be changed with the -p flag).
I think that is basically what you need to know about traceroute, and that it won't be just one line in iptables that blocks all the "smart users" who can run traceroute. The vital point, though, is mostly the first through third paragraphs, but I believe it's worth reading all of my quotes.
traceroute!!! help!!! how to block
Do you have that as commands?
Can you post the lines here!???
I'll add them to my firewall.
Quote:
Originally posted by mistymst
It doesn't necessarily use those ports; basically traceroute can use ICMP/UDP/TCP, there are several techniques. Well, we can pick out a few, from the FreeBSD traceroute man page:
traceroute!!! help!!! how to block
Man, I set this configuration and that way I blocked pings and tracerts (my internal network is M$) going out.
Code:
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
Try it and see if it solves your case.
Oh, and here it's Debian Sarge, so there may be differences.
traceroute!!! help!!! how to block
An interesting method of blocking traceroutes is blocking packets that have a low TTL. This can be done in the mangle table of iptables.
Do the following:
iptables -t mangle -I INPUT -m ttl --ttl-lt 20 -j DROP
iptables -t mangle -I FORWARD -m ttl --ttl-lt 20 -j DROP
This will block packets with a TTL lower than 20 that are destined to your firewall or routed through it.
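Added example, not code from any poster in this thread: a small Python model of the three approaches discussed above (the UDP port-range DROP from the first post, the icmp_echo_ignore_all sysctl, and the mangle --ttl-lt 20 rule), applied to constructed traceroute probes in the UDP, ICMP (-I) and TCP (-P tcp) modes that mistymst's man page excerpts describe. It assumes a client sitting directly behind the firewall, so the firewall is hop 1 and the probe for hop h arrives with TTL h; the 30-hop limit, the TCP probe port 80 and the alternate base port 44444 are constructed values. The UDP probe port follows the quoted man page (base to base + nhops - 1, default base 33434).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    ttl: int                   # TTL on arrival at the firewall
    dport: int = 0             # destination port (udp/tcp only)
    icmp_type: int = -1        # 8 = ICMP echo request (icmp only)
    to_firewall: bool = False  # True -> INPUT path, False -> FORWARD path


# Policy 1 (first post): -p udp --dport 33435:33525 -j DROP on INPUT and FORWARD.
def drop_udp_port_range(p: Packet) -> bool:
    return p.proto == "udp" and 33435 <= p.dport <= 33525


# Policy 2: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all. The sysctl makes the
# kernel ignore echo requests addressed to the box itself; forwarded packets are
# not affected by it.
def drop_icmp_echo_ignore_all(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp_type == 8 and p.to_firewall


# Policy 3: iptables -t mangle -I INPUT/FORWARD -m ttl --ttl-lt 20 -j DROP
def drop_ttl_lt_20(p: Packet) -> bool:
    return p.ttl < 20


POLICIES = {
    "udp 33435:33525": drop_udp_port_range,
    "icmp_echo_ignore_all": drop_icmp_echo_ignore_all,
    "ttl < 20": drop_ttl_lt_20,
}


def probes(mode: str, max_hops: int = 30, base: int = 33434) -> list[Packet]:
    """Constructed probes for hops 1..max_hops, all addressed to a remote host
    (FORWARD path). udp: default mode, port base + hop - 1 as in the man page;
    icmp: traceroute -I (echo requests); tcp: traceroute -P tcp -p 80 (assumed)."""
    out = []
    for hop in range(1, max_hops + 1):
        if mode == "udp":
            out.append(Packet("udp", hop, dport=base + hop - 1))
        elif mode == "icmp":
            out.append(Packet("icmp", hop, icmp_type=8))
        elif mode == "tcp":
            out.append(Packet("tcp", hop, dport=80))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out


def visible_hops(policy, mode: str, **kw) -> list[int]:
    """Hops (2 and beyond) whose probe passes the firewall and can therefore
    answer with TIME_EXCEEDED. Hop 1 is the firewall itself; what it does with
    a probe whose TTL expires on it is not modelled here."""
    return [p.ttl for p in probes(mode, **kw) if p.ttl >= 2 and not policy(p)]


def report() -> None:
    for name, policy in POLICIES.items():
        for mode in ("udp", "icmp", "tcp"):
            v = visible_hops(policy, mode)
            span = f"{v[0]}..{v[-1]}" if v else "none"
            print(f"{name:22s} {mode:5s} visible hops: {span}")
    # A UDP trace with a non-default base port (traceroute -p 44444) slips past policy 1.
    print("udp rule vs -p 44444:", visible_hops(drop_udp_port_range, "udp", base=44444))
    # Collateral damage of the TTL rule: a legitimate reply from a distant host whose
    # initial TTL of 64 was decremented 46 times arrives with TTL 18 and is dropped.
    far_reply = Packet("tcp", ttl=18, dport=443)
    print("ttl < 20 drops a legitimate far-away TCP reply:", drop_ttl_lt_20(far_reply))


if __name__ == "__main__":
    report()
```

Running it shows the port-range rule hiding every hop from a default UDP trace but none from an ICMP, TCP or custom-port trace; the sysctl changing nothing for traffic that is merely forwarded; and the TTL rule hiding hops 2 through 19 regardless of probe type while still exposing hops 20 and beyond and dropping ordinary packets that simply arrive with a low TTL.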
traceroute!!! help!!! how to block
Sorry for the stupid question...
but... why block traceroute???
traceroute!!! help!!! how to block
Quote:
Originally posted by Marcio68Almeida
Sorry for the stupid question...
but... why block traceroute???
Good one.