Nmap Development mailing list archives

Re: Operation not permitted


From: Przemek <przemek () skyline ltd pl>
Date: Mon, 2 May 2005 17:18:27 +0200

On Mon, 2 May 2005 12:03:10 -0300
Marlon Jabbur <msjabbur () uol com br> wrote:
> > Now it works, but can I not allow INVALID on the OUTPUT chain?
> My iptables rules are the following:
>
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The first one allows me to send the nmap packets and the last allows
> me to receive the answer. I don't see any risk in allowing INVALID
> packets on the OUTPUT chain. I can see problems if you allow it on
> the INPUT chain.

> > Now it works, but can I not allow INVALID on the OUTPUT chain?
Sorry, it was a mistake, I wanted to write INPUT instead of OUTPUT.

Now my iptables rules are:

IPTAB=/usr/sbin/iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
$IPTAB --flush
$IPTAB -F INPUT
$IPTAB -P INPUT DROP
$IPTAB -F OUTPUT
$IPTAB -P OUTPUT DROP
$IPTAB -F FORWARD
$IPTAB -P FORWARD DROP
$IPTAB -t nat -F
$IPTAB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTAB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT



-- 
Przemysław Ciemniewski 
mailto:przemek () skyline ltd pl
GG:155998 JID: tommy () chrome pl
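The point settled in this exchange is that accepting the INVALID conntrack state on OUTPUT is what lets nmap's packets out, while accepting it on INPUT is the risky case. As an added example (not part of the thread or of Przemek's script), here is a small POSIX shell lint that reads iptables-save style rules and flags any INPUT or FORWARD rule that ACCEPTs INVALID while tolerating it on OUTPUT; the function names are my own and the rule text is a constructed sample taken from the rule set posted above.

```shell
#!/bin/sh
# Lint iptables-save style rules for ACCEPT of the INVALID conntrack state.
# check_invalid_accept CHAIN < rules
#   Prints every "-A CHAIN ... -j ACCEPT" rule whose --state/--ctstate list
#   contains INVALID. Returns 0 when the chain is clean, 1 when it is not.
check_invalid_accept() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--state" || $i == "--ctstate") {
                    # the state argument is a comma-separated list
                    n = split($(i + 1), states, ",")
                    for (k = 1; k <= n; k++)
                        if (states[k] == "INVALID") { print; found = 1 }
                }
            }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# audit_rules RULES
#   Applies the thread's reasoning: INVALID may be accepted on OUTPUT (nmap
#   needs it), but never on INPUT or FORWARD. Returns 0 if the rules comply.
audit_rules() {
    rc=0
    for c in INPUT FORWARD; do
        printf '%s\n' "$1" | check_invalid_accept "$c" && continue
        echo "WARNING: chain $c accepts INVALID packets (rules above)"
        rc=1
    done
    return $rc
}

# Constructed sample: the rule set posted in the thread, in iptables-save form.
RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT'

# Constructed counter-example: the typo Przemek describes (INVALID on INPUT).
BAD_RULES='-A INPUT -m state --state ESTABLISHED,RELATED,INVALID -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'

audit_rules "$RULES" && echo "thread rule set: OK"
audit_rules "$BAD_RULES" || echo "counter-example: flagged as expected"
```

On a live host the same check runs as `audit_rules "$(iptables-save)"`, which needs root to read the ruleset.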


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev