NYGiantsFan
Does IPTables do port randomization?
Simple question, does IPTables do port randomization? If so, does it do this by default?
Thanks.
Probably need to clarify what you're doing.
In other words, I can set a rule in IPTables to accept ALL SOURCE traffic using an IP address or port 1024:65535
going to DEST location x,
or I could be discussing NAT,
and I only have a few IP addresses, so I am going to use ports in addition to this one... or these few addresses, so I can have a large address range,
and those ports can be assigned randomly.
Plus some ALGs use random ports.
So the simple answer is YES - IPTables can work with ports.
ASKER
Thanks for your follow-up!!!!!
I ask because it appears people are punching holes through the IPTables firewall using UDP packets.
I can find no information on how this was fixed in IPTables. All the articles are years old, and each of them says it cannot be solved except through port randomization.
Your thoughts?
Are there no originating udp packets to which these are responses?
You do not have an open UDP port? Are the destinations the same port?
ASKER
The originating IP address is an unknown external one. The UDP packet (which the IDS is detecting as a form of attack) is hitting a server internal to the network with a private IP address (10.16.0.55).
The source IP address port was 25033 and the destination IP address is 2877.
What does the UDP packet contain?
Do you have a UDP port redirect, or is the system with IP 10.16.0.55 set up in a DMZ, or has a rule that directs all traffic to the WAN IP to this LAN IP? I.e. do you have a NAT rule x.x.x.x -> 10.16.0.55?
Same line of thinking:
NAT often redirects and uses random ports,
depending on how it was set up.
Some firewalls allow NAT with and without ports,
depending on the IP address pool.
ASKER
It appears to be some type of SQL server attack. The server is not in the DMZ.
According to the IDS, the packet attempts to execute an old SQL vulnerability.
What I think is happening is that the attacker knows the location of the boxes (or IP ranges) and is using a UDP Penetration technique and punching a hole in the Firewall. From what I have read, this type of attack was a vulnerability in the IPTables Firewall solution (and many others).
The
ASKER
Is it true that the only way to prevent this type of attack is using IP port randomization? I think that if the IP port is constantly assigned to a different server or device, a UDP packet cannot be sent into the exhaust port (sorry, firewall).
Thanks.
ASKER
This question was too vague on my part.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UOEiZKzNnTo
https://www.experts-exchange.com/questions/26775594/How-to-randomize-outgoing-IP-in-iptables-using-SNAT.html
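As an added example (not from the thread or any of its participants), here is a check a defender can run over `iptables-save` output for the two things asked about in the thread: a NAT rule that forwards to the internal host, and a UDP ACCEPT rule with no conntrack state match, which is what admits unsolicited inbound UDP regardless of any source-port randomization on SNAT/MASQUERADE. The dump below is constructed; only the host 10.16.0.55 comes from the thread, and the interface, ports and rules are assumptions.

```shell
#!/bin/sh
# Constructed iptables-save dump (assumed, not the asker's real config) that
# reproduces the suspected setup: a DNAT forwarding every port to the internal
# host, plus a UDP ACCEPT rule that does not require a conntrack state.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j DNAT --to-destination 10.16.0.55
-A POSTROUTING -o eth0 -j MASQUERADE --random
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 1024:65535 -j ACCEPT
-A FORWARD -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT'

# Print nat-table DNAT rules whose --to-destination is HOST ($1), with or
# without a :port suffix. Reads an iptables-save dump on stdin.
dnat_rules_to() {
    awk -v host="$1" '
        /^\*/ { table = $1 }
        table == "*nat" && /-j DNAT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--to-destination") {
                    split($(i + 1), dst, ":")
                    if (dst[1] == host) print
                }
        }'
}

# Print filter-table UDP ACCEPT rules carrying no conntrack/state match.
# Such a rule admits inbound UDP whether or not the inside host ever sent
# anything; the ESTABLISHED,RELATED rule only admits replies to outbound
# traffic, which is the stateful behaviour that closes this kind of hole.
stateless_udp_accepts() {
    awk '
        /^\*/ { table = $1 }
        table == "*filter" && /-p udp/ && /-j ACCEPT/ && !/--ctstate/ && !/--state/ { print }'
}

# Usage on the constructed dump; on a live box, feed `iptables-save` instead.
printf '%s\n' "$SAMPLE_RULES" | dnat_rules_to 10.16.0.55
printf '%s\n' "$SAMPLE_RULES" | stateless_udp_accepts
```

Both checks print the offending rule lines and nothing when the dump is clean, so they drop straight into a cron job or audit script.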