Today, while doing an nmap experiment, I noticed that as soon as iptables was started every probe came back as filtered:
[iyunv@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:01 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT STATE SERVICE
53/tcp filtered domain
80/tcp filtered http
3306/tcp filtered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.094 seconds
Looking at iptables showed that the default ruleset contains this rule:
[iyunv@CentOS.2 23:06 ~]
#iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
The culprit is the line "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited". It does not silently discard the probes: every packet that no earlier rule accepted is answered with an ICMP destination-unreachable error (type 3, code 10, "host administratively prohibited"). An nmap ACK scan (-sA) reports a port as unfiltered only when the probe is answered by a TCP RST; when it draws an ICMP unreachable error instead (or no reply at all, as with DROP), nmap reports the port as filtered. That is why all three ports above show up as filtered even though 80 and 3306 are not open in this ruleset at all.
The change goes into /etc/sysconfig/iptables. The stock file looks like this:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Comment out the line "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited" with a "#" and reload the rules (restart the iptables service). The ACK probes then fall through to the INPUT chain's default policy, which is ACCEPT, reach the TCP stack, and are answered with RST, which nmap reports as unfiltered. Be aware of what this does: with the final REJECT gone and the policy set to ACCEPT, the RH-Firewall-1-INPUT chain no longer blocks anything, so the host is effectively unfirewalled. That is fine for a lab VM; on a real machine, add an ACCEPT rule restricted to the scanner's source address ahead of the REJECT line instead of removing the REJECT.
The test afterwards:
[iyunv@CentOS.1 23:00 ~]
#nmap -sA -p 53,80,3306 192.168.10.129
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-04 23:00 PDT
Interesting ports on CentOS.2 (192.168.10.129):
PORT STATE SERVICE
53/tcp unfiltered domain
80/tcp unfiltered http
3306/tcp unfiltered mysql
MAC Address: 00:0C:29:42:99:CF (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.084 seconds
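To make the mechanism concrete, here is an added example (not code from the original post) that builds the TCP ACK probe `nmap -sA` sends and then parses two constructed replies: the RST the target's TCP stack returns when the probe gets through, and the ICMP type 3 / code 10 error that `-j REJECT --reject-with icmp-host-prohibited` generates. The target address and ports are the ones from the scans above; the scanner address 192.168.10.128, the probe's source port and the sequence number are assumptions. Every packet is constructed in memory and nothing is put on the wire.

```python
"""Why an iptables REJECT shows up as "filtered" in an nmap ACK scan.

Added example, not code from the original post. Builds raw IPv4/TCP/ICMP
packets with struct, then classifies replies the way nmap -sA does.
"""
import socket
import struct

SCANNER = "192.168.10.128"   # assumption: the scanning host (CentOS.1)
TARGET = "192.168.10.129"    # from the post (CentOS.2)
PROBE_SPORT = 40000          # assumption: nmap picks a random source port
TCP_ACK, TCP_RST = 0x10, 0x04
# ICMP type 3 codes that nmap's ACK scan reports as "filtered"
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}
ICMP_HOST_PROHIBITED = 10    # what --reject-with icmp-host-prohibited sends


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, flags, seq=0, ack=0) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def tcp_ports(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def ack_probe(dport: int) -> bytes:
    """The bare ACK that nmap -sA sends to each target port."""
    seg = tcp_segment(SCANNER, TARGET, PROBE_SPORT, dport, TCP_ACK, seq=0x12345678)
    return ipv4_header(SCANNER, TARGET, 6, len(seg)) + seg


def rst_reply(probe: bytes) -> bytes:
    """What the TCP stack answers to an ACK that belongs to no connection."""
    sport, dport = tcp_ports(probe)
    seg = tcp_segment(TARGET, SCANNER, dport, sport, TCP_RST)
    return ipv4_header(TARGET, SCANNER, 6, len(seg)) + seg


def icmp_unreachable_reply(probe: bytes, code: int) -> bytes:
    """ICMP type 3 error quoting the offending IP header + 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(TARGET, SCANNER, 1, len(body)) + body


def classify(reply, probe: bytes) -> str:
    """Return the port state nmap -sA prints for `reply` to `probe`."""
    if reply is None:
        return "filtered"          # no answer (e.g. -j DROP): nmap retries, then "filtered"
    ihl = (reply[0] & 0x0F) * 4
    proto = reply[9]
    if proto == 6:                 # TCP
        flags = reply[ihl + 13]
        sport, dport = struct.unpack("!HH", reply[ihl:ihl + 4])
        if flags & TCP_RST and (dport, sport) == tcp_ports(probe):
            return "unfiltered"    # RST came back: the probe reached the TCP stack
    elif proto == 1:               # ICMP
        itype, icode = reply[ihl], reply[ihl + 1]
        quoted = reply[ihl + 8:ihl + 36]
        if itype == 3 and icode in FILTERED_ICMP_CODES and quoted == probe[:28]:
            return "filtered"      # a firewall answered on the host's behalf
    return "unknown"


def scan(ports, reject_rule_present: bool) -> dict:
    """Simulate the two firewall states from the post for an ACK scan of `ports`."""
    result = {}
    for p in ports:
        probe = ack_probe(p)
        reply = (icmp_unreachable_reply(probe, ICMP_HOST_PROHIBITED)
                 if reject_rule_present else rst_reply(probe))
        result[p] = classify(reply, probe)
    return result


if __name__ == "__main__":
    print("with REJECT rule:   ", scan([53, 80, 3306], reject_rule_present=True))
    print("REJECT commented out:", scan([53, 80, 3306], reject_rule_present=False))
```

The point the simulation makes is that the state nmap prints is a statement about the firewall, not about whether a service listens: with the REJECT rule in place, closed ports (80, 3306) and the open one (53) are indistinguishable, and with it gone they all answer with RST. Replacing REJECT by DROP would not help either, since a probe that gets no reply is also reported as filtered.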
----------------------------------------------------End of article-----------------------------------------------