[Techtalk] question around port filtering, etc.

Brian Sweeney bsweeney at physics.ucsb.edu
Thu Aug 23 11:50:15 EST 2001


If they're going to filter you, filter them.  If you think they're going 
to filter out ports to your machine if they figure out you're running a 
mailserver on it, and you know their ip address b/c they're portscanning 
you, firewall them out of your webserver with iptables or ipchains 
depending on what kernel you're running.   If you've got the standard 
INPUT OUTPUT FORWARD chains set up, and you're running iptables, 
something like:

iptables -A INPUT -s <evil ISP scanner address> -p tcp --dport 123 -j DROP   # iptables target is DROP (DENY is the ipchains name)

or, if you're feeling really saucy,

iptables -A INPUT -s <evil ISP scanner address> -j DROP

and they'll never see anything on your machine (or at least it'll come 
up "filtered").  If they're being particularly clever, you could even do 
some port redirection, so that if they do hit the port your webserver is 
running on, it redirects them to something harmless.  I'm not sure if 
this will actually help at all though.

My guess is, however, that they're only going to make a habit of filtering 
out "well-known" server ports.  But that, as I said, is just a guess ;-).


Michelle Murrain wrote:

> Howdy folks,
> I've got high-speed internet access through a cable modem provider. 
> For a while, I was able to run a web server w/o any problem (using 
> Dynamic DNS). It is against their rules, but...
> Anyway, I had noticed they'd been portscanning me for a while (I was 
> using snort). I didn't think much of it, until yesterday I found out 
> that they are now filtering specific ports, including port 80, so 
> people can't get at my web sites. (The weird thing is that they have 
> open and/or are filtering ports that I don't have open - i.e. the 
> localhost nmap and external nmap do not match.). I have now decided to 
> move to getting business DSL, because I really want the ability to 
> host my own web sites, but that might take months. In the meantime, 
> I've changed the port that httpd is listening to - and it's working, 
> for now. I'm sure that they'll start filtering that port too at some 
> point.
> So this is my question: Is there any way to fool them about what port 
> httpd is running on? There is nothing essential right now on the web 
> site, but I've got a fair number of web programming projects that 
> people are beta testing, or using for minor projects, and telling them 
> what port to go to every other day is a pain, to say the least.  Also, 
> I've got some mailman lists I was going to resurrect, but then folks 
> wouldn't have access to the web interface easily. It would be nice if 
> I could just set a port, and that port would work for the duration 
> until I got new service.
> Additional info - right now, the cable modem is plugged into a Netopia 
> Router, which does NAT, and acts as a firewall. It can do some fairly 
> sophisticated stuff.
> .Michelle
> ------------------------
> Michelle Murrain
> michelle at murrain.net
> AIM:pearlbear0
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.simegen.com
> http://linuxchix.simegen.com/mailman/listinfo/techtalk
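An added example, not Brian's or Michelle's own commands, that builds both rule sets Brian describes above: dropping the scanner's address outright, and diverting only that address away from the real httpd port so its probe sees "closed" while everyone else still reaches the server. The IPTABLES variable, the address check, and the port numbers are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original thread). IPTABLES is a variable so the
# generated rules can be inspected without root (run with IPTABLES=echo).
IPTABLES="${IPTABLES:-iptables}"

# Refuse anything that is not a dotted-quad IPv4 address, so a placeholder
# such as "<evil ISP scanner address>" never reaches iptables.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Tactic 1: the scanner's address sees every port as "filtered".
# iptables uses -j DROP; -j DENY is the ipchains spelling and is rejected.
block_scanner() {
    scanner="$1"
    valid_ipv4 "$scanner" || { echo "bad address: $scanner" >&2; return 1; }
    "$IPTABLES" -A INPUT -s "$scanner" -j DROP
}

# Tactic 2: only for the scanner's address, redirect the real httpd port to a
# port nothing listens on (assumed values), so their probe reports "closed"
# while other clients still reach the web server on the real port.
divert_scanner_from_httpd() {
    scanner="$1"; httpd_port="$2"; dead_port="$3"
    valid_ipv4 "$scanner" || { echo "bad address: $scanner" >&2; return 1; }
    "$IPTABLES" -t nat -A PREROUTING -s "$scanner" -p tcp \
        --dport "$httpd_port" -j REDIRECT --to-ports "$dead_port"
}
```

DROP makes the probe time out ("filtered" in nmap), whereas a REJECT target or the diverted closed port answers immediately; which one you want depends on whether you prefer the scanner to see nothing at all or to see an ordinary closed port.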
