public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] RE: port knocking
From: morgan allen @ 2005-10-04 20:12 UTC
  To: gentoo-security

Here is a method I use to frustrate people trying to
nab my wifi connection using iptables (wireless router
-> linux router -> dsl -> net). The wireless router is
set up with a basic NAT for my desktops and wireless,
but the wireless comes in on its own NIC. With
PREROUTING set to drop, I have
[1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT

echo 204 > /proc/sys/net/ipv4/ip_default_ttl
on my laptop init.

-- 
gentoo-security@gentoo.org mailing list

* Re: [gentoo-security] RE: port knocking
From: boger @ 2005-10-04 20:25 UTC
  To: morgan allen

Hello morgan,

Wednesday, October 5, 2005, 12:12:53 AM, you wrote:

ma> Here is a method I use to frustrate people trying to
ma> nab my wifi connection using iptables (wireless router
ma> -> linux router -> dsl -> net). The wireless router in
ma> setup with a basic NAT for my desktops and wireless
ma> but the wireless comes in on its own nic. with
ma> prerouting set to drop, I have
ma> [1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
ma>
ma> echo 204 > /proc/sys/net/ipv4/ip_default_ttl
ma> on my laptop init

Correct me if I'm wrong, but it works only from the LAN, because the TTL decreases when routed.

Also it needs root or a special user to change /proc/sys/...

-- 
Best regards,
 boger                            mailto:boger@ttk.ru

* Re: [gentoo-security] RE: port knocking
From: Dan Gregory @ 2005-10-04 20:31 UTC
  To: gentoo-security


morgan allen wrote:

>  -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
> 
> echo 204 > /proc/sys/net/ipv4/ip_default_ttl

202 != 204?

Is this a typo?

Dan

* [gentoo-security] RE: port knocking
From: morgan allen @ 2005-10-04 20:45 UTC
  To: gentoo-security

Yes, I have it set up to work only from the LAN side, but I
can work from the net side by tracerouting first, then
setting the TTL accordingly. And yes, unfortunately it
does require special privileges.

* [gentoo-security] RE: port knocking
From: morgan allen @ 2005-10-04 20:51 UTC
  To: gentoo-security

Nope, laptop -> wifi router -> iptables.

* Re: [gentoo-security] RE: port knocking
From: Willie Wong @ 2005-10-04 21:57 UTC
  To: gentoo-security

On Tue, Oct 04, 2005 at 04:31:38PM -0400, Dan Gregory wrote:
> >  -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
> > 
> > echo 204 > /proc/sys/net/ipv4/ip_default_ttl
> 
> 202 != 204?
> 
> Is this a typo?
> 
Thought so at first, but remember that each time a router touches it the
TTL gets decreased. So if the linux routing box is two hops away from
the laptop (which is likely if he has a separate wireless router
dedicated to such use) the difference of two would be the right
solution. :)

W
-- 
"What the hell, he thought, you're only young once, and 
threw himself out of the window. That would at least keep 
the element of surprise on his side." 

- Ford outwitting a Vogon with a rocket launcher by going 
into another certain death situation. 
Sortir en Pantoufles: up 54 days, 58 min
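As an added illustration (not code posted by anyone in this thread), here is a small Python model of the TTL-match rule discussed above: each router hop decrements the TTL by one, the linux box's PREROUTING chain accepts only packets arriving with `--ttl-eq 202`, and a client that wrote 204 to `ip_default_ttl` therefore matches only when it is exactly two hops away. The hop count, client names and their TTL values are constructed assumptions; the model also shows why the rule breaks for a client at a different hop distance and why a default-TTL client is dropped.

```python
"""Model of a TTL-equality filter (iptables -m ttl --ttl-eq N) in front of a
default-DROP PREROUTING chain. Hop counts and client TTLs are constructed
assumptions for illustration, not measurements from any real network."""

MATCH_TTL = 202          # value in: -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
LINUX_DEFAULT_TTL = 64   # stock Linux ip_default_ttl when left untouched
WINDOWS_DEFAULT_TTL = 128  # common default for Windows hosts (assumption for the example)


def ttl_on_arrival(initial_ttl, hops):
    """TTL a packet carries when it reaches a box `hops` routers away.

    Every forwarding router decrements the field by one. If it would reach 0
    the packet is discarded in transit, modelled here as None."""
    remaining = initial_ttl - hops
    return remaining if remaining > 0 else None


def prerouting_accepts(arrival_ttl, match_ttl=MATCH_TTL):
    """Evaluate the PREROUTING chain: ACCEPT on exact TTL match, otherwise the
    chain policy (DROP) applies. A packet lost in transit never arrives."""
    return arrival_ttl is not None and arrival_ttl == match_ttl


def required_default_ttl(match_ttl, hops):
    """Value to write to /proc/sys/net/ipv4/ip_default_ttl on the client so
    its packets arrive with `match_ttl` after `hops` hops (the thread's
    202 + 2 = 204). The IPv4 TTL field is 8 bits, so the result must fit."""
    value = match_ttl + hops
    if not 1 <= value <= 255:
        raise ValueError(f"ip_default_ttl {value} is outside 1..255")
    return value


def evaluate(clients, hops_to_filter, match_ttl=MATCH_TTL):
    """Return {client: accepted?} for clients a fixed number of hops away."""
    return {
        name: prerouting_accepts(ttl_on_arrival(initial_ttl, hops_to_filter), match_ttl)
        for name, initial_ttl in clients.items()
    }


# Constructed sample population: the configured laptop plus two untouched hosts.
SAMPLE_CLIENTS = {
    "laptop (ip_default_ttl=204)": 204,
    "windows host (default)": WINDOWS_DEFAULT_TTL,
    "linux host (default)": LINUX_DEFAULT_TTL,
}

if __name__ == "__main__":
    # Two hops (laptop -> wifi router -> linux router) as argued in the thread.
    for client, accepted in evaluate(SAMPLE_CLIENTS, hops_to_filter=2).items():
        print(f"{client:30} -> {'ACCEPT' if accepted else 'DROP'}")
    # The same laptop one hop further away no longer matches: the filter
    # only works from a fixed position on the LAN side.
    print("laptop at 3 hops:", evaluate({"laptop": 204}, hops_to_filter=3)["laptop"])
    print("required ip_default_ttl for 2 hops:", required_default_ttl(MATCH_TTL, 2))
```

The model makes the two caveats raised in the thread concrete: the match holds only at one exact hop distance, and the value the client must set depends on that distance, so the rule is an access filter tied to topology rather than to any identity.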
