How do I stop sending ICMP timestamp replies and requests?

Woohoo, progress! Updated below! I have been searching the web for an answer to this. I am using a Raspberry Pi running Raspbian (Debian 11). I have tried:

  • Using ipchains, but that is obsolete now, so I looked for how to do it with iptables. I found a tutorial suggesting iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP, but that gives the error iptables v1.8.7 (nf_tables): unknown option "--icmp-type"
  • Apparently nftables is the newer replacement for iptables, so I tried the following, using:
nft add table ip filter # create table. I would have needed to enter this, but the table was already created so I didn't have to. 
nft add chain ip filter INPUT { type filter hook input priority 0 \; } # create chain
nft insert rule ip filter INPUT icmp type timestamp-request counter drop
nft insert rule ip filter INPUT icmp type timestamp-reply counter drop
sudo systemctl start nftables
sudo systemctl enable nftables
#backup your old /etc/nftables.conf file first before continuing
sudo nft list ruleset > /etc/nftables.conf

  • Adding the line net.ipv4.tcp_timestamps = 0 to /etc/sysctl.conf, as I saw here

My full /etc/nftables.conf is shown below:

#!/usr/sbin/nft -f
flush ruleset

table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.0.0.0/24 ip daddr != 10.0.0.0/24 counter packets 0 bytes 0 masquerade
                oifname "wlan0" counter packets 0 bytes 0 masquerade
        }
}
table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                iifname "wlan0" oifname "uap0" ct state related,established counter packets 0 bytes 0 accept
                iifname "uap0" oifname "wlan0" counter packets 0 bytes 0 accept
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                icmp type timestamp-reply counter packets 0 bytes 0 drop
                icmp type timestamp-request counter packets 0 bytes 0 drop
        }
}

Still no luck. How do I block or disable my system replying to timestamp requests?

Edit: To test whether the Pi responds to timestamp requests, I run nmap -v -v -v -PP 10.6.74.84, where 10.6.74.84 is the Pi's IP, and then look for "Host is up, received timestamp-reply ttl 63 (0.0057s latency)." in the results.

And a breakthrough! /etc/nftables.conf is as above, but running sudo nft list ruleset prints:

table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.0.0.0/24 ip daddr != 10.0.0.0/24 counter packets 0 bytes 0 masquerade
                oifname "wlan0" counter packets 0 bytes 0 masquerade
        }
}
table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                iifname "wlan0" oifname "uap0" ct state related,established counter packets 0 bytes 0 accept
                iifname "uap0" oifname "wlan0" counter packets 0 bytes 0 accept
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
}

That's different! Several lines are missing! So the ruleset isn't being updated to match the latest contents of the .conf file, or something? Going to do some research.
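An added check (example code, not the poster's) that parses the listing format `nft list ruleset` prints, which the saved /etc/nftables.conf uses as well, reports which rules in the saved file are absent from the live ruleset, and tells whether the input hook drops both ICMP timestamp types; the two embedded listings are constructed from the INPUT chain shown above.

```python
import re
# Constructed sample input: the INPUT chain from the saved /etc/nftables.conf
# above, and the same chain as `nft list ruleset` printed it (rules missing).
CONF_TEXT = """#!/usr/sbin/nft -f
flush ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                icmp type timestamp-reply counter packets 0 bytes 0 drop
                icmp type timestamp-request counter packets 0 bytes 0 drop
        }
}
"""
LIVE_TEXT = """table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
}
"""
COUNTER = re.compile(r"counter packets \d+ bytes \d+")

def parse_ruleset(text):
    """Map (family, table, chain) -> list of rules, with counters normalised."""
    rules, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "flush ruleset":
            continue  # shebang, comments and the leading flush carry no rules
        if m := re.match(r"table (\w+) (\S+) \{$", line):
            table, chain = (m.group(1), m.group(2)), None
        elif m := re.match(r"chain (\S+) \{$", line):
            chain = m.group(1)
            rules[(*table, chain)] = []
        elif line == "}":
            table, chain = (table, None) if chain else (None, None)
        elif chain and not line.startswith("type "):  # skip the hook definition
            rules[(*table, chain)].append(COUNTER.sub("counter", line))
    return rules

def missing_rules(conf_text, live_text):
    """Rules in the saved config that the running kernel does not have."""
    conf, live = parse_ruleset(conf_text), parse_ruleset(live_text)
    return {k: [r for r in v if r not in live.get(k, [])] for k, v in conf.items()
            if any(r not in live.get(k, []) for r in v)}

def icmp_timestamp_blocked(live_text):
    """True when the ip filter INPUT chain drops both ICMP timestamp types."""
    chain = parse_ruleset(live_text).get(("ip", "filter", "INPUT"), [])
    return all(any(r.startswith(f"icmp type {t}") and r.endswith("drop") for r in chain)
               for t in ("timestamp-request", "timestamp-reply"))
```

The nftables service loads /etc/nftables.conf with `nft -f` at start, so a saved file that differs from the live ruleset only takes effect once it is loaded again. Note that net.ipv4.tcp_timestamps controls the TCP timestamp option, not ICMP timestamp messages.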
