prevent clients from port scanning

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

prevent clients from port scanning

Post by shakibamoshiri » Wed Jan 11, 2023 8:15 am

Is it possible, either via
- Virtual Hub Access list
- Iptables
- etc.
to block protocols or filter packets in order to prevent users from malicious activities once they have connected to a SE server?

For example, in the Hub Access List, Deny ICMP v4 / v6 is useful, but I do not think it is enough.
What other ways can we use, especially to prevent them from net/port scanning?
Regards

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: prevent clients from port scanning

Post by solo » Wed Jan 11, 2023 11:52 am

Apply VPN Gate's packet filtering rules.

The Virtual Hub "VPNGATE" has the following access lists (packet filtering rules).

1
Action: Discard, Status: Enable, Priority: 1, Memo: Outbound Port 25 Blocking, Contents: (ipv4) Protocol=TCP, DstPort=25
2
Action: Discard, Status: Enable, Priority: 2, Memo: Outbound MS-SMB Blocking #1, Contents: (ipv4) Protocol=TCP, DstPort=135-139
3
Action: Discard, Status: Enable, Priority: 3, Memo: Outbound MS-SMB Blocking #2, Contents: (ipv4) Protocol=TCP, DstPort=445
4
Action: Discard, Status: Enable, Priority: 4, Memo: Outbound MS-SMB Blocking #3, Contents: (ipv4) Protocol=UDP, DstPort=135-139
5
Action: Discard, Status: Enable, Priority: 5, Memo: Outbound MS-SMB Blocking #4, Contents: (ipv4) Protocol=UDP, DstPort=445
6
Action: Discard, Status: Enable, Priority: 6, Memo: Keep-alive Blocking for Saving Bandwidth, Contents: (ipv4) DstIPv4=130.158.6.56/32
7
Action: Pass, Status: Enable, Priority: 7, Memo: Permit DNS Packets (UDP), Contents: (ipv4) Protocol=UDP, DstPort=53
8
Action: Pass, Status: Enable, Priority: 8, Memo: Permit DNS Packets (TCP), Contents: (ipv4) Protocol=TCP, DstPort=53
9
Action: Pass, Status: Enable, Priority: 9, Memo: Permit DHCP Packets #1, Contents: (ipv4) Protocol=UDP, DstPort=67-68
10
Action: Pass, Status: Enable, Priority: 10, Memo: Permit DHCP Packets #2, Contents: (ipv4) Protocol=UDP, SrcPort=67-68
11
Action: Pass, Status: Enable, Priority: 11, Memo: Permit Packets to Private Gateway / DNS Server, Contents: (ipv4) DstIPv4=10.211.254.0/24
12
Action: Pass, Status: Enable, Priority: 12, Memo: Permit Packets from Private Gateway / DNS Server, Contents: (ipv4) SrcIPv4=10.211.254.0/24
13
Action: Discard, Status: Enable, Priority: 13, Memo: Deny Packets to Neighbor VPN Clients, Contents: (ipv4) SrcIPv4=10.211.0.0/16, DstIPv4=10.211.0.0/16
14
Action: Pass, Status: Enable, Priority: 14, Memo: Permit Any Packets to VPN Segment, Contents: (ipv4) DstIPv4=10.211.0.0/16
15
Action: Discard, Status: Enable, Priority: 15, Memo: Block Any Packets to LAN (192.168.0.0/16), Contents: (ipv4) DstIPv4=192.168.0.0/16
16
Action: Discard, Status: Enable, Priority: 16, Memo: Block Any Packets to LAN (172.16.0.0/12), Contents: (ipv4) DstIPv4=172.16.0.0/12
17
Action: Discard, Status: Enable, Priority: 17, Memo: Block Any Packets to LAN (10.0.0.0/8), Contents: (ipv4) DstIPv4=10.0.0.0/8
18
Action: Discard, Status: Enable, Priority: 18, Memo: Block Any Packets to APIPA (169.254.0.0/16), Contents: (ipv4) DstIPv4=169.254.0.0/16
19
Action: Discard, Status: Enable, Priority: 19, Memo: Block Any Packets to Multicast (224.0.0.0/4), Contents: (ipv4) DstIPv4=224.0.0.0/4
20
Action: Discard, Status: Enable, Priority: 20, Memo: Block Any Packets to CGN Shared Address Space (100.64.0.0/10), Contents: (ipv4) DstIPv4=100.64.0.0/10

Note: 
IP packets that did not match any access list items can pass.
Items with higher priority appear higher in the list.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: prevent clients from port scanning

Post by shakibamoshiri » Wed Jan 11, 2023 4:20 pm

solo wrote:
Wed Jan 11, 2023 11:52 am
Apply VPN Gate's packet filtering rules.

Sounds good, I will test and share the result here.
If you do not mind, please give me a reference link for these rules. I would like to read the documentation if there is any.
Thank you

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: prevent clients from port scanning

Post by shakibamoshiri » Thu Jan 12, 2023 9:10 am

solo wrote:
Wed Jan 11, 2023 11:52 am
Apply VPN Gate's packet filtering rules.

I wanted to block everything except DHCP, DNS, HTTP, HTTPS.

Dear @solo, here is what I came up with:
- DHCP 67-78 from/to SE servers from/to SE clients (TCP/UDP)
- DNS, HTTP, HTTPS 53, 80, 443 to any server from SE clients (TCP/UDP)
- DNS, HTTP, HTTPS 53, 80, 443 from any server to SE clients (TCP/UDP)
But I am not sure whether this is fully correct or not.

Here is a shot of the rules:
[screenshot of the access list rules]

Some questions:
1. Are there any bugs/flaws with this setting?
2. Can the Access List slow down (or affect) clients' speed?
Like what we have with SecureNAT and local bridge, where local bridge is the better choice for performance.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: prevent clients from port scanning

Post by shakibamoshiri » Thu Jan 12, 2023 10:47 am

And here are the iptables rules I came up with:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.11.12.0/24 -p icmp -j DROP
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j DROP
-A OUTPUT -d 100.64.0.0/10 -j DROP
-A OUTPUT -d 169.254.0.0/16 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 10.0.0.0/8 -j DROP

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: prevent clients from port scanning

Post by solo » Thu Jan 12, 2023 11:37 am

Hi shakibamoshiri, to "prevent clients from port scanning", the VPN Gate rules are perfect. As you move the goalpost, these rules need to be re-written and re-grouped.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: prevent clients from port scanning

Post by shakibamoshiri » Thu Jan 12, 2023 12:38 pm

solo wrote:
Thu Jan 12, 2023 11:37 am
Hi shakibamoshiri, to "prevent clients from port scanning", the VPN Gate rules are perfect. As you move the goalpost, these rules need to be re-written and re-grouped.
Yes, I think I should have asked/created a new post: "how to limit SE clients to just web browsing (ports 53, 80, 443)".
The SE Access List is great, but after testing the VPN Gate rules (they worked) I thought, why not
- apply it system-wide, so using iptables
- add more limitation, so limit clients' access to 53, 80 and 443 and DROP the rest
That is the reason I posted the Access List / iptables with new rules after I tested VPN Gate.
