IPTables – Is It Possible to Intercept Only Nmap Scans?

Tags: iptables, nmap

I'm trying to redirect all scans coming from nmap to another destination.
I'm trying iptables, but I have no idea how to tell apart nmap scanning from legitimate traffic.

Is this achievable through iptables, or should I look somewhere else?

Best Answer

iptables is the user-level interface (utility) to the kernel's network packet filtering framework, Netfilter.

Netfilter is simply a packet filter: it filters what you set it to filter. It looks into the packet bytes, checks which ports, addresses and other options are set, and decides what to do with the packet. It does that simply packet by packet, making almost no reference to previously seen packets. With the help of the connection tracker it can sometimes tell whether a packet is a follow-up to, or otherwise related to, some other packet, designating all of them as a connection; this is already quite a sophistication. It may also modify packets using predefined rules (including network address translation). But this is almost all that Netfilter alone is designed to do.

What you are talking about, detecting port scans, is a very different kind of task: detecting certain traffic patterns. It is not sufficient to look packet by packet or just at connections. You have to consider a substantial snapshot of the traffic to see a pattern. And this is the job of a completely different kind of software, an Intrusion Detection System (IDS), or a traffic analyzer in general. There are some open-source ones, like Snort, and there are plenty of commercial systems of that kind.

And, as you may have guessed, those are very sophisticated and... inexact detectors. You can't be exact in this area. The probability that 5000 computers are querying 65000 different ports on the machine within some short period of time is very low, but not zero; there is always some uncertainty whether that's legitimate traffic or a scan. And scan detection is, I suppose, one of the easiest kinds of patterns to notice; there are many other cases which are even harder to tell apart and easier to hide and sneak past the IDS. This is the field where they all compete with each other over who does detection better, with more properly detected anomalies and fewer false positives, so detection algorithms are often their most valuable intellectual property.

Finally, an IDS may become an Intrusion Prevention System (IPS) when combined with packet filtering. For example, you may set it up so that it installs a rule in Netfilter when it thinks it has detected a scan, which will prevent further actions from those IP addresses. But Netfilter alone is not an IPS; it does no detection, so it is not surprising that you failed to achieve your goal.

Some antivirus software thinks it's smart and assumes the role of "IPS for the poor". It usually does this quite badly, and in my opinion this introduces more problems than it solves.

The main question is: why do you need that? What is bad about those scans for you? Let me put it another way: let's assume someone scans ports on your machine. Very likely they will find out that almost no ports are replying, or that most replies are "port unreachable". And what's wrong with that?
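The answer makes two points that are easier to see in code than in prose: a scan is a pattern across many packets from one source (the IDS part), and once a detector has made its decision, the only thing Netfilter is asked to do is enforce a simple per-source rule (the IPS part). The block below is an added example, written for this page and not taken from the answer or from any IDS product. It is a minimal, stateful scan detector: it parses iptables LOG lines, keeps a sliding window of distinct destination ports per source address, and when a source crosses a threshold it returns the iptables rule an IPS would install. The log lines are constructed to mimic the LOG target's output and are not real traffic; the window size and port threshold are illustrative knobs, and the rule is returned as an argv list rather than executed.

```python
"""Toy port-scan detector: the stateful, cross-packet view Netfilter alone lacks.

Added example for this page, not code from the answer or from any IDS.
Log lines are constructed in the shape of `iptables -j LOG` output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pull only what the detector needs from a LOG line: syslog timestamp, SRC, DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None for lines that are not LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # strptime without a year defaults to 1900; only time deltas are used, so that is fine.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dport"))


class ScanDetector:
    """Sliding-window count of distinct destination ports per source address.

    One SYN to a closed port is unremarkable; many distinct ports from one source
    inside a short window is the pattern. Threshold and window are assumptions,
    not tuned values, and as the answer says a too-low threshold produces false positives.
    """

    def __init__(self, window_seconds=10, port_threshold=20):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = port_threshold
        self.events = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
        self.flagged = {}                 # src -> ts at which it crossed the threshold

    def observe(self, ts, src, dport):
        """Record one packet; return True only the first time src crosses the threshold."""
        q = self.events[src]
        q.append((ts, dport))
        while ts - q[0][0] > self.window:  # expire events that fell out of the window
            q.popleft()
        if src in self.flagged:
            return False
        if len({p for _, p in q}) >= self.threshold:
            self.flagged[src] = ts
            return True
        return False


def block_rule(src):
    """The rule an IPS would hand to iptables once it has decided src is scanning.

    Returned as an argv list and never executed here. DROP mirrors the answer; a
    redirect would be a nat-table rule installed at the same point in the flow.
    """
    return ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]


def analyze(log_text, window_seconds=10, port_threshold=20):
    """Run the detector over LOG text; return {src: rule} for every flagged source."""
    det = ScanDetector(window_seconds, port_threshold)
    rules = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-LOG syslog noise
        ts, src, dport = parsed
        if det.observe(ts, src, dport):
            rules[src] = block_rule(src)
    return rules


def build_sample_log():
    """Constructed sample: one host sweeping 30 ports in ~6 s, one client using only 80/443."""
    fmt = ("Jan 10 12:00:{sec:02d} host kernel: IN: IN=eth0 OUT= SRC={src} "
           "DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP "
           "SPT={sport} DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")
    lines = []
    for i in range(30):  # scanner: 30 distinct ports, 5 per second
        lines.append(fmt.format(sec=i // 5, src="198.51.100.7", sport=40000 + i, dport=1 + i))
    for i in range(30):  # legitimate client: just as many packets, but only two ports
        lines.append(fmt.format(sec=i // 5, src="203.0.113.5", sport=50000 + i, dport=80 if i % 2 else 443))
    lines.append("Jan 10 12:00:07 host kernel: unrelated message")  # noise the parser must skip
    return "\n".join(lines)


if __name__ == "__main__":
    for src, rule in analyze(build_sample_log()).items():
        print(f"scan from {src}: would run: {' '.join(rule)}")
```

The legitimate client sends as many packets as the scanner and is never flagged, because the detector keys on distinct ports, not volume; that distinction is the "traffic pattern" the answer says needs a view wider than one packet or one connection. Raising `port_threshold` above the number of ports a source touched makes the same log produce no rule at all, which is the detection/false-positive trade-off the answer describes. Only the final `iptables ... -j DROP` step is something Netfilter does on its own.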