Circumventing inbound traffic rule by faking reply traffic

My question is about security groups/firewalls and protecting a virtual private cloud from the external world. Here is a description of VPC default policy for inbound/outbound traffic (on AWS):

Each security group by default contains an outbound rule that allows access to any IP address. It’s important to note that when an instance sends traffic out, the security group will allow reply traffic to reach the instance, regardless of what inbound rules are configured.

I was wondering if there exists an attack vector where a malicious user tries to circumvent the VPC’s inbound policy (i.e. block all traffic) by tricking it into thinking that the incoming traffic is “reply” traffic? Does such an attack have a name in the literature?

I can also think of a scenario where a target machine T (within a VPC) sends a request to some valid server V, but the malicious user M sends a malicious response to T (tricking it into believing that it comes from V) before T receives the actual response from V, thence circumventing T’s inbound traffic policy.

PCI DSS 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

A strict interpretation of that rule would seem to prohibit web browsing by PCs on the same LAN as a card processing PC. However, it appears that rule is interpreted in practice as though it says “Restrict inbound and outbound traffic to that which is necessary for the business environment.” Can anyone provide confirmation or clarification?

How to block all inbound traffic from a specific Internet address or subnet using TomatoUSB router software (LINUX based)

I’m not trained in Linux, but I think I found the solution to my problem documented, but it is not working as expected. I am NOT an iptables guru, I’m learning as I go.

A Russian IP is trying to hack my network, especially an email server I have running on my network. So I have a port forward of port 25 to the mail server machine. My router is running TomatoUSB – a Linux based router I have root ssh access to.

I’ve tried this command:

 iptables -I INPUT -s 45.142.195.5 -j DROP

And

 iptables -L -nv

returns a lot of stuff, and now at the very beginning looks like this:

 Chain INPUT (policy DROP 9 packets, 504 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  *      *       45.142.195.5         0.0.0.0/0

This did not stop the traffic, though, as my email server is still reporting connection attempts from this IP address, so the rule is not dropping anything.

Perhaps the INPUT chain is not where I need to add this? I’m not yet educated on the different chains. INPUT intuitively seemed like the right place, but because this is a NAT router, should I really have some sort of rule in the FORWARD chain that can say not to forward to anyone if this is the source address?

Seems like what I want to do should not be difficult, but I’m struggling to figure this one out so far.
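Two helpers for the situation above, added here as an example and not part of the original post. The first reads a saved `iptables -L -nv` listing (a constructed sample is embedded) and reports the packet counter of the DROP rule for a given source in a given chain: a counter stuck at 0 is the tell-tale sign that the rule sits in a chain the traffic never passes through, which on a NAT router is what happens to port-forwarded connections when the rule is only in INPUT. The second prints the INPUT and FORWARD rules that cover both the router itself and the forwarded port-25 traffic. Interface names in the sample (vlan2, br0) and the LAN address 192.168.1.10 are assumed.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -nv` output on a NAT router: the DROP
# rule in INPUT has matched nothing, while the FORWARD chain is still
# accepting the port-25 forward from the WAN side (vlan2) to the mail host.
SAMPLE_LISTING='Chain INPUT (policy DROP 9 packets, 504 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       45.142.195.5         0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  312 18720 ACCEPT     tcp  --  vlan2  br0     0.0.0.0/0            192.168.1.10         tcp dpt:25'

# drop_rule_hits CHAIN SRC_IP  (listing on stdin)
# Prints the packet counter of the DROP rule for SRC_IP in CHAIN,
# or "missing" when CHAIN has no DROP rule for that source.
# Field layout of -L -nv rows: pkts bytes target prot opt in out source dest
drop_rule_hits() {
    chain=$1
    src=$2
    awk -v chain="$chain" -v src="$src" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DROP" && $8 == src { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# block_source_rules SRC_IP
# Prints the commands that block SRC_IP for services running on the router
# (INPUT) and for traffic the router forwards to LAN hosts, such as the
# port-25 forward (FORWARD). Inserting at position 1 puts the DROP ahead of
# the ACCEPT rules that the port forward created.
block_source_rules() {
    src=$1
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$src"
    printf 'iptables -I FORWARD 1 -s %s -j DROP\n' "$src"
}

# Stand-alone run: diagnose the sample listing, then show the fix.
printf '%s\n' "$SAMPLE_LISTING" | drop_rule_hits INPUT 45.142.195.5
printf '%s\n' "$SAMPLE_LISTING" | drop_rule_hits FORWARD 45.142.195.5
block_source_rules 45.142.195.5
```

Pipe the real `iptables -L -nv` output into `drop_rule_hits` instead of the sample to check a live router; the FORWARD counter is the one to watch after applying the second rule.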

Configure Windows Firewall Inbound Rule for Program Not Installed on Server

How can I configure an inbound rule on a Windows Server 2016 firewall to allow access from a program which is not installed on the server? When searching for a program, browse is only offered for locations on the server. Is the path specified for the rule applied to the machine accessing the server? Is it possible to create a rule based only on the executable program file name, irrespective of where it is installed on the machine accessing the server?

Can a Bitcoin node create an outgoing connection to an inbound node?

I’m trying to figure out if we can create an outgoing connection to an inbound node (a node which we are already connected to, but where the remote peer has initiated the connection). I know that this does not make much sense, since we exchange information with inbound and outbound nodes. However, I have looked at the source code and did not find the code that prevents a node from doing that. Is anyone out there more successful?

Windows Server 2016 – Defender Firewall is not blocking inbound UDP packets to application?

Good evening!

The problem: I have a Windows Server 2016 machine with Windows Defender Firewall enabled, and I am trying to block inbound UDP packets to a custom network application.

What I’ve tried: I deleted every single rule under the Inbound Rules tab in Advanced Security, but yet the inbound packets (from the external network) are still able to reach the application?

iptables rule to nat inbound only ports

This would be a very long post if I had to explain all the reasons behind this:

  1. I have to have an application listening on port 8080
  2. This application also needs to listen on port 8181 — but the application doesn’t allow a second port.
  3. The rules defined have to be automatically rolled out to many different systems all of which have different networking requirements.

So what I have are these rules:

 iptables -t nat -A PREROUTING -p tcp --dport 8080 -i any -j REDIRECT --to-port 8181
 iptables -t nat -A OUTPUT -p tcp --dport 8080 -j REDIRECT --to-port 8181

This does work. Inbound requests are mapped from 8181 to 8080 — however, if this system has to perform a REST call to another system on port 8181 — it translates the outbound to 8080. Is there a way to specify inbound 8181 without defining the destination IP? I mean, if that’s what I have to do, I’ll write a more complex script to do it, but I was hoping there might be an easier way…