Richard Cochinos <[EMAIL PROTECTED]> writes:

> What I did first was to drop all defaults installed:
> iptables -P INPUT DROP
>
> Then I edited to allow ports I want open:
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Sounds like a good plan.

> I followed the same guideline for OUTPUT, so my tables look something
> like:
> iptables -L INPUT
> Chain INPUT (policy ACCEPT)

This is the problem: if you set the policy to DROP, why does it report a
default of ACCEPT? That is why you see all those ports open on NMAP. Go
ahead, try to telnet into those ports; you'll see them open.

My strategy is somewhat different; I do something like this at home:

iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

Dropping all the SYNs other than 22 means no connections except to ssh.

A third method you may wish to consider: if you don't want people
connecting to your ntp or discard port or whatever, consider some
strategic editing of inetd.conf and run some dpkg --purge to get rid of
those services.

As a totally unrelated note, this is my first attempt at posting via the
GMANE server, this will be interesting...
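As an added example (not code from either message in this thread), here is a small POSIX sh script that puts the two rulesets discussed above side by side and adds the check the original poster was missing: reading back the policy line of `iptables -L INPUT` and confirming it really says DROP. Assumptions: iptables is installed, the script is run as root, and the names `SSH_PORT`, `DRY_RUN` and the function names are this example's own. The loopback and conntrack rules in the first variant are additions beyond what either message shows; without them a default-deny policy also discards replies to the host's own outbound connections.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes iptables is installed
# and the script runs as root; set DRY_RUN=1 to only print the commands.
# SSH_PORT, DRY_RUN and the function names are this example's own.

SSH_PORT="${SSH_PORT:-22}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant 1: default-deny policy with explicit ACCEPTs (the original poster's
# plan). The lo and conntrack rules are additions: without them a DROP policy
# also discards replies to the host's own outbound connections.
apply_policy_drop() {
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Variant 2: leave the policy alone and drop every SYN except to ssh (the
# reply's approach). Non-SYN segments still pass, so established flows work.
apply_syn_drop() {
    run iptables -F INPUT
    run iptables -A INPUT -p tcp --syn --dport "$SSH_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --syn -j DROP
}

# Read an `iptables -L INPUT` listing on stdin and succeed only if the first
# line shows policy DROP. This is the check the poster's own listing failed:
# it reported "(policy ACCEPT)" even though -P INPUT DROP had been issued.
input_policy_is_drop() {
    sed -n '1p' | grep -q '^Chain INPUT (policy DROP)'
}

# Live check on this host (needs root).
check_input_policy() {
    if iptables -L INPUT -n | input_policy_is_drop; then
        echo "INPUT policy is DROP"
    else
        echo "INPUT policy is NOT DROP; -P INPUT DROP did not take effect" >&2
        return 1
    fi
}

# Usage: DRY_RUN=1 sh fw.sh policy            (print the rules)
#        sh fw.sh policy && sh fw.sh check    (apply as root, then verify)
#        sh fw.sh syn                         (the --syn DROP variant)
case "${1:-}" in
    policy) apply_policy_drop ;;
    syn)    apply_syn_drop ;;
    check)  check_input_policy ;;
esac
```

Run it with `DRY_RUN=1` first to see exactly what will be issued, then apply and run the check; a listing that still begins with `Chain INPUT (policy ACCEPT)` means the policy change never landed and the ACCEPT rule for port 22 is doing nothing the default was not already doing.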

