On Sat, 3 Aug 2002, Alex wrote:
> Does anyone here use IPtables and have a cable modem? (or similar
> connection). What ports do you filter and not filter? I'm tempted to
> block almost everything but I started wondering that if there were some
> ports that were essential to leave open...

I block everything and only allow what I want to let through. Actually, if you use stateful inspection you could probably block everything coming in and IPTables would handle all the outgoing traffic. I do some port forwarding, so I allow port 21 in, but only from certain addresses. You'll probably want to allow ssh in from either your local LAN or the internet.

> I guess for those of us that get our ip address dynamically, should we
> allow dhcp packets?

You shouldn't need to allow dhcp. That will get done with the forward rules. When a machine from your local LAN requests an address, the forward rule will let it out and the stateful rule will let it back in. Here's the stateful setup for my iptables:

$IPTABLES -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

> Whenever I test my configuration using nmap or the "Shields Up" on
> www.grc.com, it lists the ports I am blocking as "Stealth" or "Filtered".
>
> Is there a way to make iptables reject packets the exact same way that the
> kernel would normally do? Or is it better for the system to not even
> acknowledge that there is listening on a given port...

If you make the defaults for your tables:

$IPTABLES -P INPUT DROP

then this should be ok. There is a specific "reject", but to me it really doesn't matter if it's dropped or rejected. I don't know if this will work:

$IPTABLES -P INPUT REJECT

The examples on http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html should be able to get you started. This is where the forwarding examples are: http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

> Thanks
>
> -Alex

Good Luck!
Brad B
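The setup Brad describes (default-deny, stateful ESTABLISHED,RELATED accepts, ssh from the LAN, port 21 forwarded only from chosen addresses) as one complete script. This is an added example, not code from the thread: the interface names eth0/eth1, the LAN 192.168.1.0/24, the inside FTP host 192.168.1.10 and the peer addresses 203.0.113.5 and 198.51.100.7 are placeholders to replace. Two points the thread leaves open: REJECT is an extension target, not a built-in one, so `iptables -P INPUT REJECT` is refused; to answer like a normal host with closed ports you append REJECT rules at the end of INPUT (tcp-reset for TCP, icmp-port-unreachable for UDP), which the script does when REJECT_INSTEAD_OF_DROP=1. And if the firewall's own WAN address comes from DHCP and the client listens on an ordinary UDP socket (an assumption; dhclient uses a raw socket and is unaffected by these rules), the offer/ack arriving on UDP 68 from 67 has no state entry to match, so the script admits it explicitly.

```sh
#!/bin/sh
# Stateful iptables firewall for a masquerading box on a cable modem.
# Added example; interface names, addresses and ports are assumptions.
# Run as root with --apply to load the rules. With no argument it prints
# the commands it would run instead (dry run), which needs no privileges.

WAN=${WAN:-eth0}                                  # assumed: cable-modem side
LAN=${LAN:-eth1}                                  # assumed: inside interface
LAN_NET=${LAN_NET:-192.168.1.0/24}                # assumed: inside network
FTP_HOST=${FTP_HOST:-192.168.1.10}                # assumed: inside FTP server
FTP_PEERS=${FTP_PEERS:-203.0.113.5 198.51.100.7}  # assumed: only these reach port 21
IPTABLES=${IPTABLES:-iptables}

firewall_rules() {
    # Start from a clean slate.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # Default deny. DROP answers nothing, which scanners report as "stealth".
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback is always fine.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Stateful core: traffic belonging to a connection we already accepted,
    # or RELATED to one (FTP data channel, ICMP errors), is let through.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify are dropped early.
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # New outbound connections from the LAN are allowed and masqueraded.
    $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # ssh to the firewall itself, from the LAN only.
    $IPTABLES -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # DHCP answer for the firewall's own WAN address (assumes a client that
    # uses a normal UDP socket; dhclient's raw socket does not need this).
    $IPTABLES -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT

    # Forward FTP control (21) to the inside host, but only from named peers.
    # The data channel is RELATED once ip_conntrack_ftp/ip_nat_ftp are loaded.
    for peer in $FTP_PEERS; do
        $IPTABLES -t nat -A PREROUTING -i $WAN -s $peer -p tcp --dport 21 \
            -j DNAT --to-destination $FTP_HOST:21
        $IPTABLES -A FORWARD -i $WAN -o $LAN -s $peer -d $FTP_HOST -p tcp --dport 21 \
            -m state --state NEW -j ACCEPT
    done

    # Optional: look like a host with closed ports rather than a black hole.
    # A closed TCP port answers RST, a closed UDP port ICMP port-unreachable.
    if [ "${REJECT_INSTEAD_OF_DROP:-0}" = 1 ]; then
        $IPTABLES -A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
        $IPTABLES -A INPUT -i $WAN -p udp -j REJECT --reject-with icmp-port-unreachable
    fi
    # Anything else falls through to the DROP policy.
}

# Same rules, printed instead of executed (subshell keeps IPTABLES local).
dry_run() {
    ( IPTABLES="echo iptables"; firewall_rules )
}

case "${1:-}" in
    --apply) firewall_rules ;;
    *)       dry_run ;;
esac
```

Run it without arguments first and read the printed commands; then `sh firewall.sh --apply` as root. Load the FTP helper modules (ip_conntrack_ftp and ip_nat_ftp on a 2.4 kernel) before testing the port 21 forward, or the data connection will not be RELATED and will be dropped. Re-run nmap from outside afterwards: with the default settings every port shows as filtered; with REJECT_INSTEAD_OF_DROP=1 they show as closed.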
