On Sat, 3 Aug 2002, Brad Bendily wrote:

> On Sat, 3 Aug 2002, Alex wrote:
>
> > Does anyone here use IPtables and have a cable modem? (or similar
> > connection). What ports do you filter and not filter? I'm tempted to
> > block almost everything but I started wondering that if there were some
> > ports that were essential to leave open...
>
> I block everything and only allow what I want to let through. Actually if you
> use stateful inspection you could probably block everything coming in
> and IPTables would handle all the outgoing traffic. I do some port forwarding
> so I allow port 21 in, but only from certain addresses.

Great advice... block everything! Nothing is essential to leave open. Actually
for a home setup, I say allow everything outgoing, but block everything
incoming. Obviously some traffic will have to come back in, and that's where
stateful inspection helps. The only incoming packets allowed back in are ones
that are part of, or related to, outgoing connections that you initiated. The
key is to not allow anyone to initiate connections to your box.

Also when testing iptables rules, tcpdump is your best friend. Learn how to
listen on different interfaces and for different hosts/ports and such. It'll
let you know what's going on.

> You shouldn't need to allow DHCP. That will get done with the forward rules.
> When a machine from your local LAN requests an address the forward rule will
> let it out and the stateful will let it back in.

Well if the Linux box is doing the DHCP request, it would be handled by the
OUTPUT chain. So you have to allow it outgoing, and the reply will be handled
by the stateful rule.

> > Is there a way to make iptables reject packets the exact same way that the
> > kernel would normally do? Or is it better for the system to not even
> > acknowledge that there is listening on a given port...

Yes, you can REJECT the packets like Brad said, but why give them the
satisfaction of a definitive reply from your machine saying "this port is
closed". Why not just silently ignore/drop the packet, and keep them
wondering. Also if you reject all packets, portscanning your machine would
happen very quickly since you reply to each request immediately. But if you
just drop the packet, the scanner will have to wait until the timeout expires
(10-60 seconds) for every probed port.... which makes scanning VERY SLOW.
Chances are he'll move on to an easier target.
:)

-Ray

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                   http://www.r-a-y.org
Systems Engineer                 Southeastern Louisiana University
IBM Certified Specialist         AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
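As an added example (not code from the thread or from any of its posters), here is a shell script that turns the advice above into one iptables ruleset: OUTPUT open, INPUT and FORWARD default to DROP rather than REJECT, a single stateful rule lets replies to connections the box or the LAN started back in, the box's own DHCP reply is allowed explicitly, and a port 21 forward restricted to one source address stands in for Brad's setup. The interface names (eth0 outside, eth1 inside), the LAN range 192.168.1.0/24, the inside host 192.168.1.20 and the permitted source 203.0.113.10 are all assumptions chosen for the example; change them to match your network. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Home-router ruleset in the spirit of the thread: allow everything outgoing,
# DROP (not REJECT) everything unsolicited coming in, and let replies back in
# through connection tracking. Added example, not code from the original post.
#
# Assumptions (hypothetical, change to taste): the box's outside interface is
# eth0 and gets its address by DHCP; the home LAN hangs off eth1 as
# 192.168.1.0/24 and is masqueraded; the one forwarded service is FTP control
# (port 21, as in Brad's setup) to 192.168.1.20, reachable only from the
# documentation address 203.0.113.10.
#
# By default the script only PRINTS the iptables commands. To apply them, run
# it as root with IPT=iptables.
IPT="${IPT:-echo}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # Clean slate.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X

    # Policies: nothing unsolicited in or through, anything out.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback must always work.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # The stateful rule: only packets that are part of, or related to,
    # connections the box (INPUT) or the LAN (FORWARD) initiated get back in.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A "new" TCP connection that does not start with SYN is bogus; drop it.
    "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # DHCP client on the box itself: the request leaves through OUTPUT
    # (policy ACCEPT). The broadcast reply arrives as UDP 67 -> 68 and does
    # not necessarily match the tuple of the outgoing DISCOVER, so allow it
    # explicitly rather than rely on conntrack for it.
    "$IPT" -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT

    # LAN hosts go out freely and are masqueraded behind the WAN address.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Port forward restricted to one source: DNAT in nat/PREROUTING, then a
    # matching FORWARD accept. Anything else in FORWARD hits the DROP policy.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp -s 203.0.113.10 --dport 21 \
        -j DNAT --to-destination 192.168.1.20:21
    "$IPT" -A FORWARD -i "$WAN" -p tcp -s 203.0.113.10 -d 192.168.1.20 \
        --dport 21 -m state --state NEW -j ACCEPT

    # No final REJECT: whatever is left falls through to the INPUT/FORWARD
    # DROP policy, so a scanner gets no RST or ICMP error and has to wait
    # out its timeout on every port it probes.
}

# How a closed port answers a probe, for comparison. "drop" is what the
# ruleset above does; "reject" answers at once with a TCP RST (or, without
# --reject-with, an ICMP port-unreachable), which is what an unfirewalled
# host does for a closed port and what makes a scan fast.
closed_port_rule() {
    case "$1" in
        drop)   "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$2" -j DROP ;;
        reject) "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$2" \
                    -j REJECT --reject-with tcp-reset ;;
        *)      echo "usage: closed_port_rule drop|reject PORT" >&2; return 1 ;;
    esac
}

apply_rules
```

Run it as is to review the commands; `IPT=iptables sh fw.sh` as root applies them. While testing, `tcpdump -ni eth0` on the outside interface shows what actually arrives and what the box answers, which is the check recommended above: a probe to a closed port should produce no reply packet at all with this ruleset.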
