/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Pankaj Arora wrote:
> I have a question,
>
> Correct me if I'm wrong.
>
> Normally, when you try to connect to a computer on a port that is not open
> you will get a "port unreachable" reply from the target computer. That is,
> if you try to connect to a computer--let's say--on port 21 for FTP and that
> computer is not running an FTP server on that port it will send a reply
> informing nothing is running.
>
> I know with IP CHAINS you can REJECT requests (sending an "unreachable"
> message) or DENY requests completely (sending nothing).
>
> Is there a way I can have my Linux box, by default, DENY requests to any and
> all ports that are not open as opposed to the current default of sending a
> port unreachable message (which would be the same as REJECT) to computers
> attempting to connect to non-open ports?
>
> I figure this should be pretty simple to do -- and if done on a MASQ box
> should not affect the computers being MASQ'd.
>
> Thanks for your help -- really appreciate it.
>
> Pankaj Arora
i don't think you can change this behaviour.
however, you can create a perfect simulation :)
ipchains -P input DENY
this will DENY anything that hasn't been permitted by other ipchains
commands. note that you'll have to have ipchains commands to accept
packets for your open ports. just having a server running on a
particular port isn't enough.
masqueraded computers won't be visible at all to the outside without
port forwarding so this isn't an issue. if you meant that it shouldn't
affect masqueraded computers communicating with the masquerading computer,
then you'd need a rule like:
ipchains -A input -i eth0 -j ACCEPT
where eth0 is the masquerading computer's interface that connects it to
the masqueraded computers (i.e. internal interface).
then, the internal computers can talk to the masquerading computer but
the external net can only talk to the masquerading computer on the ports
that you have accepted with ipchains. attempts to connect to all other
ports will result in no response.
raf
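As an added example, not part of raf's reply or of the ipchains project: a shell script that assembles the default-DENY input ruleset described above, and goes one step further by also letting in replies to connections the firewall itself opens and by logging what hits the policy. It assumes the external interface is eth1, the internal (masqueraded side) interface is eth0, and that the box serves TCP 22 and 80; with DRY_RUN=1 (the default) it only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: eth1 faces the
# outside, eth0 faces the masqueraded hosts, services listen on TCP 22 and 80.
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = actually call ipchains

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_input_rules() {
    run ipchains -F input
    # Default policy: drop silently, so no ICMP port-unreachable or TCP RST
    # is returned for ports nothing is listening on.
    run ipchains -P input DENY
    # Loopback and the internal interface are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -j ACCEPT
    # Every service the box offers to the outside needs an explicit ACCEPT;
    # a listening daemon alone is not enough once the policy is DENY.
    for p in $OPEN_TCP_PORTS; do
        run ipchains -A input -i "$EXT_IF" -p tcp --destination-port "$p" -j ACCEPT
    done
    # ipchains is stateless: replies to connections the firewall itself opened
    # arrive as non-SYN TCP segments, so accept those (note this also admits
    # unsolicited non-SYN packets such as ACK probes; ipchains cannot tell them apart).
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # DNS answers to the firewall's own resolver queries (UDP has no SYN flag).
    run ipchains -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
    # Log whatever falls through so probes of closed ports show up in syslog.
    run ipchains -A input -i "$EXT_IF" -l -j DENY
}

build_input_rules
```

Run with DRY_RUN=1 first and read the printed rules; only then run it as root with DRY_RUN=0.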
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.