[plug] iptables rules
Ben Jensz
jensz at wn.com.au
Tue May 20 14:38:33 WST 2003
If there are no open ports on the machine and all ports are set to drop
traffic, nmap won't even know if there is a machine unless it responds
in some way to new connections coming into that specific interface.
If your machine has some open ports but you don't want them accessible
by anyone on the interface they are running on, to hide the fact that
those ports are actually running services, but are being firewalled,
drop all ports and not just those ports that are open and firewalled.
Otherwise it's easy to figure out that if say someone probes say a closed
port 35 and gets a response that the port is closed, i.e. they can see
there is a machine there as they got essentially a "connection refused"
on that port, but if they also probe say port 53 (DNS) and you've got it
open, but put a rule as DROP, nmap sees that suddenly instead of finding
a port that was just closed, it found a port that all packets to got
dropped, so it will come up as being "filtered" and basically that's a
sign that there IS indeed a service running on that port, but that it
has been specifically firewalled.
But on the other hand, if you do want to have at least one open port
accessible to anyone, it will show up all of the other ports as being
firewalled. But if you drop every other port including ones that aren't
even open, someone probing won't know which ports have something open
but firewalled and which ones are closed and are firewalled anyway.
Hope that helps. :)
/ Ben
Jon Miller wrote:
>I want to stop the following ports from being listed when doing nmap -sS domain
>111, 2500,911,139, 12345, 12346 and 31337
>Would I use the following:
>$ipt -A INPUT -p tcp --dport 111 -j DROP
>.
>.
>.
> or do I need to use another rule?
>
>Thanks
>
>Jon L. Miller, MCNE, CNS
>Director/Sr Systems Consultant
>MMT Networks Pty Ltd
>http://www.mmtnetworks.com.au
>
>"I don't know the key to success, but the key to failure
> is trying to please everybody." -Bill Cosby
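The two rule styles discussed in this thread, side by side, as an added example (not from either poster). The first function emits Jon's per-port DROP list as quoted above; the second emits the default-drop ruleset Ben recommends. The `probe` function then models what a SYN scan reports for a port under each ruleset, using the reasoning from Ben's reply (no listener and no DROP rule gives a RST, so "closed"; any DROP gives silence, so "filtered"). The listening, hidden and public port lists are constructed for the example, and `$IPT` is assumed to name the iptables binary.

```shell
#!/bin/sh
# Added example for the PLUG "iptables rules" thread; not code from the thread.
IPT=${IPT:-iptables}

# Constructed sample host: what is really listening, which of those Jon wants
# hidden, and the one service Ben's scheme would expose to everyone.
LISTENING="22 53 111 139"
HIDDEN="111 2500 911 139 12345 12346 31337"
PUBLIC="22"

# Style 1 (as quoted from Jon): default policy left at ACCEPT, DROP only the
# listed ports. Every port not in the list still answers with a RST.
rules_per_port() {
    for p in $HIDDEN; do
        echo "$IPT -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Style 2 (Ben's advice): accept only what you mean to expose, then drop
# everything else. ACCEPT rules go in before the policy flips so an existing
# SSH session applying this remotely is not cut off mid-way.
rules_default_drop() {
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "$IPT -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "$IPT -P INPUT DROP"
}

# in_list ITEM "a b c" -> 0 if ITEM is in the list
in_list() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# probe MODE PORT -> open | closed | filtered, as a SYN scanner would see it.
# per-port: DROP rule -> filtered; listener -> open; nothing -> RST -> closed.
# default-drop: only accepted listeners are open; everything else is silent.
probe() {
    mode=$1
    port=$2
    case $mode in
        per-port)
            if in_list "$port" "$HIDDEN"; then echo filtered
            elif in_list "$port" "$LISTENING"; then echo open
            else echo closed
            fi ;;
        default-drop)
            if in_list "$port" "$PUBLIC" && in_list "$port" "$LISTENING"; then echo open
            else echo filtered
            fi ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Show the difference for the two ports Ben uses in his explanation.
for port in 35 111; do
    echo "port $port: per-port=$(probe per-port "$port") default-drop=$(probe default-drop "$port")"
done
```

Under the per-port rules, port 35 reports "closed" while port 111 reports "filtered", which is exactly the tell Ben describes; under default-drop both report "filtered". To apply the second ruleset rather than just print it, pipe it into a shell as root (`rules_default_drop 22 | sh`), and check the ESTABLISHED,RELATED rule is in place before the policy line runs if you are working over SSH.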