[plug] iptables rules
Jon Miller
jlmiller at mmtnetworks.com.au
Tue May 20 15:59:01 WST 2003
I do not use REJECT but instead use DROP, as I understand there is no reply, whereas with REJECT there is. What I have is several ports that show as filtered, and this I do not want to see when a port scan takes place.
Thanks
Jon L. Miller, MCNE, CNS
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
"I don't know the key to success, but the key to failure
is trying to please everybody." -Bill Cosby
>>> jensz at wn.com.au 3:07:35 PM 20/05/2003 >>>
James Devenish wrote:
>I don't know about nmap, but dropping all traffic is NOT the same as
>'not even being there'. If there is no machine there, ICMP responses
>will be sent (to the tune of 'host unreachable'). If a machine drops
>all packets and no ICMP is sent, then that says 'either my ISP can't
>talk to the Internet properly or I have a precious machine that I am
>trying to hide'.
>
>
Well that is debatable. If the last router/machine the data went
through is on the same network subnet, then it generally just times out
and doesn't give a destination host unreachable. It's irrelevant anyway,
as Jon was asking how to specifically hide ports from nmap. There are
of course other ways of finding out whether a machine exists or not, but
this is purely based on nmap discovery.
>
>(a) If you are running public services on an unfirewalled machine but
> don't want them to the public: reconfigure your daemons to stop
> making their services public.
>
>
I'm assuming that Jon probably wants to be able to access certain
services remotely, so hence the need to firewall them.
>(b) If you are running public services but wish to restrict them
> to only "friendly" hosts: configure your packet filter
> to issue 'connection refused' to any non-friendly hosts
> (solves Ben's problem).
>
>
Well actually, if you say reject with iptables, last time I checked, nmap
still saw it as a firewalled port that was open, and not in fact a closed
port.
/ Ben
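The thread compares three ways a packet filter can answer an unwanted SYN, and each shows up differently in a scan report: DROP sends nothing (the scanner reports the port as filtered, which is what Jon wants to avoid), iptables' default REJECT answers with an ICMP port-unreachable (still reported as filtered, which matches what Ben saw), and REJECT with `--reject-with tcp-reset` answers with a TCP RST, which a scanner reports as closed, exactly as if no service were listening. The script below is an added example written for this page, not code from the list posters; it assumes an iptables host, a trusted subnet and a port that are constructed placeholders, and it prints the rules by default so they can be reviewed before setting `APPLY=1`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an iptables host where TCP/$SSH_PORT
# should be reachable only from $TRUSTED_NET; both values are constructed placeholders.
IPT=${IPT:-iptables}
TRUSTED_NET=${TRUSTED_NET:-192.0.2.0/24}
SSH_PORT=${SSH_PORT:-22}

# emit: print the rule (dry run, the default) or apply it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# unwanted_target: how SYNs from non-trusted hosts are answered.
#   drop   -> no reply at all; a scanner reports the port as "filtered"
#   reset  -> TCP RST; a scanner reports "closed", same as no listener at all
#   refuse -> ICMP port-unreachable (the REJECT default); a scanner still
#             reports "filtered", which is what Ben observed with plain REJECT
unwanted_target() {
    case "$1" in
        drop)   echo "DROP" ;;
        reset)  echo "REJECT --reject-with tcp-reset" ;;
        refuse) echo "REJECT" ;;
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# firewall_rules MODE: default-deny INPUT policy, loopback and established
# traffic allowed, the service reachable from the trusted subnet only, and
# everyone else answered according to MODE.
firewall_rules() {
    mode=${1:-drop}
    target=$(unwanted_target "$mode") || return 1
    emit -P INPUT DROP
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -p tcp --dport "$SSH_PORT" -s "$TRUSTED_NET" -j ACCEPT
    # $target is intentionally word-split: "REJECT --reject-with tcp-reset" is two arguments.
    emit -A INPUT -p tcp --dport "$SSH_PORT" -j $target
}

# Default run: print the DROP variant. MODE=reset ./fw.sh prints the RST variant;
# APPLY=1 MODE=reset ./fw.sh applies it.
firewall_rules "${MODE:-drop}"
```

Running `firewall_rules reset` gives the variant that makes the port indistinguishable from an unused one in a scan report, while `firewall_rules drop` reproduces Jon's current setup; the default-deny policy and the trusted-subnet ACCEPT are the same in both, only the final rule differs.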