[H-GEN] An iptables question ...
Tony Nugent
tony at linuxworks.com.au
Thu Sep 19 04:14:14 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Thu Sep 19 2002 at 15:02, Bradley Marshall wrote:
> On Thu, 19 Sep 2002, Ewan Edwards wrote:
> > Since I'm normally a very helpful and cooperative person, I'd like to do
> > something to help ease their concerns. The best solution I've thought of so
> > far, is for my server to simply drop all packets destined for port 80, if
> > those packets come from an address outside that one subnet in the Brisbane
> > office.
> $IPTABLES -I INPUT -p tcp -s ! x.y.z.0/24 --dport 80 -j DROP
I realise that this is being very "picky", but I would personally
not -j DROP these packets, but -j REJECT them instead.
By default REJECT results in an ICMP port unreachable packet being
generated (although with netfilter it is possible to specify what
type of icmp reply is generated).
DROP simply ignores the packet altogether (no icmp packets are
generated).
Dropping packets outright in many (most?) circumstances usually
isn't very helpful or useful. Why? Because to a network scanner it
signals two things... that the host is being firewalled ("hey
everyone - I've got something to hide!"), and that port 80 (a web
service) is involved. It's a bit like working out what's there by
looking at what's not there (sort of like "looking at a shadow").
Generating icmp port unreachable with a REJECT rule will show that
that particular host is there, but it will not reveal anything
special about the port(s) being protected.
> You'd need to invert the sense of the source if you do the right
> thing and set the default policy to DROP.
Doing that would be a good thing only if what you want to achieve is
to hide the existence of the host altogether (except for "exposed"
ports).
Small point, but something to think about.
Cheers
Tony
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
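An added shell example, not part of Tony's message or the thread: it emits the three rule variants discussed (DROP, REJECT with its default ICMP port-unreachable, REJECT with a TCP reset) and the inverted ACCEPT form Bradley mentions for a default-DROP policy. The function names are my own, 192.0.2.0/24 stands in for x.y.z.0/24, and the script dry-runs by echoing the commands unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example for the DROP vs REJECT discussion; not code from the thread.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied.
# Run with IPTABLES=iptables as root to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
# Constructed placeholder (RFC 5737 test net) for the x.y.z.0/24 office subnet.
ALLOWED_NET="${ALLOWED_NET:-192.0.2.0/24}"

# Block port 80 from every source outside ALLOWED_NET using TARGET, which is
# DROP, REJECT, or "REJECT --reject-with tcp-reset". Current iptables wants
# the negation before the option ("! -s"), not after it ("-s !") as in 2002.
block_port80_except() {
    target="$1"
    $IPTABLES -I INPUT -p tcp ! -s "$ALLOWED_NET" --dport 80 -j $target
}

# The inverted form for a default-DROP policy: ACCEPT the subnet explicitly
# and let the chain policy handle everything else. Replies to the host's own
# outbound connections must be accepted first or they are silently dropped.
allow_port80_only_from() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -s "$ALLOWED_NET" --dport 80 -j ACCEPT
}

# Plain REJECT answers a TCP SYN with ICMP port unreachable, which is what a
# closed UDP port sends; port scanners therefore still mark the TCP port as
# "filtered". tcp-reset answers the way a genuinely closed TCP port would.
for t in DROP REJECT "REJECT --reject-with tcp-reset"; do
    echo "# variant: $t"
    block_port80_except "$t"
done
echo "# inverted form with default policy DROP"
allow_port80_only_from
```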