Security Basics mailing list archives
Re: Iptables Clues and Advices.
From: Vic Ricker <vic () sheetz com>
Date: Thu, 10 Apr 2003 14:35:08 -0400
While I personally use DROP, I can see instances where it might not be desirable. In the case where you are trying to connect to remote services that use ident (ftpd, xinetd, postgres, etc.), the use of DROP on port 113 will cause those services to wait for the timeout before allowing your connection. To be fair, my solution has always been to disable ident checks on the remote server since they are pretty much useless. :-)
-Vic

Anduine Crow wrote:

I'd like to back up the claim that "a legitimate user shall know which services are provided, and hence, make connects to normally open ports". I've been using -j DROP since the old days of ipfwadm without having a single "Legitimate" user complain. In addition, I add these rules at the very end of my iptables script just to confuse scanners (using -I makes these the very first rules the kernel evaluates):

$IPTABLES -I INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -I INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -I INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -I INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

Where "badflags" is:

$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
$IPTABLES -A badflags -j DROP

my $.02
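As an added example, not code from either poster or from this thread: the Python below spells out the --tcp-flags mask/compare semantics the quoted badflags rules rely on (look only at the bits in the mask, match when exactly the compare bits are set among them), classifies a flag combination against those six rules, and parses kernel log lines carrying the "Badflags: " prefix to count hits per source and per rule. The log lines, addresses and host name "gw" are constructed, and the regex assumes the classic ipt_LOG field layout (SRC=, DST=, PROTO=TCP SPT= DPT= ... RES= <flags> URGP=).

```python
import re
from collections import Counter

# TCP flag bits, named the way iptables' --tcp-flags option names them.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # iptables "ALL" = SYN,ACK,FIN,RST,URG,PSH


def flag_bits(spec):
    """Turn an iptables flag list ('FIN,URG,PSH', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


# The (mask, compare) pairs from the quoted badflags rules.
BADFLAGS_RULES = [
    ("ALL", "FIN,URG,PSH"),          # exactly FIN+URG+PSH, nothing else
    ("ALL", "ALL"),                  # every flag set at once
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "NONE"),                 # no flags at all
    ("SYN,RST", "SYN,RST"),          # SYN and RST together are never valid
    ("SYN,FIN", "SYN,FIN"),          # SYN and FIN together are never valid
]


def tcp_flags_match(flags, mask, comp):
    """--tcp-flags semantics: consider only the bits in `mask`; match when
    exactly the bits listed in `comp` are set among them."""
    return (flags & flag_bits(mask)) == flag_bits(comp)


def matching_rule(flags):
    """First badflags rule a packet with these flags hits, or None if the
    packet would pass the chain untouched (e.g. a plain SYN or SYN,ACK)."""
    for mask, comp in BADFLAGS_RULES:
        if tcp_flags_match(flags, mask, comp):
            return (mask, comp)
    return None


# Assumed ipt_LOG layout: ... SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=n
# WINDOW=n RES=0x00 <FLAG WORDS> URGP=n   (no flag words for a NULL probe)
LOG_RE = re.compile(
    r"Badflags: .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-fA-F]+ "
    r"(?P<flags>(?:[A-Z]+ )*)URGP="
)


def parse_badflags_line(line):
    """Parse one kernel log line written by the 'Badflags: ' LOG rule.
    Returns None for lines with another prefix or an unexpected layout."""
    m = LOG_RE.search(line)
    if not m:
        return None
    bits = sum(FLAGS.get(name, 0) for name in m.group("flags").split())
    return {"src": m.group("src"), "dst": m.group("dst"),
            "dpt": int(m.group("dpt")), "flags": bits,
            "rule": matching_rule(bits)}


def summarize(log_text):
    """Count Badflags hits per source address and per rule that fired."""
    by_src, by_rule, parsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_badflags_line(line)
        if rec is None:
            continue
        parsed += 1
        by_src[rec["src"]] += 1
        by_rule[rec["rule"]] += 1
    return {"parsed": parsed, "by_src": by_src, "by_rule": by_rule}


# Constructed sample log (documentation/TEST-NET addresses, made-up host "gw").
SAMPLE_LOG = """\
Apr 10 14:31:02 gw kernel: Badflags: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Apr 10 14:31:02 gw kernel: Badflags: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=61001 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Apr 10 14:31:03 gw kernel: Badflags: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=40000 DPT=80 WINDOW=2048 RES=0x00 URG ACK PSH RST SYN FIN URGP=0
Apr 10 14:31:05 gw kernel: SSH: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 10 14:31:06 gw kernel: Badflags: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=61002 DPT=443 WINDOW=1024 RES=0x00 SYN FIN URGP=0
"""


def main():
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['parsed']} Badflags entries")
    for src, n in summary["by_src"].most_common():
        print(f"  {src}: {n} hit(s)")
    for (mask, comp), n in summary["by_rule"].most_common():
        print(f"  --tcp-flags {mask} {comp}: {n}")


if __name__ == "__main__":
    main()
```

Two things the semantics make visible: any packet with both SYN and RST set already matches the "SYN,RST SYN,RST" rule, so the "ALL SYN,RST,ACK,FIN,URG" rule adds nothing a packet could reach only through it; and because the LOG rule is rate-limited to 15/minute, counts taken from the log are a floor on what the chain actually dropped, not an exact tally.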
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature