On 30/03/11 19:38, Thomas Bächler wrote:
You cannot "hide" yourself on the internet. If you were offline, the next router would reply that your machine is unreachable. By not answering, you not only tell the "attacker" that you are online, you also tell him that you don't know shit about networking.
Google it.
Thank you for clearing that up :-) I always believed that by remaining stealthy, my machine was hidden on the internet from prying eyes. I was so mistaken! :-[
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
This properly rejects packets to your IP that are neither ICMP nor TCP nor UDP.
Sorry, I confused packets with protocols. It basically says that no http, pop3, ftp or imap service is running on my machine and politely closes the connection instead of silently dropping it, right?
And how does that harm you? It is rejected, and the sender now knows that he is sending to the wrong destination (instead of continuously retrying, which he would probably do if you DROPped it).
It seems you were right. With my previous iptables configuration, I was getting thousands of unwanted packets from the same sources multiple times. After using your configuration, there is a very sharp decrease in unwanted packets.
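The DROP-versus-REJECT behaviour discussed in the thread, seen from the sender's side, as an added example that is not code from the thread or from any of its participants. A datagram to a closed local UDP port makes the kernel answer with ICMP port-unreachable, the same error iptables' REJECT --reject-with icmp-port-unreachable produces, so the client learns at once that nobody is there; a small server that reads every datagram and never answers plays the role of a DROP rule, so the client can only time out and retry. The per-attempt timeout, the retry count and the use of 127.0.0.1 are assumptions made for the demo.

```python
import socket
import threading

# Constructed demonstration of how a sender reacts to REJECT vs DROP.
# Not from the original mailing-list thread; timeout and retry count are
# assumed values chosen to keep the demo short.
TIMEOUT = 0.2       # seconds to wait for an answer per attempt
MAX_ATTEMPTS = 3    # how often a client retries before giving up


def start_silent_server():
    """Start a UDP 'server' on 127.0.0.1 that swallows every datagram.

    From the client's point of view this is what a firewall DROP rule
    looks like: the packet vanishes and no error ever comes back.
    Returns (port, stop_event); set stop_event to shut the thread down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.1)
    stop = threading.Event()

    def run():
        while not stop.is_set():
            try:
                srv.recvfrom(2048)   # read and discard, never reply
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], stop


def closed_port():
    """Return a UDP port on 127.0.0.1 that currently has no listener.

    Sending there makes the local kernel emit ICMP port-unreachable,
    which is what REJECT --reject-with icmp-port-unreachable sends.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(port, timeout=TIMEOUT, max_attempts=MAX_ATTEMPTS):
    """Send a request to 127.0.0.1:port and wait for a reply, retrying on silence.

    Returns (outcome, attempts). 'refused' means the ICMP error reached us
    and the client stopped immediately; 'timeout' means every attempt went
    unanswered and the client kept retrying until it gave up.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # A connected UDP socket is what makes the kernel surface the ICMP
    # error as ECONNREFUSED on the next send/recv.
    c.connect(("127.0.0.1", port))
    c.settimeout(timeout)
    attempts = 0
    try:
        while attempts < max_attempts:
            attempts += 1
            try:
                c.send(b"hello?")
                c.recv(2048)
                return "answered", attempts
            except socket.timeout:
                continue             # DROP: silence, so guess and retry
            except (ConnectionRefusedError, ConnectionResetError):
                return "refused", attempts   # REJECT: told to stop
        return "timeout", attempts
    finally:
        c.close()


if __name__ == "__main__":
    port, stop = start_silent_server()
    print("DROP-like  :", probe(port))          # ('timeout', 3)
    stop.set()
    print("REJECT-like:", probe(closed_port()))  # ('refused', 1)
```

The 'timeout' result costs the client MAX_ATTEMPTS full timeouts and, on a real network, MAX_ATTEMPTS retransmitted packets, which is the retry traffic the thread saw disappear after switching to REJECT. Note which error fits which traffic: for TCP the usual choice is --reject-with tcp-reset, for UDP it is icmp-port-unreachable (the iptables default), and the thread's icmp-proto-unreachable is the right answer for packets that are neither TCP nor UDP nor ICMP.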