On 30.03.2011 15:00, Partha Chowdhury wrote:
> According to the source from which I got the iptables configuration, the approach is "Block all incoming connections except for established connections, then open only specific ports which you want the outside world to connect to".
Exactly my philosophy.
> About blocking ICMP ping, I quote one website as-is:
> Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
> Is what they say true?
You cannot "hide" yourself on the internet. If you were offline, the next router would reply that your machine is unreachable. By not answering, you not only tell the "attacker" that you are online, you also tell him that you don't know shit about networking.
> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
> Isn't this redundant? I mean ICMP is allowed, then except for established and related connections, a TCP RST packet is sent for all unwanted TCP traffic and an icmp-port-unreachable message is sent for every unwanted UDP packet, right? Then what packets does that rule match?
This properly rejects packets to your IP that are neither ICMP nor TCP nor UDP.
>> What is a "malicious port scanner" and how can you stay "secure" from it?
> I meant to avoid random packets coming from random machines at random times.
> For example, one random packet from sys.log:
> IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=220.127.116.11 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0
And how does that harm you? It is rejected, and the sender now knows that he is sending to the wrong destination (instead of continuously retrying, which he would probably do if you DROPped it).
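To make the two points of this exchange concrete (which rule of the ruleset answers a given packet, and that the final icmp-proto-unreachable rule only sees traffic that is neither ICMP, TCP nor UDP), here is an added example that is not part of the thread. It parses iptables LOG lines of the kind quoted above and replays them against an INPUT chain of the shape the discussion describes. The chain order, the single "open" TCP port 22, and every log line other than the one quoted in the thread are constructed assumptions for illustration; the LOG format itself is the kernel's.

```python
"""Replay iptables LOG lines against the INPUT chain shape discussed in the
thread and report which rule would handle each packet.

Added example, not code from the thread. The chain is reconstructed from the
discussion: established/related first, ICMP accepted, a few open TCP ports,
tcp-reset for other TCP, port-unreachable for UDP, proto-unreachable for the
rest. Port 22 as the only open port is a placeholder assumption.
"""

# Assumption: TCP ports opened for the outside world (placeholder value).
OPEN_TCP_PORTS = {22}

# Sample LOG lines. The first is the packet quoted in the thread; the others
# are constructed to exercise the remaining rules (PROTO=47 is GRE, which the
# kernel LOG target prints numerically).
SAMPLE_LOG = [
    "IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=220.127.116.11 "
    "DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=32623 DF PROTO=TCP "
    "SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0",
    "IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:11:22:33:44:55:08:00 SRC=198.51.100.7 "
    "DST=172.16.37.164 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP "
    "SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:11:22:33:44:55:08:00 SRC=198.51.100.7 "
    "DST=172.16.37.164 LEN=61 TOS=0x00 PREC=0x00 TTL=54 ID=4712 PROTO=UDP "
    "SPT=51234 DPT=1900 LEN=41",
    "IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:11:22:33:44:55:08:00 SRC=198.51.100.7 "
    "DST=172.16.37.164 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4713 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1 SEQ=1",
    "IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:11:22:33:44:55:08:00 SRC=198.51.100.7 "
    "DST=172.16.37.164 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4714 DF PROTO=47",
]


def parse_log_line(line):
    """Split a LOG line into KEY=value fields plus a FLAGS set of bare tokens
    (DF, SYN, ACK, ...). The first occurrence of a key wins, so the IP-header
    LEN and ID are not overwritten by the UDP LEN or ICMP ID that follow."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify(pkt, state="NEW"):
    """Walk the chain in order; first match wins, as in iptables. 'state'
    stands in for the conntrack state, which a LOG line does not carry."""
    # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT established/related"
    proto = pkt.get("PROTO")
    # -A INPUT -p icmp -j ACCEPT
    if proto == "ICMP":
        return "ACCEPT icmp"
    # -A INPUT -p tcp --dport <open port> -j ACCEPT
    if proto == "TCP" and int(pkt["DPT"]) in OPEN_TCP_PORTS:
        return f"ACCEPT open tcp port {pkt['DPT']}"
    # -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    if proto == "TCP":
        return "REJECT tcp-reset"
    # -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    if proto == "UDP":
        return "REJECT icmp-port-unreachable"
    # -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    # Only packets that are neither ICMP, TCP nor UDP reach this rule.
    return "REJECT icmp-proto-unreachable"


def replay(lines):
    """Return (SRC, PROTO, DPT or '-', verdict) for each LOG line."""
    results = []
    for line in lines:
        pkt = parse_log_line(line)
        results.append((pkt["SRC"], pkt["PROTO"], pkt.get("DPT", "-"), classify(pkt)))
    return results


if __name__ == "__main__":
    for src, proto, dpt, verdict in replay(SAMPLE_LOG):
        print(f"{src:>16} {proto:>5} dpt={dpt:<6} -> {verdict}")
```

Run as a script it prints one verdict per line; the quoted SYN to port 39384 gets a TCP RST, the UDP probe an ICMP port-unreachable, and only the GRE packet (no TCP/UDP/ICMP header at all) falls through to the proto-unreachable rule, which is why that last rule is not redundant.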