[clue-talk] iptables question
Charles Oriez
coriez at oriez.org
Mon Dec 27 10:23:07 MST 2004
At 08:40 AM 12/27/2004, Crawford Rainwater wrote:
>Been playing around with iptables recently (and yes, it has been a
>while) and noticed that there is no longer a DENY policy, just ACCEPT
>and DROP. I am guessing DROP = DENY these days, but when I run nmap, I
>see for various ports "open|filtered" by them vs. "closed". What am I
>missing here? Yes I know
I use DROP rather than REJECT, but REJECT is available as an
alternative. DROP sends no reply to any attempt to communicate. As far as
the attacker knows, there is no server on that IPA accepting the type of
packet he's trying to get through to me. REJECT sends back a message to go
away because I am not accepting his packets. An attacker might be
motivated to try again from another IPA in that case.
I use IPTABLES to refuse packets most often to cut down on dnsbl queries
during high volume spam runs (I had one spammer try to connect multiple
thousands of times over a multi-week period, and MCI refused to terminate
them) or block repeated attempts to sign in to my server, usually by someone
in Asia.
The guys who wrote IPTABLES put together a string of FAQs at
http://www.netfilter.org. Included in the series is a list on differences
between IPTABLES and IPCHAINS found at
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-10.html
Item #5 there is fairly specific as an answer to your question: "The DENY
target is now DROP, finally."
--
Charles Oriez coriez at oriez.org 39 34' 34.4"N / 105 00' 06.3"W AIM ID caoriez
"The right to be heard does not automatically include the right to be taken
seriously." -- Hubert Horatio Humphrey
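The DROP versus REJECT choice discussed in the reply above, as an added shell example that is not part of the original post or of the netfilter documentation. It emits the iptables commands for blocking one source address in each mode and only executes them when APPLY=1 is set, since changing the filter table needs root and a netfilter kernel; the 192.0.2.x addresses are constructed sample values from the RFC 5737 documentation range, and the block_host and run_or_echo names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the INPUT rules that
# implement DROP vs REJECT for one unwanted source address.
# Dry-run by default: the commands are printed, not run, unless APPLY=1.
# 192.0.2.0/24 is the RFC 5737 documentation range (constructed sample input).

IPTABLES="${IPTABLES:-iptables}"

# run_or_echo CMD...: print the command line; execute it only when APPLY=1.
run_or_echo() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# block_host ADDR MODE: build the rule for one source address.
#   drop   -> packet is silently discarded; the sender gets nothing back, so a
#             port scanner can only report "filtered" / "open|filtered"
#   reject -> ICMP port-unreachable is returned (iptables' default reject type)
#   reset  -> a TCP RST is returned, which a SYN scan reports as "closed",
#             the same answer a host with no listener on that port would give
block_host() {
    addr=$1
    case $2 in
        drop)
            run_or_echo "$IPTABLES" -A INPUT -s "$addr" -j DROP ;;
        reject)
            run_or_echo "$IPTABLES" -A INPUT -s "$addr" -j REJECT ;;
        reset)
            run_or_echo "$IPTABLES" -A INPUT -s "$addr" -p tcp \
                -j REJECT --reject-with tcp-reset ;;
        *)
            echo "block_host: unknown mode '$2' (use drop|reject|reset)" >&2
            return 1 ;;
    esac
}

# Illustration: the same constructed source handled three different ways.
block_host 192.0.2.10 drop
block_host 192.0.2.11 reject
block_host 192.0.2.12 reset
```

Run it as-is to see the rules; run it with `APPLY=1` as root to install them. For logging rather than silently discarding, a LOG rule with the same match can be placed immediately before the DROP rule so that repeated attempts from one address remain visible in syslog.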