[lug] IP Tables

karl horlen horlenkarl at yahoo.com
Sat Sep 22 13:52:35 MDT 2007

> True, but I took that to fall under the last
> requirement... 

that was correct :-)

> > >> (probably covers sendmail above?)
> >
> > Yes, for sending.
> Right. 


> > > iptables -A INPUT -i lo -j ACCEPT
> > 
> > This allows local connections, which wasn't
> specified.
> True. I could have left it out... 

But really necessary so glad you put it in :-).

> iptables -A INPUT -j REJECT
> > > --reject-with icmp-host-prohibited
> > 
> > Harlan said "drop" but Kevin has used reject. 
> Same or not?
> Good point. Not the same at all. 
> DROP will silently drop the packets, making the
> remote machine think it
> should just keep retrying. 
> REJECT will send back a 'NO, go away' so the remote
> site will see the
> machine is up, but rejecting it's packets. 

That this was brought up i feel is a good thing.  From
what i've read, i was assuming that DROPping might be
better than REJECTING.  But there's probably a
philosophical debate about that one.

Since I GLOBALLY am denying a whole lot of stuff
(everything that doesn't fall into any of the
relatively small list i've specified), i have to
choose either DROP OR REJECT.  Can't have both unless
I start defining a bunch of rules which specify
specifically for one or the other.

My thought (and tell me if i was wrong) was that
DROPping just nipped the whole thing in the bud
quickly.  No extra queries or processing (performance
requirements) from my server.  If you're not allowed
to come here you shouldn't be so i'll drop you, end of

I also thought that was better from a security
perspective.  An external request to my server for a
request it shouldn't handle should probably receive no
reply.  No reply "hides" the server and might prevent
further attempts.  A reject actually notifies the
request that "i'm alive" which gives the requestor
"hope" to try more ports.  If someone is trying ports
that i haven't opened then they really don't require
or deserve a reply.

Now I don't know if any of my logic is completely
correct and it probably is going to fall under the
category of "it depends" but I like that the thread
took a turn and it can be explored.  It helps me
understand this better and create a better firewall.

One requirement i did leave out was a rule for icmp
requests.   i've seen it in some examples and left off
in others in a variety of different flavors.  Is ping
essential?  This is probably an "it depends".  Unless
disabling it is going to prevent something it
shouldn't, i just assume DROP it.  But maybe it should
be REJECTed instead. Or maybe i should be allowing

There is also the possibly that i've failed to account
for some other port or service that I SHOULD have.  Is
there another NON-obvious rule that SHOULD PROBABLY be
in there?

Be a better Globetrotter. Get better travel answers from someone who knows. Yahoo! Answers - Check it out.

More information about the LUG mailing list