In <200904222024.25103.bartoschek@or.uni-bonn.de>, Christoph Bartoschek wrote:
> is there an easy way to get the firewall to send RST packages to connection attempts to closed ports instead of just discarding the requests?
-j REJECT --reject-with tcp-reset

I don't think it undermines my security, and most of this could be discovered with a simple nmap, so here's my setup that uses RST packets:

# Generated by iptables-save v1.4.2 on Wed Apr 22 18:44:23 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:accept-existing-connections - [0:0]
:accept-from-lo - [0:0]
:accept-known-services - [0:0]
:accept-new-connections - [0:0]
:accept-to-lo - [0:0]
:filter-new-connections - [0:0]
:packet-rejected - [0:0]
-A INPUT -j accept-existing-connections
-A INPUT -j accept-from-lo
-A INPUT -j filter-new-connections
-A INPUT -j packet-rejected
-A OUTPUT -j accept-existing-connections
-A OUTPUT -j accept-to-lo
-A OUTPUT -j accept-new-connections
-A OUTPUT -j packet-rejected
-A accept-existing-connections -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A accept-from-lo -i lo -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 22 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 25 -j ACCEPT
-A accept-known-services -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 587 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 993 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 465 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 143 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 2000 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 4691 -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 9418 -j ACCEPT
-A accept-new-connections -m conntrack --ctstate NEW -j ACCEPT
-A accept-to-lo -o lo -j ACCEPT
-A filter-new-connections -m conntrack --ctstate NEW -j accept-known-services
-A packet-rejected -p tcp -j REJECT --reject-with tcp-reset
-A packet-rejected -p udp -j REJECT --reject-with icmp-port-unreachable
-A packet-rejected -j REJECT --reject-with icmp-admin-prohibited
-A packet-rejected -j DROP
COMMIT
# Completed on Wed Apr 22 18:44:23 2009
-- 
Boyd Stephen Smith Jr.           ,= ,-_-. =.
bss@iguanasuicide.net           ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/            \_/
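As an added example (not from the post or its author), here is a small Python auditor that parses the iptables-save format quoted above and replays a probe packet through INPUT, so you can see offline that an unlisted TCP port answers with REJECT tcp-reset while the same ruleset without the packet-rejected chain would fall to the DROP policy and stay silent. The SAMPLE ruleset is a constructed subset of the one in the post; only -p, --dport, --ctstate and -j are modelled, so rules using other matches (such as -i lo) would be treated as always matching.

```python
"""Replay a probe packet through an iptables-save dump; report its INPUT verdict."""
import re

# Constructed sample: the INPUT side of the ruleset quoted in the post.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -j accept-existing-connections
-A INPUT -j filter-new-connections
-A INPUT -j packet-rejected
-A accept-existing-connections -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A accept-known-services -p tcp -m tcp --dport 22 -j ACCEPT
-A filter-new-connections -m conntrack --ctstate NEW -j accept-known-services
-A packet-rejected -p tcp -j REJECT --reject-with tcp-reset
-A packet-rejected -p udp -j REJECT --reject-with icmp-port-unreachable
-A packet-rejected -j REJECT --reject-with icmp-admin-prohibited
"""
OPTS = {  # only these matches are modelled; (?<!\S) keeps "-p" out of "--dport"
    "proto": r"(?<!\S)-p (\S+)", "dport": r"--dport (\S+)", "ctstate": r"--ctstate (\S+)",
    "target": r"(?<!\S)-j (\S+)", "reject_with": r"--reject-with (\S+)"}

def parse(text):
    """Return (policies, chains) from ':CHAIN POLICY' and '-A CHAIN ...' lines."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            rule = {k: m.group(1) for k, p in OPTS.items() if (m := re.search(p, line))}
            chains.setdefault(line.split()[1], []).append(rule)
    return policies, chains

def verdict(policies, chains, proto, dport=None, ctstate="NEW", chain="INPUT"):
    """Walk chain top-down, descending into user chains; an exhausted chain yields its policy."""
    for r in chains.get(chain, []):
        if any(k in r and r[k] != want for k, want in (("proto", proto), ("dport", str(dport)))):
            continue                          # a modelled match option did not match
        if "ctstate" in r and ctstate not in r["ctstate"].split(","):
            continue
        t = r["target"]
        if t == "REJECT":                     # the sender is told: RST or ICMP error
            return "REJECT " + r.get("reject_with", "icmp-port-unreachable")
        if t not in chains:                   # ACCEPT, or DROP (the sender hears nothing)
            return t
        if v := verdict(policies, chains, proto, dport, ctstate, t):
            return v                          # user-defined chain reached a verdict
    # user chains have policy "-": falling off the end means RETURN to the caller
    return policies.get(chain) if policies.get(chain) in ("ACCEPT", "DROP") else None

def exposed_tcp_ports(policies, chains, ports=range(1, 1024)):
    """Ports that accept a fresh SYN: what a SYN scan of this host would list as open."""
    return [p for p in ports if verdict(policies, chains, "tcp", p) == "ACCEPT"]
```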