> I'm using iptables on RedHat 8 with the rules listed
> below. When scanned from outside the TCP port appears
> as filtered; however, the UDP port is still open.
>
> $ip0 is my external IP address.
>
> Am I doing something wrong?
>
> -------------
> /sbin/iptables -A INPUT -i lo -p all -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -d $ip0 --dport 53 -j DROP

Scanners see this:
- the machine pings back
- some ports (e.g. 80) are open and respond properly
- some other ports (e.g. 53) do not respond at all (DROP); normally they should respond with a TCP RESET (normal operation, or -j REJECT --reject-with tcp-reset) = so, the port is filtered.

> /sbin/iptables -A INPUT -p udp -d $ip0 --dport 53 -j DROP

Scanners see this:
- the machine pings back,
- I do not get an "icmp dest. unreach / port unreachable", so the port is open.

Solution #1 - forget about what the scanner says, and leave it so it drops the packets.
For: the scans take much more time and may irritate the scanner; the scanner gets much less information that can be used for OS fingerprinting.

Solution #2 - if you want the scanners to get (closed) for everything:
- reject with tcp-resets for tcp
- reject with icmp-unreach for udp
Against: the scans are quicker; you actually send packets, thus disclosing information interesting for OS fingerprinting.

Regards,
Maciej Soltysiak
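The two rule sets discussed in the reply, side by side, as an added example (not code from the original message or its author). It is a small POSIX sh script that emits the rules for either Solution #1 (DROP) or Solution #2 (REJECT with tcp-reset / icmp-port-unreachable) for port 53 on one external address. The IPT variable defaults to a dry run that only prints the commands; setting IPT=/sbin/iptables applies them. The address 192.0.2.10 is a documentation placeholder standing in for the poster's $ip0.

```shell
#!/bin/sh
# Added example: generate the "drop" (Solution #1) or "reject" (Solution #2)
# rule set from the thread for TCP/UDP 53 on one external address.
# IPT defaults to a dry run (prints the commands); use IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"

# firewall_rules MODE IP
#   MODE is "drop" or "reject"; IP is the external address ($ip0 in the post).
firewall_rules() {
    mode="$1"
    ip0="$2"
    # loopback is always accepted, as in the poster's rules
    $IPT -A INPUT -i lo -p all -j ACCEPT
    case "$mode" in
        drop)
            # Silently discard: a TCP scan reports the port as "filtered" (no RST),
            # a UDP scan cannot tell "open" from "filtered" (no ICMP unreachable).
            $IPT -A INPUT -p tcp -d "$ip0" --dport 53 -j DROP
            $IPT -A INPUT -p udp -d "$ip0" --dport 53 -j DROP
            ;;
        reject)
            # Answer like a closed port: TCP RST for tcp, ICMP port-unreachable for udp.
            # The scan finishes faster but the host now emits packets that can be
            # used for OS fingerprinting.
            $IPT -A INPUT -p tcp -d "$ip0" --dport 53 -j REJECT --reject-with tcp-reset
            $IPT -A INPUT -p udp -d "$ip0" --dport 53 -j REJECT --reject-with icmp-port-unreachable
            ;;
        *)
            echo "usage: firewall_rules drop|reject IP" >&2
            return 1
            ;;
    esac
}

# Default run: dry-run the "drop" variant for the placeholder address.
firewall_rules "${1:-drop}" "${2:-192.0.2.10}"
```

Run as `sh rules.sh reject 192.0.2.10` to see the Solution #2 commands, or `IPT=/sbin/iptables sh rules.sh drop 192.0.2.10` to apply Solution #1; the loopback ACCEPT is emitted in both modes so the script mirrors the poster's rule order.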