Rodolfo J. Paiz wrote:
> On Wed, 2004-10-27 at 13:00 -0400, James Kosin wrote:
>> Sorry, maybe I didn't make myself clear. #1 included all 3 iptable entries, not just the first.
>> I took a simpler approach.
> Well yes, that is *simpler* but it is in no way better. It's also very basic... in fact, that's the basic procedure for *any* firewall (close everything, then open up what you need), and that's how my firewall is set up too. No news here.
> The Portsentry setup is to block those people who are going to attack services I *do* run, since they will normally try to attack others as well. So the guy who is going to test SSH for exploits, and try all sorts of stuff on my Apache server, and see if he can get to Sendmail... is also likely to trigger a hostile port and get deep-sixed for 48 hours.
> No iptables ruleset on Earth can protect you from attacks to an open port on which you have a service listening. That job is up to the process listening on the port. But you can attempt to find a way to block those people before or during their probes... my Portsentry mechanism is one such attempt, and has been highly successful for me as an additional layer of defense over the last two years or so.
>> 1. Set up iptables with the following:
>> iptables -A INPUT -i lo -j ACCEPT # this allows the local loopback interface to always work.
>> For most clients, #1 above is enough to block all attacks.
> No way. #1 above has nothing to do with any external attacks. And indeed closing all ports by default is just a precaution, since there should be nothing listening on those ports *anyway* and thus there should be nothing to crack except the services you do run. So in the end, your primary risk comes from the services you offer being cracked or rooted.
> Again, no iptables ruleset on Earth can protect you from that.
> Cheers,
If you want to really cripple your machine, just do the first and third iptable entries and you will not be able to browse the web or anything. The second one opens up the return path for connections established by the client machine.
You don't give iptables a chance. It is a very powerful feature. With proper setup you can allow unfettered access to your server on your network alone and deny (or restrict) access to everyone else.
James Kosin
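The following is an added example and not code posted by either participant: a minimal stateful iptables script in the three-entry shape discussed in the thread (loopback accept, return path for established connections, default deny), plus the LAN-only service access James mentions. Only the loopback rule appears in the thread; the other entries, the 192.168.1.0/24 network and the port list 22 80 are my own assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful iptables ruleset that
# follows the procedure discussed above (close everything, then open what you
# need), with the return-path rule for established connections and LAN-only
# access to the services actually offered.
# Assumptions (placeholders, not from the thread): the LAN is 192.168.1.0/24,
# the host offers SSH (22) and HTTP (80), and the kernel has the state match.

LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed placeholder; set to your LAN
SERVICE_PORTS="${SERVICE_PORTS:-22 80}"  # TCP ports with a listener you actually run

# Emit the ruleset as text so it can be reviewed before anything is applied.
firewall_rules() {
    # Start from an empty INPUT chain.
    echo "iptables -F INPUT"
    # Entry 1: the loopback interface must always work.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Entry 2: the return path. Without this, replies to connections this
    # machine opened (web browsing, DNS, updates) are dropped by the policy.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Packets that belong to no known connection are dropped early.
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Open only the services you run, and only to your own network.
    for p in $SERVICE_PORTS; do
        echo "iptables -A INPUT -p tcp -s $LAN_NET --dport $p -m state --state NEW -j ACCEPT"
    done
    # Entry 3: the default-deny policy, set last so an existing admin
    # session is not cut off while the chain is still empty.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# Rules are only executed when APPLY=1 is set; the default is a dry run
# that prints them for review.
apply_firewall() {
    if [ "${APPLY:-0}" = "1" ]; then
        firewall_rules | sh -e
    else
        firewall_rules
    fi
}

apply_firewall
```

Run it as-is to see the generated rules; run it as root with APPLY=1 to load them. Leaving out the ESTABLISHED,RELATED line reproduces the "cannot browse the web" failure described above, because the default-deny policy then discards every reply packet.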