Re: Iptables DROP packets but Nmap show the ports opened !!
Robin-Vinet Mathieu wrote:
> > >
> > > Brian and Henk, i think you make the point.
> > > Even with iptables loading the inactive ruleset, i've got all ports
> > > opened.
> > >
> > > I don't understand why you are speaking of "inetd" ?
> > > Cause i've got inetd running on the machine...
> > Well, check /etc/inetd.conf and make sure that things are not not
> > accidently serviced by inetd. Otherwise when you flush the rules or
> > when you haven't got a default DROP policy, certain ports will still be
> > reported as open.
> So if i understand well, you suggest me to put those line at the top of
> my Iptable script cause it seems to be safer, by default it DROP packets
> except when i have defined specific rules wich is my case :
> IPTABLES -P INPUT DROP
> IPTABLES -P FORWARD DROP
> IPTABLES -P OUTPUT DROP
Yes, after that you could open upen up what you need to accept in and
out on the box's interfaces (don't forget localhost) and what traffic
you need to forward and append a final DROP as a catch-all to the input,
output and forward chains. You'll have a pretty tight setup.
> I've read that with a default DROP policy, i must specifically define
> ACCEPT rules when flushing with -F, this, not to be locked out of my
Correct, but that's easy to script.
> > > Did i miss something somewhere ?
> > Don't know, better check to be sure. Just do a 'grep -v ^# /etc/inetd.conf'
> > to see what's enabled.
> It's ok, i Just have ssh, smtp and ftp like i did the setup !
Henk Roose <Henk.Roose@cwi.nl>
CWI - Centrum voor Wiskunde en Informatica
Centre for Mathematics and Computer Science