Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 4 Mar 2010 12:30:58 -0500
On Wed, 03 Mar 2010 17:01:11 CST, Josh Richard said:
> In any case, are we in agreement that given the choice of one or the other, the preferred method would be iptables as it drops packets?
Important nit - iptables *optionally* drops packets. ;) Sometimes, it's nice to send back a notice "Yo dood, you're lost". So to make life easy for various authorized scanners and similar on campus, I often do something like this:

    -A input -p tcp -s 128.173.0.0/16 --syn -j REJECT --reject-with tcp-reset
    -A input -p tcp -s 198.82.0.0/16 --syn -j REJECT --reject-with tcp-reset
    -A input -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-port-unreachable
    -A input -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-port-unreachable
    -A input -j DROP

Basically, if it's from one of our two on-campus /16s, and it's TCP, we RST back, and for UDP we ICMP back, so the other end gets the "no such port" clue in a few milliseconds rather than having to time out. If you're from off campus, you're probably not one of my users, so I don't feel any responsibility to make your life easy - you can sit there till you time out. ;)

(Yes, this *is* a slight information leakage to an on-campus attacker, but the "play nice with campus" mostly outweighs it in my opinion.)
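The REJECT-versus-DROP policy in the message above, modelled as a small first-match rule evaluator. This is an added example, not code from the original post or from any iptables tooling: it encodes the five posted rules (chain name and rule order as written, with the two campus /16s) and reports the verdict a packet would get, so a defender can check the policy against sample traffic offline. The `Packet` objects and the assumption that this fragment sits at the tail of the chain, after whatever ACCEPT rules admit wanted traffic, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two on-campus /16s from the posted rules.
CAMPUS_PREFIXES = [
    ipaddress.ip_network("128.173.0.0/16"),
    ipaddress.ip_network("198.82.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                      # "tcp", "udp", or None for any protocol
    src: Optional[ipaddress.IPv4Network]      # source match, None for any source
    syn_only: bool                            # iptables --syn: only initial TCP SYNs match
    target: str                               # verdict, e.g. "REJECT --reject-with tcp-reset"


@dataclass(frozen=True)
class Packet:
    src: str            # source IPv4 address as text (constructed sample input)
    proto: str          # "tcp", "udp", "icmp", ...
    syn: bool = False   # True for a TCP SYN-only segment


def posted_ruleset() -> List[Rule]:
    """The five rules from the post, in the order they appear (first match wins)."""
    rules: List[Rule] = []
    # On-campus TCP connection attempts get a RST back.
    for net in CAMPUS_PREFIXES:
        rules.append(Rule("tcp", net, True, "REJECT --reject-with tcp-reset"))
    # On-campus UDP gets an ICMP port-unreachable back.
    for net in CAMPUS_PREFIXES:
        rules.append(Rule("udp", net, False, "REJECT --reject-with icmp-port-unreachable"))
    # Everything else is silently dropped and has to time out.
    rules.append(Rule(None, None, False, "DROP"))
    return rules


def evaluate(pkt: Packet, rules: Optional[List[Rule]] = None, default: str = "ACCEPT") -> str:
    """Return the verdict for pkt under first-match semantics (chain policy = default)."""
    if rules is None:
        rules = posted_ruleset()
    addr = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.src is not None and addr not in rule.src:
            continue
        if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn):
            continue
        return rule.target
    return default


def is_campus(src: str) -> bool:
    """True when src falls inside one of the two campus /16s."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CAMPUS_PREFIXES)


if __name__ == "__main__":
    # Constructed sample packets: campus SYN, campus UDP, off-campus SYN,
    # and a campus TCP segment that is not a SYN (does not match --syn).
    samples = [
        Packet("128.173.10.20", "tcp", syn=True),
        Packet("198.82.5.5", "udp"),
        Packet("203.0.113.7", "tcp", syn=True),
        Packet("128.173.10.20", "tcp", syn=False),
        Packet("198.82.5.5", "icmp"),
    ]
    for p in samples:
        print(f"{p.src:>15} {p.proto:<5} syn={p.syn!s:<5} campus={is_campus(p.src)!s:<5} -> {evaluate(p)}")
```

The last two sample packets are the caveat worth noticing: a non-SYN TCP segment or an ICMP packet from campus does not match the `--syn` or `-p udp` rules and falls through to `DROP`, which is fine only if wanted traffic (established connections, permitted services) was already accepted by earlier rules in the chain.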
Current thread:
- IPtables versus Tcp_wrapper Griese, Steven A. (Mar 03)
- <Possible follow-ups>
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)