Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 4 Mar 2010 12:30:58 -0500

On Wed, 03 Mar 2010 17:01:11 CST, Josh Richard said:
In any case, are we in agreement that given the choice of one or the
other, the preferred method would be iptables as it drops packets?

Important nit - iptables *optionally* drops packets. ;)

Sometimes, it's nice to send back a notice "Yo dood, you're lost".

So to make life easy for various authorized scanners and similar on campus,
I often do something like this:

-A INPUT -p tcp -s 128.173.0.0/16 --syn -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -s 198.82.0.0/16 --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP

Basically, if it's from one of our two on-campus /16s, and it's TCP, we RST
back, and for UDP we ICMP back, so the other end gets the "no such port" clue
in a few milliseconds rather than having to time out.  If you're from off
campus, you're probably not one of my users, so I don't feel any responsibility
to make your life easy - you can sit there till you time out. ;)

(Yes, this *is* a slight information leakage to an on-campus attacker, but
the "play nice with campus" mostly outweighs it in my opinion. )
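The following is an added example, not code from the post or from Virginia Tech: a small Python model of the tail of the INPUT chain described above (the two /16s are the ones quoted in the post; the accept rules for permitted services are assumed to sit earlier in the chain and are not modelled). It renders the five rules in iptables syntax and walks them first-match-wins the way netfilter does, so you can see what a scanner at a given source address gets back. The constructed test cases also surface a detail the prose glosses over: `--syn` matches only a bare SYN, so a non-SYN TCP probe (an ACK scan, for instance) from an on-campus address falls through to the silent DROP rather than getting the RST.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# The two on-campus /16s named in the post; substitute your own prefixes.
CAMPUS_NETS = ("128.173.0.0/16", "198.82.0.0/16")


class Rule(NamedTuple):
    proto: Optional[str]                      # "tcp", "udp", or None for any protocol
    src: Optional[ipaddress.IPv4Network]      # -s match, or None for any source
    syn_only: bool                            # iptables --syn: SYN set, ACK/RST/FIN clear
    target: str                               # "REJECT --reject-with ..." or "DROP"


def build_chain(campus_nets=CAMPUS_NETS) -> List[Rule]:
    """Tail of the INPUT chain from the post: RST/ICMP back to campus, DROP for everyone else."""
    rules = []
    for net in campus_nets:
        n = ipaddress.ip_network(net)
        rules.append(Rule("tcp", n, True, "REJECT --reject-with tcp-reset"))
        rules.append(Rule("udp", n, False, "REJECT --reject-with icmp-port-unreachable"))
    rules.append(Rule(None, None, False, "DROP"))   # catch-all: sit there until you time out
    return rules


def render(rules: List[Rule]) -> List[str]:
    """Emit the rules as 'iptables -A INPUT ...' arguments (one line per rule)."""
    lines = []
    for r in rules:
        parts = ["-A INPUT"]
        if r.proto:
            parts.append(f"-p {r.proto}")
        if r.src:
            parts.append(f"-s {r.src}")
        if r.syn_only:
            parts.append("--syn")
        parts.append(f"-j {r.target}")
        lines.append(" ".join(parts))
    return lines


def verdict(rules: List[Rule], src: str, proto: str, syn_only: bool = False) -> str:
    """Walk the chain top to bottom; the first rule whose matches all succeed decides the target."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.proto and r.proto != proto:
            continue
        if r.src is not None and addr not in r.src:
            continue
        if r.syn_only and not syn_only:
            continue
        return r.target
    return "POLICY"   # unreachable with the trailing DROP, kept for chains without one


def scanner_view(target: str) -> str:
    """What a port scanner concludes from the packet (or silence) it gets back."""
    if "tcp-reset" in target:
        return "closed (RST back in milliseconds)"
    if "icmp-port-unreachable" in target:
        return "closed (ICMP port unreachable back in milliseconds)"
    if target == "DROP":
        return "filtered (no answer; scanner waits out its timeout)"
    return target


if __name__ == "__main__":
    chain = build_chain()
    print("\n".join(render(chain)))
    # Constructed probes: campus SYN, campus ACK-scan probe, campus UDP, off-campus SYN.
    for src, proto, syn in [("128.173.10.5", "tcp", True), ("128.173.10.5", "tcp", False),
                            ("198.82.1.1", "udp", False), ("203.0.113.7", "tcp", True)]:
        print(f"{src:14} {proto} syn={syn!s:5} -> {scanner_view(verdict(chain, src, proto, syn))}")
```

The per-network loop interleaves the TCP and UDP rules instead of grouping them as the post does; since each REJECT rule matches a disjoint (protocol, source) set, the relative order of the four REJECT rules does not change any verdict, only the position of the final DROP matters.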
