tlug Mailing List Archive: [tlug] Re: iptable blocking IP addresses
- Date: Tue, 24 Feb 2004 15:02:07 +0100
- From: Tobias Diedrich <ranma@example.com>
- Subject: [tlug] Re: iptable blocking IP addresses
- References: <20040223025748.74578.qmail@example.com> <87k72echm3.fsf@example.com>
- User-agent: Mutt/1.5.5.1+cvs20040105i
Stephen J. Turnbull wrote:
> Whether to use the "reject" option depends on your preferences, the
> source, and the port. The practical implications of using REJECT
> rather than DROP are (1) you'd like to tell honest people that they've
> made an error, and your machine is not unplugged, and (2) for some
> services (eg, mail) a firm "go away" may actually make some bad guys
> go away (eg, spammers would prefer not to waste many milliseconds
> trying to connect to a machine that is never going to accept mail from
> them).

AFAIK DROP does not really 'hide' your host. If there were no host on an
IP address, you should get a "Network is unreachable" or "Destination Host
Unreachable" error (ICMP message from the router). You can't emulate that
by using DROP, so if an IP is just a packet sink, then you know there's
something at the other end.

For tcp "-j REJECT --reject-with tcp-reset" has the advantage of answering
with RST on the first SYN, so the offending host should not send any
further SYNs (default for REJECT is icmp-port-unreachable, which is
suitable for UDP).

I use the following at the end of my iptables setup:

    # $IF holds the interface name (set earlier in the script);
    # the rules are appended to the per-interface chain "$IF-i"
    # log everything left
    iptables -A "$IF-i" -j LOG --log-prefix "$IF-i " \
        -m limit --limit 10/second
    # reject packets until limit reached
    iptables -A "$IF-i" -p tcp -j REJECT --reject-with tcp-reset \
        -m limit --limit-burst 30 --limit 60/second
    iptables -A "$IF-i" -p udp -j REJECT \
        -m limit --limit-burst 30 --limit 60/second
    # drop everything else
    iptables -A "$IF-i" -j DROP

-- 
Tobias
PGP: http://9ac7e0bc.2ya.com
Be vigilant!
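To make the rate-limited tail of that chain concrete, here is an added Python model (not Tobias's script, and not iptables code) of how the two `-m limit --limit 60/second --limit-burst 30` REJECT rules gate traffic before the final DROP. The token bucket is an idealised stand-in for the kernel's xt_limit credit counter, and the `LimitMatch`/`chain_tail` names are this example's own.

```python
# Simplified model of the chain tail from the post: per-protocol REJECT
# while the limit match still has tokens, DROP for everything else.
# Added example, not the author's code. The token bucket is an idealised
# model of xt_limit (rate = --limit, capacity = --limit-burst), not the
# kernel's integer-credit implementation.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_sec: float          # --limit 60/second
    burst: int                   # --limit-burst 30
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full, like xt_limit

    def allow(self, t: float) -> bool:
        """Consume one token at time t (seconds, non-decreasing)."""
        # refill in proportion to elapsed time, never above the burst size
        self.tokens = min(self.burst,
                          self.tokens + (t - self.last_t) * self.rate_per_sec)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def chain_tail(packets, proto_limits=None):
    """Return a verdict per (time, proto) packet, in arrival order.

    'REJECT' while that protocol's limit rule still has tokens (tcp-reset
    for tcp, icmp-port-unreachable for udp); 'DROP' for everything else,
    including protocols with no REJECT rule at all (e.g. icmp).
    """
    if proto_limits is None:
        # one separate -m limit state per rule, exactly as in the post
        proto_limits = {"tcp": LimitMatch(60, 30), "udp": LimitMatch(60, 30)}
    verdicts = []
    for t, proto in packets:
        lim = proto_limits.get(proto)
        verdicts.append("REJECT" if lim and lim.allow(t) else "DROP")
    return verdicts
```

Feeding 100 SYNs at once shows why the DROP rule matters: only the first 30 get an RST, the rest fall through silently until the bucket refills.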
- Follow-Ups:
- Re: [tlug] Re: iptable blocking IP addresses
- From: Stephen J. Turnbull
- References:
- [tlug] iptable blocking IP addresses
- From: Gerald Naughton
- Re: [tlug] iptable blocking IP addresses
- From: Stephen J. Turnbull