another newbie question...

Looking at hardening an already fairly hardened firewall, and trying to see if I can block port 113, or at least stop it from responding to outside ping requests... Whether this is successfull (or wise) - well at least I can reverse it if I have to.

I have the following script in my iprules file:

# allow ident
iptables -t nat -A PREROUTING -p tcp --dport 113 -i eth0 -j ACCEPT

I could change ACCEPT to DROP I suppose, but another way would be to send this request of to the wild blue yonder (and upset the server in question) by forwarding the request to another non-existant IP address.

What I need to know is how to do the script - any offers?

TIA

cheers...pix

You can try to change ACCEPT with REJECT.

Assuming that eth0 is your external interface that you don't want people to be able to access 113 on you want something like.This isn't a NAT issue as its incomming requests that might be a problem, these will only ever go to the router as you can't get to the IPs behind it. Make sure you do REJECT the packets and not DROP them otherwise you'll experience very long waits when you want to ssh/ftp into the box yourself from outside.

cheers

Jamie...

1 members found this post helpful.

Thanks, guys. This appears to be the easy way to do it.

cheers...pix

Just changed my iptables script to that of the above (and also used DROP), and port 113 is still responding to a ping request (ICMP Echo). So that one is not working, for some reason. Any ideas???

cheers...pix

You must block at least ICMP protocol type 8. Some servers (like pop3 and imap) are checking for your ident service. If you drop ident traffic you wil have a timeout when you try to conect these servers. For these reason you must reject ident traffic, not droping it.

I had thought about this and wondered if I would have a problem with the POP3 server on my ISP. I guess I will haev to settle for a reject, rather than drop. Thanks for your help

cheers...pix