Is it better to set -j REJECT or -j DROP in iptables?

29

There is an example of iptables rules on the Arch Linux wiki:

# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Sun Mar 17 14:21:12 2013

A few days ago my friend asked me why there is REJECT in the last three rules. He told me there should be DROP, and he mentioned something about better security in the case of DROP.

So I have two questions:

  1. What do the three rules do?

  2. Does it make any difference when I put DROP there in place of REJECT --reject-with? If yes, what is the difference?

by Mikhail Morfikov 15.01.2014 / 16:06

1 answer

31

What do the three rules do?

These 3 rules seem fairly self-explanatory:

  1. Reject incoming UDP packets with an ICMP "port unreachable" message
  2. Reject incoming TCP packets with a "tcp reset"
  3. Reject incoming packets (of any other protocol) with an ICMP "protocol unreachable" message

If you are looking for more details (about UDP/TCP packets, ICMP), you will need to look up the networking documents and perhaps man iptables too.

Does it make any difference when I put DROP there in place of REJECT --reject-with? If yes, could someone explain the difference to me? I'll really appreciate it.

It does make a difference. And, contrary to popular belief, DROP does not offer better security than REJECT. It annoys legitimate users and, effectively, does not protect against malicious ones. This post explains the reasoning in detail:

link

A common reason for using DROP rather than REJECT is to avoid giving away information about which ports are open; however, discarding packets gives away exactly as much information as the rejection.

With REJECT, you do your scan and categorise the results into "connection established" and "connection rejected".

With DROP, you categorise the results into "connection established" and "connection timed out".

The most trivial scanner will use the operating system "connect" call and will wait until one connection attempt is completed before starting on the next. This type of scanner will be slowed down considerably by dropping packets. However, if the attacker sets a timeout of 5 seconds per connection attempt, it is possible to scan every reserved port (1..1023) on a machine in just 1.5 hours. Scans are always automated, and an attacker doesn't care that the result isn't immediate.

A more sophisticated scanner will send packets itself rather than relying on the operating system's TCP implementation. Such scanners are fast, efficient and indifferent to the choice of REJECT or DROP.

CONCLUSION

DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.

by 15.01.2014 / 16:25
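As an added example (written for this page, not code from the question, the answer or the linked post): a small Python parser over the INPUT chain from the listing above that reports, for each DROP/REJECT rule and for the chain policy, what the sending host observes. This is the "connection rejected" versus "connection timed out" distinction the answer draws; the rule text is embedded inline from the listing so it runs offline.

```python
import re
# The INPUT chain from the question's iptables-save listing, embedded so this runs offline.
RULES = """\
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
"""

# What the sender observes for each --reject-with type (icmp-port-unreachable is iptables' default).
REJECT_EFFECT = {
    "icmp-port-unreachable": "immediate ICMP port unreachable",
    "tcp-reset": "immediate TCP RST (connect() fails with ECONNREFUSED)",
    "icmp-proto-unreachable": "immediate ICMP protocol unreachable",
}

def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        m = re.match(r":(\S+) (\S+) \[", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            p = line.split()
            opt = lambda flag: p[p.index(flag) + 1] if flag in p else None
            rules.append({"chain": p[1], "proto": opt("-p") or "any",
                          "target": opt("-j"), "reject_with": opt("--reject-with")})
    return policies, rules

def client_view(target, reject_with=None):
    # DROP: no packet goes back, so the client only learns anything when its own timer expires.
    if target == "DROP":
        return "silence: client waits for its own timeout"
    if target == "REJECT":
        kind = reject_with or "icmp-port-unreachable"
        return REJECT_EFFECT.get(kind, "ICMP " + kind)

def terminal_rules(text, chain="INPUT"):
    """(proto, observation) for each DROP/REJECT rule in order, then the chain policy."""
    policies, rules = parse_rules(text)
    out = [(r["proto"], client_view(r["target"], r["reject_with"]))
           for r in rules if r["chain"] == chain and r["target"] in ("DROP", "REJECT")]
    out.append(("policy", client_view(policies[chain])))
    return out
```

Because the final catch-all REJECT rule matches every remaining packet, the chain's DROP policy is never reached for a packet that gets that far; only the INVALID-state rule actually drops.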