What do the three rules do?
These three rules look fairly self-explanatory:
- Reject incoming UDP packets with an ICMP "port unreachable" message
- Reject incoming TCP packets with a "tcp reset"
- Reject incoming packets (of any other protocol) with an ICMP "protocol unreachable" message
If you are looking for more details (about UDP/TCP packets, ICMP), you will need to look at the networking documentation and perhaps `man iptables` as well.
Does it make any difference when I put DROP there in place of REJECT --reject-with? If yes, could someone explain the difference to me? I'd really appreciate it.
It does make a difference. And, contrary to popular belief, DROP does not offer better security than REJECT. It annoys legitimate users and, in practice, does not protect against malicious ones. This post explains the reasoning in detail:
A common reason for using DROP rather than REJECT is to avoid giving away information about which ports are open, however, discarding packets gives away exactly as much information as the rejection.
With REJECT, you do your scan and categorise the results into "connection established" and "connection rejected".
With DROP, you categorise the results into "connection established" and "connection timed out".
The most trivial scanner will use the operating system "connect" call and will wait until one connection attempt is completed before starting on the next. This type of scanner will be slowed down considerably by dropping packets. However, if the attacker sets a timeout of 5 seconds per connection attempt, it is possible to scan every reserved port (1..1023) on a machine in just 1.5 hours. Scans are always automated, and an attacker doesn't care that the result isn't immediate.
A more sophisticated scanner will send packets itself rather than relying on the operating system's TCP implementation. Such scanners are fast, efficient and indifferent to the choice of REJECT or DROP.
CONCLUSION
DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.
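To make the quoted argument concrete for checking your own firewall, here is an added example (not code from the question, either answer, or the quoted post). It classifies a single TCP connect attempt into the three outcomes the post names ("connection established", "connection rejected", "connection timed out"), shows that the knowledge derived from a set of probes, the set of open ports, is the same under either policy, and computes the time cost DROP imposes on a serial connect() scanner. It uses only loopback sockets so it runs offline; the "timed out" branch is what a DROP rule produces on a real host and is not provoked here, since loopback has no firewall in the path. The function and variable names are this example's own.

```python
# Added example, not code from the original question or answers. It uses only
# loopback sockets so it runs offline; the "timed out" branch is what a DROP
# rule produces on a real host and cannot be provoked on loopback here.
import socket


def classify_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt the way a trivial connect() scanner would.

    'established' : the three-way handshake completed (port open).
    'rejected'    : the peer answered with RST, which is what
                    REJECT --reject-with tcp-reset sends, and also what an
                    unfiltered closed port sends.
    'timed out'   : nothing came back within `timeout`, which is what DROP
                    produces. The port is just as clearly not open.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "established"
    except ConnectionRefusedError:
        return "rejected"
    except (socket.timeout, TimeoutError):
        return "timed out"
    finally:
        s.close()


def open_ports_from(observations: dict) -> set:
    """What the prober learns is identical under both policies: the set of
    ports whose probe was 'established'. Everything else is 'not open'."""
    return {p for p, o in observations.items() if o == "established"}


def worst_case_scan_seconds(ports, per_port_timeout: float) -> float:
    """Cost DROP imposes on a serial connect() scanner: every non-open port
    burns the full timeout instead of returning at once."""
    return len(list(ports)) * per_port_timeout


def listening_socket() -> tuple:
    """Open a loopback listener on an ephemeral port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port() -> int:
    """Grab an ephemeral port and release it so a connect() to it is refused
    (a RST, the REJECT case). There is a small race, acceptable for a demo."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe one open and one closed loopback port; return {port: outcome}."""
    srv, open_port = listening_socket()
    closed_port = unused_port()
    try:
        obs = {
            open_port: classify_probe("127.0.0.1", open_port),
            closed_port: classify_probe("127.0.0.1", closed_port),
        }
    finally:
        srv.close()
    return obs


if __name__ == "__main__":
    results = demo()
    for port, outcome in results.items():
        print(f"port {port}: {outcome}")
    print("open ports learned:", open_ports_from(results))
    hours = worst_case_scan_seconds(range(1, 1024), 5) / 3600
    print(f"serial probe of 1..1023 with a 5 s timeout against DROP: {hours:.2f} h")
```

Against a host using REJECT, a closed port comes back as "rejected" at once; against a host using DROP the same port comes back as "timed out" after the full timeout. In both cases `open_ports_from` yields the same set, which is the post's point: DROP changes the waiting time, not the information. The time cost for the post's scenario, 1023 ports at 5 seconds each, is 5 115 seconds, roughly the hour and a half the post mentions.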