Monday, August 11, 2008

Iptables and TruStealth

I saw a thread on ubuntuforums.org yesterday; it's been there for a week now, but somehow I missed it earlier. Anyway, it's about the Shields UP test on Gibson Research Corporation's website.

Testing all service ports got me nowhere near true stealth. This is what I got after the first test,

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community


Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)


Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.



It was only after that that I realised I had no active firewall running! Iptables was not running at all. So I scoured the internet for an iptables guide. An hour and a half of reading tutorials and man pages later, it seemed quite interesting. Hence, instead of going for some already-available scripts, I set up my own rules.


# Generated by iptables-save v1.4.0 on Mon Aug 11 21:32:50 2008
*mangle
:PREROUTING ACCEPT [8311:783078]
:INPUT ACCEPT [8311:783078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4155:229785]
:POSTROUTING ACCEPT [4167:230625]
COMMIT
# Completed on Mon Aug 11 21:32:50 2008
# Generated by iptables-save v1.4.0 on Mon Aug 11 21:32:50 2008
*nat
:PREROUTING ACCEPT [4219:185647]
:POSTROUTING ACCEPT [1808:81444]
:OUTPUT ACCEPT [1808:81444]
COMMIT
# Completed on Mon Aug 11 21:32:50 2008
# Generated by iptables-save v1.4.0 on Mon Aug 11 21:32:50 2008
*filter
:INPUT DROP [6:336]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19:1289]
:OPEN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j OPEN
-A INPUT -i lo -j ACCEPT
-A OPEN -s 192.168.1.0/24 -i eth0 -p tcp -m multiport --dports 21,22,23,3306 -j ACCEPT
-A OPEN -s 192.168.1.0/24 -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OPEN -p tcp -m tcp --dport 65000:65010 -j ACCEPT
-A OPEN -p udp -m udp --dport 65000:65010 -j ACCEPT
COMMIT
# Completed on Mon Aug 11 21:32:50 2008


I opened the ports for ping, ftp, ssh, telnet and the mysql server only for my local network, and that 65000:65010 port range is for torrents. Other than that, everything else is blocked unless it's already established or related to an established connection, or the interface in question is the loopback. And as I wished, this time around I got a perfect "TruStealth" rating. Here is the complete summary,

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
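To see why the filter table above behaves the way the post describes, here is a small Python model of how netfilter walks the INPUT chain: rules are tried in order, a jump into the user-defined OPEN chain falls back to INPUT when nothing in OPEN matches, and the chain policy (DROP) is the verdict when the end of INPUT is reached. This is an added example written for this page, not code from the post or from the iptables project; the Packet class, the conntrack "state" field and the test addresses (203.0.113.5 for "the Internet", 192.168.1.10 for the LAN) are constructed, and only the matches that appear in the post's rules are modelled.

```python
"""Model of netfilter INPUT-chain evaluation for the filter table in the post (constructed example)."""
from dataclasses import dataclass
import ipaddress

# The post's filter rules, copied verbatim in iptables-save syntax.
FILTER_RULES = """\
:INPUT DROP [6:336]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19:1289]
:OPEN - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j OPEN
-A INPUT -i lo -j ACCEPT
-A OPEN -s 192.168.1.0/24 -i eth0 -p tcp -m multiport --dports 21,22,23,3306 -j ACCEPT
-A OPEN -s 192.168.1.0/24 -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OPEN -p tcp -m tcp --dport 65000:65010 -j ACCEPT
-A OPEN -p udp -m udp --dport 65000:65010 -j ACCEPT
"""


@dataclass
class Packet:
    """Constructed stand-in for an incoming packet plus its conntrack state."""
    src: str
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1   # ICMP type (8 = echo request)
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


def parse_rules(text):
    """Parse ':CHAIN POLICY' and '-A CHAIN ...' lines into policies and ordered rule lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy   # user chains have no policy
            chains[name] = []
        elif line.startswith("-A"):
            toks = line.split()
            rule = {"target": None, "m": {}}
            i = 2
            while i < len(toks):
                t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
                if t == "-j": rule["target"] = arg
                elif t == "-s": rule["m"]["src"] = ipaddress.ip_network(arg)
                elif t == "-i": rule["m"]["iface"] = arg
                elif t == "-p": rule["m"]["proto"] = arg
                elif t == "--dports": rule["m"]["dports"] = {int(p) for p in arg.split(",")}
                elif t == "--dport":
                    lo, _, hi = arg.partition(":")
                    rule["m"]["dports"] = set(range(int(lo), int(hi or lo) + 1))
                elif t == "--icmp-type": rule["m"]["icmp_type"] = int(arg)
                elif t == "--state": rule["m"]["states"] = set(arg.split(","))
                elif t != "-m":        # "-m <module>" just loads a match module; skip it
                    i -= 1             # unknown single token: advance by one only
                i += 2
            chains[toks[1]].append(rule)
    return policies, chains


def rule_matches(m, pkt):
    """A rule matches only if every match clause present on it agrees with the packet."""
    if "src" in m and ipaddress.ip_address(pkt.src) not in m["src"]: return False
    if "iface" in m and pkt.iface != m["iface"]: return False
    if "proto" in m and pkt.proto != m["proto"]: return False
    if "dports" in m and pkt.dport not in m["dports"]: return False
    if "icmp_type" in m and pkt.icmp_type != m["icmp_type"]: return False
    if "states" in m and pkt.state not in m["states"]: return False
    return True


def walk(chain, pkt, policies, chains):
    """Walk one chain in order; a user chain that falls through returns None so the caller continues."""
    for rule in chains[chain]:
        if not rule_matches(rule["m"], pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                       # jump into a user-defined chain
            result = walk(target, pkt, policies, chains)
            if result:
                return result                      # terminating verdict inside the sub-chain
    return policies[chain]                         # built-in policy, or None for user chains


def verdict(pkt, rules=FILTER_RULES):
    """Final INPUT verdict ("ACCEPT" or "DROP") for a packet under the post's rule set."""
    policies, chains = parse_rules(rules)
    return walk("INPUT", pkt, policies, chains)


if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "eth0", "tcp", dport=22),          # Internet -> ssh: DROP
              Packet("192.168.1.10", "eth0", "tcp", dport=22),         # LAN -> ssh: ACCEPT
              Packet("203.0.113.5", "eth0", "icmp", icmp_type=8),      # Internet ping: DROP
              Packet("127.0.0.1", "lo", "tcp", dport=80)):             # loopback: ACCEPT
        print(p, "->", verdict(p))
```

Two things the model makes visible that the post's summary only states: the loopback rule still works even though it sits after `-j OPEN`, because OPEN has no policy and simply returns to INPUT when nothing matches; and the 65000:65010 range carries no `-s` restriction, so it accepts from any source address, which the rule set permits by design for the torrent client. Silence to a probe here comes from the INPUT policy being DROP rather than REJECT: the kernel sends nothing back, which is exactly what the "TruStealth" result measures.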

2 Comments:

Davenull said...

sudo apt-get install firestarter


That is a way easier way to go about it. But learning to use IPTables on CLI is fantastic.

Sujoy said...

iptables seems so powerful, and I had fun setting it up :)