Web Hosting Talk

UDP blocking.


cirrusrex
05-31-2001, 07:16 PM
I am trying to block all incoming traffic to ports 517,518 (udp) to anywhere except localhost. I am also trying to block port 68 (udp) from everywhere. The rules I am using are as follows:

#Filter talk
/sbin/ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 517
/sbin/ipchains -A input -p udp -j ACCEPT -s 127.0.0.1 -i eth0 -d 127.0.0.1 517
#Filter ntalk
/sbin/ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 518
/sbin/ipchains -A input -p udp -j ACCEPT -s 127.0.0.1 -i eth0 -d 127.0.0.1 518
#Filter bootp
/sbin/ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 68

I have been successful at using the above methods to block certain tcp ports like MySQL. If I check the ipchains (ipchains -L) the above posted rules show up correctly, a rule to block 517, 518, 68 and two rules to allow both 517 and 518 to localhost only. A udp portscan however shows that those three ports are available.
Any ideas?
-matt

wbglinks.net
06-01-2001, 08:50 AM
Sorry for being so lazy, but I really didn't look at your chains at any great depth. Though looking at them VERY quickly I saw no problems.

The next thing I was wondering, are you using nmap to scan your system?
If so, I recommend scanning your box like this:
$nmap 12.12.12.12

12.12.12.12 being your actual ip address; in other words, don't scan like this:

$nmap localhost
or like this
$nmap 127.0.0.1

This should help, and should show that your chains are blocking traffic from the outside world.

Lilac Echo
http://www.wbglinks.net

cperciva
06-01-2001, 09:17 AM
You should always work on a "default deny" policy. Block all ports, and then open up holes for anything (e.g., DNS) you want to allow. That way you can avoid opening up new security holes if/when your system configuration changes: while it is easy to not notice an open UDP port, it is quite easy to notice that an application isn't working (and then open up a hole for that application).

cirrusrex
06-01-2001, 09:39 AM
The next thing I was wondering, are you using nmap to scan your system?
Yes
12.12.12.12 being your actual ip address; in other words, don't scan like this:

$nmap localhost
or like this
$nmap 127.0.0.1

This should help, and should show that your chains are blocking traffic from the outside world.

I do my portscanning from another box altogether

You should always work on a "default deny" policy.
Agreed. However I am administering it from a remote location and it becomes a little more complicated. I just can't say DENY everything [i.e. "Oops I blocked everything, where did my SSH connection go?" :) ]. Anyways I have everything blocked save those three previously mentioned ports that need to be blocked.
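The talk/ntalk rules from the first post, run through a toy first-match evaluator (an added example written for this thread, not code from the posters or from ipchains): in an ipchains chain the first matching rule wins, so a localhost ACCEPT appended after a blanket DENY can never fire, and binding it to eth0 is a second reason it never matches, since 127.0.0.1 traffic arrives on lo. DENY also drops silently, and a UDP scanner reads silence as open|filtered rather than closed, which is why the scan still lists the ports. FIXED is an assumed reordering for illustration, and the addresses 203.0.113.9 and 198.51.100.7 are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# target: ACCEPT, DENY (silent drop) or REJECT (ICMP unreachable)
# iface: "eth0"/"lo" as in -i, or None for any; src/dst: address or CIDR
# dport: destination port, or None for any
Rule = namedtuple("Rule", "target proto iface src dst dport")
Packet = namedtuple("Packet", "proto iface src dst dport")

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.iface in (None, pkt.iface)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def verdict(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """ipchains semantics: first matching rule wins, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

def probe_response(target: str) -> str:
    """What an external UDP probe elicits; a scanner reads 'no response'
    as open|filtered, and an ICMP port unreachable as closed."""
    return {"DENY": "no response", "REJECT": "icmp port unreachable",
            "ACCEPT": "delivered to socket"}[target]

ANY, LOCAL = "0.0.0.0/0", "127.0.0.1"
# The talk/ntalk rules as posted: the blanket DENY precedes the localhost
# ACCEPT, and that ACCEPT is bound to eth0, where 127.0.0.1 never appears.
POSTED = [Rule("DENY", "udp", "eth0", ANY, ANY, 517),
          Rule("ACCEPT", "udp", "eth0", LOCAL, LOCAL, 517),
          Rule("DENY", "udp", "eth0", ANY, ANY, 518),
          Rule("ACCEPT", "udp", "eth0", LOCAL, LOCAL, 518)]
# Assumed reordering for illustration: loopback exception first and bound
# to lo; the blanket rule REJECTs so an outside scan sees the port closed.
FIXED = [Rule("ACCEPT", "udp", "lo", LOCAL, LOCAL, 517),
         Rule("ACCEPT", "udp", "lo", LOCAL, LOCAL, 518),
         Rule("REJECT", "udp", None, ANY, ANY, 517),
         Rule("REJECT", "udp", None, ANY, ANY, 518)]
# Constructed sample packets: a local talk request and one from outside.
LOOPBACK_TALK = Packet("udp", "lo", LOCAL, LOCAL, 517)
REMOTE_TALK = Packet("udp", "eth0", "203.0.113.9", "198.51.100.7", 517)

if __name__ == "__main__":
    for pkt in (LOOPBACK_TALK, REMOTE_TALK):
        print(pkt.iface, verdict(POSTED, pkt), verdict(FIXED, pkt))
```

Note that under the posted chain the loopback request is only accepted by the default policy, so switching to the default-deny policy recommended above (policy="DENY") silently breaks local talk until the exception is moved ahead of the DENY and bound to lo.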