January 2nd, 2003, 12:31 PM
#5
Firstly, I agree with onager: change the REJECT to DROP. Also, iptables does not "close" the ports; it takes the action you define at the entrance of the port itself. How did you test your script, just with a portscan, or did you actually try to connect to the ports mentioned? If the ports are set to REJECT, you can still see them as open in a portscan, but can you actually connect to them?
Then, to "hide" them from simple scans, also DROP/REJECT ICMP, since some scans have ping enabled, which is not blocked if you REJECT/DROP UDP and TCP.
Then the most important of all:
Block everything, then allow only what is really needed.
I hope the example below helps you.
(PS: $IPTABLES in your case is like you defined it: ./iptables)
ie.
This flushes all rules and should be at the beginning of most iptables scripts:
#Default policy and flush
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F #Flushing all chains (table filters)
$IPTABLES -t nat -F #Flushing all chains (table nat)
$IPTABLES -X #Delete all userdefined chains
#(Table filters)
------------------------------------------------------------
This allows your local connections (ssh localhost etc.):
#Local processes
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT #INPUT matches on the inbound interface (-i); -o is not valid here
------------------------------------------------------------
After you have blocked all access (the above), start allowing what you want to accept.
For example, the first step is always DNS, after that HTTP, FTP (both for input and output), etc.
i.e.
for your web browser:
#HTTP
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW \
-p tcp --sport $p_high --dport 80 \
-j ACCEPT #port 80; a service name must match /etc/services exactly (lowercase "http")
This is only a rough idea, but I hope it actually helps you out. What is important is that you actually have a policy. DON'T allow all and block out the few things you don't want; that's very unsafe. Instead, block everything and specifically allow only what you really need. The script you have posted will not prevent a trojan or any other service running on a port you did not mention, which is why you block everything first, then allow what is wanted/needed.
I also recommend you google for iptables tutorials and see what else you can come up with.
Good luck
Oops, what I forgot to mention: in my example I have $p_high and $EXT.
At the beginning of my script I have defined them:
This is used as source ports most of the time:
p_high="1024:65535" #Unprivileged ports (sh syntax)
and this is my interface (all this is only an example):
EXT="eth0"
You have to add a lot more to the iptables script to make it safe. Read up as much as you can on iptables.
Good luck
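A complete, runnable version of the default-deny script sketched in the post above, as an added example that is not part of the original post. It uses sh syntax, adds the ESTABLISHED,RELATED rules the sketch leaves out (without them the NEW-only HTTP rule lets the SYN out and the DROP policy eats every reply), allows inbound ssh only from an admin network, and runs in dry-run mode by default, printing the iptables commands instead of executing them so the ruleset can be reviewed before it is loaded. The `ipt` wrapper, the admin network 192.0.2.0/24, the interface eth0 and the binary path /sbin/iptables are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): default-deny iptables
# ruleset. DRY_RUN=1 (the default) prints each iptables command instead of
# running it, so the ruleset can be reviewed on a box without iptables.
# "sh firewall.sh --apply" switches DRY_RUN off and loads the rules for real.

IPTABLES=${IPTABLES:-/sbin/iptables}   # path to the binary (assumption)
EXT=${EXT:-eth0}                        # external interface (assumption)
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}    # where inbound ssh is allowed from (assumption)
P_HIGH="1024:65535"                     # unprivileged source ports
DRY_RUN=${DRY_RUN:-1}

# ipt: run or print one iptables invocation depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

firewall_rules() {
    # 1. Policy first, then flush: nothing is open while the rules load.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -t nat -F
    ipt -X

    # 2. Loopback: INPUT matches the inbound interface (-i), OUTPUT the outbound (-o).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. Return traffic for connections this host started. Without these two
    #    rules the NEW-only rules below let the SYN out and the DROP policy
    #    discards the SYN/ACK coming back, so no connection ever completes.
    ipt -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$EXT" -m state --state INVALID -j DROP

    # 4. Outbound services this host needs: DNS first, then web.
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -p udp --sport "$P_HIGH" --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -p tcp --sport "$P_HIGH" --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -p tcp --sport "$P_HIGH" --dport 80 -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -p tcp --sport "$P_HIGH" --dport 443 -j ACCEPT

    # 5. The only inbound service: ssh, and only from the admin network.
    ipt -A INPUT -i "$EXT" -s "$ADMIN_NET" -m state --state NEW -p tcp --dport 22 -j ACCEPT

    # 6. Silently drop ping so a ping sweep gets no answer; everything else
    #    falls through to the DROP policy, logged at a limited rate.
    ipt -A INPUT -i "$EXT" -p icmp --icmp-type echo-request -j DROP
    ipt -A INPUT -i "$EXT" -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
}

# Helpers for reviewing the generated ruleset in dry-run mode.
rule_count() { firewall_rules | wc -l | tr -d ' '; }
rules_matching() { firewall_rules | grep -c -- "$1"; }

if [ "$1" = "--apply" ]; then
    DRY_RUN=0
    firewall_rules
fi
```

Running the script with no arguments prints the 18 iptables commands it would execute; piping that through `rules_matching` is a quick way to confirm, before loading anything, that the loopback and ESTABLISHED,RELATED rules are present and that no ACCEPT rule exists for a port you did not intend to open.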