LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-31-2001, 01:14 PM   #1
santiagodelgado, LQ Newbie
Iptables Firewall Leak?


I just set up an iptables firewall on my Linux box and when I nmap'ed it, instead of not being able to see the ports I had closed, nmap found them and said they were "filtered". Does this pose any kind of security risk? Is there any way to configure iptables so that it doesn't even let port scanners like nmap know that there is a server bound to the port?

Thanks.
 
Old 10-31-2001, 04:22 PM   #2
unSpawn, Moderator
This will not pose any security risk in itself.
I think you'll find this an interesting answer.

IMO though, covering up ports as mentioned there won't lower risks. It's in the "security by obscurity" corner, in other words, providing a false sense of security.

---edit
Uh. Suppose I'd better elaborate a bit on it instead of cutting it this short. The TCP/IP 3-way handshake states that initiating traffic starts by sending a packet with the SYN flag set (+ some other options) to your server's service port:
N pSYN -> you
If all goes well you'll send one back, and tack an ACK on, saying they're recognized as wanting a connection, welcome.
N <- pSYN/ACK you
Now they acknowledge your ACK:
N pACK -> you.

If a port is not "bound" by an application (it is not in a listening state), the system responds with:
N pSYN -> you
N <- pRST(/ACK) you
*Note: this only goes as far as connect(SYN)/half-open(stealth) scans, which can only be used for TCP. FIN scans get the same treatment when a TCP port is encountered, but the system will act with an ICMP packet when UDP ports are targeted.

Ok. back to the box.
You see, for UDP scans an ICMP message is sent. You *could* decide to block (nearly) all ICMP type 3 traffic, but since UDP relies on ICMP for control messages this will break some stuff.

Ok, this shows I'm on ipchains and not using Netfilter/iptables right now, but IIRC, the basics are still the same. When you use REJECT on ipchains, for some awful reason it sends an ICMP (port unreachable) instead of an RST :-] OTOH, the DENY strategy blackholes traffic, it just drops the packets on the binary carpet. Looking at BSD's ipfw, it has a built-in option to send RSTs, ipchains can work with a helper app to achieve the same, other people even went as far as to redirect ports to a known closed one to achieve sending RSTs :-]

So, by now you know what to figure out for yourself: use a DENY-type strategy, and be known to *definitely have* a firewall (which is kinda interesting for practicing ACK scanning etc. etc. on), or use a REJECT-type strategy, meaning you won't be "l33t-invisible" but appearing more "innocent".

HTH somehow.

Last edited by unSpawn; 10-31-2001 at 05:26 PM.
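
Added example, not part of unSpawn's reply: the DENY-type and REJECT-type strategies above written as iptables rules, plus the nmap check that tells you which one a remote scanner sees. One detail the reply leaves to ipfw and ipchains helper apps: iptables' REJECT target can send the RST itself with `--reject-with tcp-reset`; its default, `icmp-port-unreachable`, is what makes a SYN scan report a port as "filtered" rather than "closed". The chain layout, the proto:port service list and the port numbers in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): the two strategies the reply
# contrasts, as iptables rules. Chain layout, port numbers and the service
# list are illustrative assumptions.
#
#   drop   : silently discard probes to unused ports. A SYN scan shows them as
#            "filtered" (UDP: "open|filtered"), which tells the scanner a
#            packet filter is there.
#   reject : answer the way an unfiltered host with nothing listening would:
#            TCP gets an RST, UDP gets ICMP type 3 code 3 (port unreachable).
#            nmap shows "closed", the same as a host with no firewall at all.

# Print the rule that handles a probe to PORT/PROTO under STRATEGY.
# PORT may be "all" to match every port of that protocol.
closed_port_rule() {
  port=$1 proto=$2 strategy=$3
  match="-p $proto"
  [ "$port" = all ] || match="$match --dport $port"
  case $strategy in
    drop)
      echo "iptables -A INPUT $match -j DROP" ;;
    reject)
      # tcp-reset is only valid for TCP; iptables refuses the rule otherwise,
      # so UDP gets the port-unreachable a real closed UDP port would send.
      if [ "$proto" = tcp ]; then
        echo "iptables -A INPUT $match -j REJECT --reject-with tcp-reset"
      else
        echo "iptables -A INPUT $match -j REJECT --reject-with icmp-port-unreachable"
      fi ;;
    *)
      echo "closed_port_rule: unknown strategy '$strategy'" >&2; return 1 ;;
  esac
}

# Print a complete INPUT ruleset. Services to allow are given as proto:port.
ruleset() {
  strategy=$1; shift
  case $strategy in drop|reject) ;; *) echo "ruleset: unknown strategy '$strategy'" >&2; return 1 ;; esac
  echo "iptables -F INPUT"
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # Replies to connections this host started (older kernels: -m state --state).
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Keep ICMP unreachables: UDP and path-MTU discovery depend on them, as the reply warns.
  echo "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"
  for svc in "$@"; do
    proto=${svc%%:*}; port=${svc##*:}
    echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
  done
  # Everything else: the DROP policy already blackholes it; reject needs explicit rules.
  if [ "$strategy" = reject ]; then
    closed_port_rule all tcp reject
    closed_port_rule all udp reject
  fi
}

# Number of commands a generated ruleset contains (handy for a sanity check).
rule_count() { ruleset "$@" | wc -l | tr -d ' '; }

# Usage: sh firewall.sh {drop|reject} [tcp:22 udp:53 ...]   -> prints the rules
#        sh firewall.sh {drop|reject} [...] | sudo sh        -> applies them
# Then, from another host:
#   nmap -sS -p 1-1024 <host>   unused ports: "filtered" under drop, "closed" under reject
#   nmap -sU -p 1-1024 <host>   unused ports: "open|filtered" under drop, "closed" under reject
if [ $# -gt 0 ]; then
  ruleset "$@"
fi
```

With the drop set, the scanner learns there is a filter but nothing about what sits behind it; with the reject set, the box looks like an unfiltered host with a few services and a lot of closed ports, which is the "innocent" appearance the reply describes. Both variants keep ICMP destination-unreachable accepted, so UDP and path MTU discovery keep working.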
 
Old 10-31-2001, 06:44 PM   #3
santiagodelgado, LQ Newbie (Original Poster)
Thanks.

unSpawn, thank you very much. If the response would have been any more complete it just might have been inserted into some kind of SECURITY-HOWTO. Thanks again.