
iptables question


stevenriz (IS-IT--Management), May 21, 2001
This is from the iptables status screen. It seems bad to me; it seems to be telling me we are wide open for connectivity.

ACCEPT tcp -- anywhere xxx.xxx.xxx.xxx tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere xxx.xxx.xxx.xxx state RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT tcp -- anywhere xx.xx.xx.xx

 
Without the rest of your ruleset, or at least the chain these rules are located in, I can't be sure.

Those rules are stateful, that is, they look at connections for legitimate two-way communication before allowing such traffic. So unless a client starts a connection, these rules still preclude wanton communication as far as I can tell, but without more info, YMMV.

Personally, I usually configure my ephemeral ports within a certain range in /proc/sys and then design rulesets that take this into account. The range of ports in your set is rather large. 1024-5999 and 20000-65000 is usually a good bet.
 
Thanks! Shall I post the entire ruleset? It is large. I would want to filter out the public addresses for security just in case, correct?
 
No, you don't have to do that.
There are just some basic things to keep in mind.

1. Is your INPUT policy sane? Remember that the firewall box is the only machine that will actually see this traffic. What services do you want to allow from untrusted and trusted networks into this box?

2. The FORWARD chain provides your functionality for actually admitting traffic, outside the prerouting nat chain. This is where you can secure your networks granularly, do egress and access logging, etc., and where, IMHO, the policy should always be set to DROP. YMMV.

3. The OUTPUT chain is really kind of a failsafe for egress logging from the firewall. I only use this for logging purposes, or if I need IP-based dst restrictions for certain hosts or traffic types.

4. The nat (sub)chains are useful for all your specialized traffic, NAT, PAT, etc. Don't forget to set sane policies here as well. Otherwise you will be allowing behavior that you may not really want.

If you have specific ruleset section concerns, post these instead of the whole thing please. ;)


 
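The following script is an added example, not code from the original thread or from either poster, that puts the two replies above into one concrete ruleset: stateful ESTABLISHED,RELATED acceptance, an OUTPUT rule pinned to a configured ephemeral port range (the /proc/sys suggestion from the first reply), and the four chain-by-chain points from the second reply (INPUT and FORWARD default to DROP, OUTPUT used for egress logging, nat policies set explicitly). The interface names, LAN subnet and allowed services are hypothetical; the ruleset is emitted in iptables-restore format so it can be reviewed before it is loaded. It uses the conntrack match rather than the older `-m state` seen in the poster's output; the two are equivalent for ESTABLISHED,RELATED.

```shell
#!/bin/sh
# Assumed values (hypothetical; adjust for your box). Overridable from the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Ephemeral range the firewall itself will use for connections it originates.
EPHEMERAL_LO=20000
EPHEMERAL_HI=65000

# Emit the whole ruleset as text in iptables-restore format, so the policy can
# be inspected (or tested) before it ever reaches the kernel.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN hosts leaving through the WAN interface
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Log then drop, rate-limited so an attacker cannot fill the logs
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# 1. INPUT: only the firewall itself sees this. Loopback, replies to
#    connections the box opened, and SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# 2. FORWARD: the chain that actually admits traffic between networks.
#    LAN may open HTTP/HTTPS/DNS outward; inbound is accepted only as replies.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
# 3. OUTPUT: egress from the firewall itself. Policy stays ACCEPT, but a new
#    TCP connection from outside the configured ephemeral range is logged and
#    dropped, so anything odd the box itself originates shows up in the log.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m conntrack --ctstate NEW ! --sport $EPHEMERAL_LO:$EPHEMERAL_HI -j LOGDROP
COMMIT
EOF
}

# Default policy of CHAIN as written in the generated ruleset, e.g.
# "chain_policy FORWARD" prints DROP. Handy as a pre-load sanity check.
chain_policy() {
  gen_rules | awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Make the kernel's ephemeral range match the OUTPUT rule (root only).
set_ephemeral_range() {
  echo "$EPHEMERAL_LO $EPHEMERAL_HI" > /proc/sys/net/ipv4/ip_local_port_range
}

# iptables-restore loads each table atomically, so a half-applied ruleset
# never leaves the box open the way a failing sequence of iptables calls can.
apply_rules() {
  [ "$(chain_policy FORWARD)" = "DROP" ] || { echo "refusing: FORWARD policy is not DROP" >&2; return 1; }
  set_ephemeral_range
  gen_rules | iptables-restore
}

# Dry run by default; "apply" actually loads the rules.
case "${1:-}" in
  apply) apply_rules ;;
  *)     gen_rules ;;
esac
```

Run it without arguments to print the ruleset for review, then `sh firewall.sh apply` as root to load it. The refusal check in `apply_rules` is the point of keeping the rules as text: the policy that matters most is verified before anything is loaded.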
Also, if you have to filter out your public IP addresses, then you don't have much faith in your firewall rules. Unless you're afraid of some random DDoS.
 