Re: iptables firewall script for debian-woody, 2.4.24
From: Jim (jim999_at_gmx.net)
Date: 19 May 2004 16:08:16 -0000
To: firstname.lastname@example.org
In-Reply-To: <4071BC2D.email@example.com>
>Gord Philpott wrote:
>>> I have used the script on other systems, and have commented out the
>>> ports that are not needed for this setup. When I nmap the server
>>> with the firewall script off, I get different results than when the
>>> firewall script is on. I am looking to have the ports needed to run
>>> DNS and SSH available regardless of the firewall status.
>>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
>>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
>>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
>You hope that the destination port for incoming DNS queries will be 53.
>This is not true. The same goes for SSH.
This thought is wrong. Of course SSH and DNS are
services, which are connected on the ports 22 and 53 as
destination, so in principle this should work.
But only for TCP, as you only allow traffic TO
those ports, not the other way round. So what
you're missing are most responses on UDP, since
not all DNS queries also use port 53 on their
local side; especially NMAP won't work that way,
and your STATE=RELATED does not seem to work
(and "ESTABLISHED" is always wrong in UDP), so
I would add the following lines:
$IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
and the same for the other port that did not work.
But I have to tell you, that I saw some more un-nice
things in your script and will be sending you
a commented version
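The point argued in this thread, as an added example that is not part of the original mailing-list exchange: a deliberately simplified model of how an OUTPUT chain evaluates the quoted rules against a DNS or SSH server's reply packets. It parses the `$IPTABLES -A OUTPUT ...` lines from the thread, applies first-match semantics with a default DROP policy, and shows that a UDP reply leaving from source port 53 towards a random client port matches none of the `--destination-port` rules unless connection tracking has already classified it as ESTABLISHED, while the `--source-port 53` rule Jim proposes matches it regardless. The packet records, the two-valued state model ("NEW" versus "ESTABLISHED") and the DROP policy are assumptions of this example; it does not reproduce real netfilter conntrack behaviour.

```python
"""Toy model of iptables OUTPUT-chain matching for the rules quoted in the thread.

This is an added example, not code from the original post. It models only the
options used in the thread (-p, --destination-port, --source-port, --state, -j)
and a two-state connection tracker; everything else is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port on this host
    dport: int   # destination port on the peer


@dataclass
class Rule:
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: FrozenSet[str] = frozenset()  # empty set means "no -m state match"
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        """Every specified option must match, as in iptables."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and state not in self.states:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one '$IPTABLES -A OUTPUT ...' line of the form used in the thread."""
    tokens = line.split("#", 1)[0].split()  # drop the trailing '# DNS' style comment
    rule = Rule()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-p":
            rule.proto = tokens[i + 1]; i += 2
        elif tok in ("--destination-port", "--dport"):
            rule.dport = int(tokens[i + 1]); i += 2
        elif tok in ("--source-port", "--sport"):
            rule.sport = int(tokens[i + 1]); i += 2
        elif tok == "--state":
            rule.states = frozenset(tokens[i + 1].split(",")); i += 2
        elif tok == "-j":
            rule.target = tokens[i + 1]; i += 2
        else:
            i += 1  # $IPTABLES, -A, OUTPUT, -m state: no effect on matching here
    return rule


def evaluate(rules: List[Rule], pkt: Packet, state: str = "NEW",
             policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt, state):
            return rule.target
    return policy


# The OUTPUT rules quoted from the original script.
ORIGINAL_RULES = [parse_rule(l) for l in [
    "$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "$IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS",
    "$IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS",
    "$IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH",
]]
# The extra rule proposed in the reply.
FIX_RULE = parse_rule("$IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT")

# Constructed packets (assumed port numbers) leaving the server.
DNS_REPLY = Packet("udp", 53, 33333)      # answer to a client's query
SSH_REPLY = Packet("tcp", 22, 40000)      # server side of an SSH session
OWN_DNS_QUERY = Packet("udp", 33334, 53)  # the server resolving a name itself


def verdicts(rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Verdict for each constructed packet with and without conntrack help."""
    pkts = {"dns_reply": DNS_REPLY, "ssh_reply": SSH_REPLY, "own_query": OWN_DNS_QUERY}
    return {(name, st): evaluate(rules, p, st)
            for name, p in pkts.items() for st in ("NEW", "ESTABLISHED")}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("with fix", ORIGINAL_RULES + [FIX_RULE])):
        for (name, st), v in verdicts(rules).items():
            print(f"{label:9} {name:10} state={st:11} -> {v}")
```

Run it and the table shows why the poster's nmap results differed: with the original rules the DNS reply is accepted only when the tracker reports it as ESTABLISHED, and is dropped otherwise, whereas the server's own outbound lookup (`--destination-port 53`) is always accepted. Adding the `--source-port 53` rule accepts the reply in both states, at the cost of allowing anything sending from local UDP port 53 out, which is the trade-off to weigh against relying on connection tracking.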