Re: iptables firewall script for debian-woody, 2.4.24

From: Jim (
Date: 05/19/04

  • Next message: Beth Skwarecki: "RE: Secure Form Script?"
    Date: 19 May 2004 16:08:16 -0000

    >Gord Philpott wrote:
    >>> I have used the script on other systems, and have commented out the
    >>> ports that are not needed for this setup. When I nmap the server
    >>> with the firewall script off, I get different results than when the
    >>> firewall script is on. I am looking to have the ports needed to run
    >>> DNS and SSH available regardless of the firewall status.
    >>> $IPTABLES -A OUTPUT -p tcp --destination-port 53 -j ACCEPT # DNS
    >>> $IPTABLES -A OUTPUT -p udp --destination-port 53 -j ACCEPT # DNS
    >>> $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT # SSH
    >You hope that the destination port for incoming DNS queries will be 53.
    >This is not true. The same is true for SSH.

    This thought is wrong. Of course SSH and DNS are
    services, which are connected on the ports 22 and 53 as
    destination, so in principle, this should work.
    But only for TCP, as you only allow traffic TO
    those ports, not the other way round. So what
    you're missing are most responses on UDP, since
    not all DNS queries also use port 53 on their
    local side, especially NMAP won't work that way,
    and your STATE=RELATED does not seem to work
    (and "ESTABLISHED" is always wrong in UDP), so
    I would add the following lines:
    $IPTABLES -A OUTPUT -p udp --source-port 53 -j ACCEPT
    The same for the other port that did not work.

    But I have to tell you that I saw some more un-nice
    things in your script and will be sending you
    a commented version.
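As an added illustration (not code from this thread or from Gord's script), the following stateful rule set lets a DNS+SSH host accept new connections to its services on INPUT and relies on conntrack for the replies in both directions, so UDP answers to random client-side ports are covered without per-port OUTPUT rules. The interface name `eth0` and the helper names `build_rules` and `count_rules_for` are my own assumptions; setting `IPTABLES=echo` gives a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not part of the original thread: stateful iptables rules
# for a host that serves DNS (tcp/udp 53) and SSH (tcp 22).
# Assumptions: iptables with the "state" match available; eth0 is a
# placeholder interface; IPTABLES=echo turns every rule into a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"
SRV_IF="${SRV_IF:-eth0}"

build_rules() {
    # Default-deny inbound; outbound stays open, as the original script wanted.
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback is needed by the local resolver and local tools.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to anything this host initiated, TCP and UDP alike: conntrack
    # tracks the UDP 5-tuple, so a DNS answer to a random local port matches.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the network: only NEW flows to these ports get in.
    $IPTABLES -A INPUT -i "$SRV_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$SRV_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$SRV_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log (rate-limited) what is about to hit the DROP policy, for later review.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Dry-run check: how many INPUT rules open a given protocol/port. Run this
# before loading the rules for real to confirm exactly the intended ports.
count_rules_for() {
    ( IPTABLES=echo; build_rules ) | grep -c -- "-p $1 --dport $2 " || true
}
```

Calling `build_rules` with the default `IPTABLES` loads the rules; `count_rules_for udp 53` prints `1` and `count_rules_for udp 22` prints `0` without touching the running firewall.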
