Re: iptables/ dns question (newb)
From: asadchev (***asadchev***@softhome.net)
Date: 03/25/03
- Next message: The Student: "Re: Strange Freeze-ups"
- Previous message: The Student: "Re: Strange Freeze-ups"
- In reply to: joebob: "iptables/ dns question (newb)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: asadchev <***asadchev***@softhome.net> Date: Mon, 24 Mar 2003 21:24:23 -0500
On Mon, 24 Mar 2003 14:51:36 -0800
joebob <joebob@nospam.com> wrote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Sometimes the nameserver will also send a TCP packet if the data can't fit in UDP, but that is not very likely.
ESTABLISHED,RELATED matches packets that are part of, or somehow related to (like ICMP error messages), the established connection.
NEW matches new packets.
ESTABLISHED, RELATED, NEW, and a few other matches make it really easy to filter packets, and IMO it is an added level of security rather than specifying ports >1023 explicitly.
You have to have conntrack as a module or in the kernel for this to work.
It is part of the standard iptables mechanism though, and chances are it is already in the kernel.
-- GrOb and Kino - 32 Kbits mono streams http://inix.ath.cx:8000/grob-radio http://inix.ath.cx:8000/kino-radio
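As an added illustration (not part of asadchev's reply or of iptables itself), here is a small Python model of how connection tracking classifies the packets those two rules see. It is a simplified stand-in for the kernel's conntrack, with constructed addresses and a default DROP policy assumed on both chains. It also shows the two points made in the reply: an unsolicited inbound UDP packet to a high port, which a plain "ports >1023" rule would let in, is dropped as NEW; and the TCP fallback to port 53 is not covered by the UDP-only OUTPUT rule.

```python
"""Simplified model of Linux connection tracking applied to the two rules
from the post (constructed example; not the kernel's conntrack code).

Rules modelled:
  iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
with an assumed default policy of DROP on both chains.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "OUTPUT" (leaving the host) or "INPUT" (arriving)
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    # For ICMP errors: the 5-tuple of the original packet quoted in the error
    icmp_error_for: Optional[tuple] = None


class ConnTracker:
    """Remembers UDP/TCP 5-tuples the host has sent so replies can be classified."""

    def __init__(self):
        self.flows = set()

    def classify(self, pkt):
        if pkt.proto == "icmp" and pkt.icmp_error_for:
            # An ICMP error quoting a tracked flow is RELATED to that flow
            return "RELATED" if pkt.icmp_error_for in self.flows else "INVALID"
        if pkt.direction == "OUTPUT":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return "ESTABLISHED" if key in self.flows else "NEW"
        # Inbound: is this the reply direction of a flow we started?
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reply_key in self.flows else "NEW"

    def record(self, pkt):
        if pkt.direction == "OUTPUT" and pkt.proto in ("udp", "tcp"):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def stateful_firewall(pkt, state):
    """The two rules from the post, with DROP as the chain policy."""
    if pkt.direction == "INPUT" and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if (pkt.direction == "OUTPUT" and pkt.proto == "udp"
            and pkt.dport == 53 and state == "NEW"):
        return "ACCEPT"
    return "DROP"


def portrange_firewall(pkt):
    """Stateless alternative the post argues against: accept anything to ports >1023."""
    if pkt.direction == "INPUT" and pkt.dport > 1023:
        return "ACCEPT"
    if pkt.direction == "OUTPUT" and pkt.dport == 53:
        return "ACCEPT"
    return "DROP"


def run(packets):
    """Pass packets through the tracker and both rule sets; return (state, stateful, stateless) per packet."""
    tracker = ConnTracker()
    results = []
    for pkt in packets:
        state = tracker.classify(pkt)
        verdict = stateful_firewall(pkt, state)
        if verdict == "ACCEPT":
            tracker.record(pkt)          # only accepted packets create conntrack entries
        results.append((state, verdict, portrange_firewall(pkt)))
    return results


# Constructed addresses (documentation ranges), not real hosts
HOST, NS, STRANGER = "192.0.2.10", "192.0.2.53", "203.0.113.7"
TRAFFIC = [
    Packet("OUTPUT", "udp", HOST, 40321, NS, 53),          # DNS query
    Packet("INPUT", "udp", NS, 53, HOST, 40321),           # its reply
    Packet("INPUT", "udp", STRANGER, 53, HOST, 40999),     # unsolicited packet from port 53
    Packet("INPUT", "icmp", NS, 0, HOST, 0,
           icmp_error_for=("udp", HOST, 40321, NS, 53)),   # port-unreachable for our query
    Packet("OUTPUT", "tcp", HOST, 40322, NS, 53),          # TCP fallback for a large answer
]

if __name__ == "__main__":
    for pkt, (state, stateful, stateless) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{pkt.direction:6} {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  state={state:11} stateful={stateful:6} ports>1023={stateless}")
```

Running it shows the DNS reply and the ICMP error accepted as ESTABLISHED and RELATED, the unsolicited packet dropped where the ">1023" rule would have accepted it, and the outbound TCP query dropped because the OUTPUT rule names udp only; a second OUTPUT rule with `-p tcp --dport 53` would be needed to cover the fallback the reply mentions.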