Re: allow ports above 1024
From: Bryan Packer (bryanp@visi.com)
Date: 02/05/03
- Next message: SysAdm: "Re: Security Guidance - Part II"
- Previous message: JR: "Re: How to Secure Your Browsers from Malicous Hackers"
- In reply to: bob davis: "allow ports above 1024"
- Next in thread: steve harris: "Re: allow ports above 1024"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 04 Feb 2003 20:49:41 -0600
From: Bryan Packer <bryanp@visi.com>
bob davis wrote:
>
> Hi, I have an iptables firewall script and it allows packets above 1024.
> The stated reason is that these are return packets and they have to be
> allowed.
This would probably be the worst possible way to allow reply packets
back in.
> I have noticed most return packets are above 2000. What
> determines the port number of the return packets?
When you initiate a connection of some sort, the sending machine sends a
packet to the destination port of the service to be used (80=http,
23=telnet, 53=DNS, etc) and it assigns a random unprivileged port
(>1024) to use as the source port. When a remote machine replies to you
it uses the port your machine called the destination port as its source
port, and what your machine used as the source port as its destination
port. (i.e. outbound packet DPT=80 and SPT=1161, reply packet DPT=1161
and SPT=80).
> Can I change the rule
> below to 2048? Is there another way that iptables blocks incoming
> connections above 1000? I want to do this because sqlserver and mysql
> and just about every db is between 1000-2000.
>
> iptables -A EXT-IF -p tcp --dport 1024: -j ACCEPT
iptables -A EXT-IF -d $YourAddress(or range) -m state --state ESTABLISHED,RELATED -j ACCEPT
This only allows packets back in if they are part of a session initiated
from inside your network. The other rule allows any packet at all so
long as its destination port is high. Iptables is stateful; you should
use it accordingly.
bryan
-- Some people just don't know how to drive...I call these people "Everybody But Me".
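The difference between the two rules in this thread, as an added illustration that is not part of the original post: a small Python model of a connection tracker in which the "--dport 1024:" rule and the ESTABLISHED,RELATED rule are applied to the same constructed traffic (addresses, source port 1161 and the database ports are assumed sample values; real conntrack handles far more than this four-tuple check).

```python
# Added example (not from the thread): a simplified model contrasting the two
# rules discussed above. Addresses and ports are constructed; real netfilter
# connection tracking is richer (TCP state, timeouts, RELATED helpers).
from dataclasses import dataclass

OUR_HOST = "192.0.2.10"  # constructed address of the firewalled machine

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a new connection attempt

def high_port_rule(pkt, conntrack):
    """Model of 'iptables -A EXT-IF -p tcp --dport 1024: -j ACCEPT':
    anything aimed at an unprivileged port gets in, solicited or not."""
    return pkt.dport >= 1024

def established_related_rule(pkt, conntrack):
    """Model of '-m state --state ESTABLISHED,RELATED -j ACCEPT': the packet
    must belong to a flow the connection tracker already saw us initiate."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in conntrack

def track_outbound(pkt, conntrack):
    """Connection tracking: record the 4-tuple of a flow our host opened."""
    if pkt.src == OUR_HOST and pkt.syn:
        conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

def evaluate(rule, outbound, inbound):
    """Apply `rule` to each inbound packet after tracking our outbound ones.
    Returns a list of booleans (True = ACCEPT)."""
    conntrack = set()
    for pkt in outbound:
        track_outbound(pkt, conntrack)
    return [rule(pkt, conntrack) for pkt in inbound]

# Constructed traffic mirroring the thread: we open port 80 from source port 1161.
OUTBOUND = [Packet(OUR_HOST, 1161, "203.0.113.5", 80, syn=True)]
INBOUND = [
    Packet("203.0.113.5", 80, OUR_HOST, 1161),                # genuine reply
    Packet("198.51.100.7", 40000, OUR_HOST, 1433, syn=True),  # unsolicited, MSSQL port
    Packet("198.51.100.7", 40001, OUR_HOST, 3306, syn=True),  # unsolicited, MySQL port
    Packet("198.51.100.7", 80, OUR_HOST, 1161),               # looks like a reply, wrong peer
]

if __name__ == "__main__":
    for name, rule in (("--dport 1024:", high_port_rule),
                       ("ESTABLISHED,RELATED", established_related_rule)):
        print(name, evaluate(rule, OUTBOUND, INBOUND))
```

Only the first inbound packet is a real reply; the high-port rule accepts all four, the stateful rule accepts just that one.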