
Re: iptables rules : two in one



Andrey Kozlov wrote:
> Hello,
> 
> using connection tracking you can define common rules for ongoing
> traffic on top of your rule set:
> 
> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> and then add specific rules for any required services, e.g.:
> 
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>        -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
> 
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>        -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
> 
So it means I accept both 'established' and 'related' connections
from/to any ports. Then, I allow 'new' connections to port 110 (for
pop.1and1.fr and pop.mail.yahoo.co.uk).
In the end, 'established' or 'related' connections from/to port 4895,
for instance, will be accepted as well.
Unless I am wrong, it is not really interesting in case I have made a
mistake in my firewall and accept 'new' connections from/to port 4895.
I allow more than I should without any reason.

Is that right?

> -- 
> Regards,
> Kozlov Andrey.
> 
> 
>> I have got some iptables rules such as :
>>
>> Code:
>>
>>        iptables -A OUTPUT -o eth0 -p tcp -d pop.mail.yahoo.co.uk
>> --dport 110 --sport $UNPRIVPORTS -m state --state
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>>        iptables -A OUTPUT -o eth0 -p tcp -d pop.1and1.fr --dport 110
>> --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>        iptables -A INPUT -i eth0 -p tcp -s pop.mail.yahoo.co.uk --sport
>> 110 --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>>        iptables -A INPUT -i eth0 -p tcp -s pop.1and1.fr --sport 110
>> --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> and I would like to put them on only two lines. I glanced at the man
>> page but I have not found anything of interest.
>>
>> Is that possible?
>>
> 
> 

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF  9A3C C490 534E 75C0 89FE
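To make the point raised in the question above concrete, here is an added example (not code from the thread) that models iptables first-match evaluation with conntrack states in Python. It assumes a default DROP policy, labels each packet with the state conntrack would assign, and adds a hypothetical mistaken NEW rule for port 4895 to compare the generic rule set with the fully explicit one; `reply_verdict`, the host name `me` and the port numbers are constructed.

```python
# Constructed model of iptables first-match evaluation with conntrack states.
# Simplification (assumption): each packet already carries the state the kernel's
# conntrack would assign (first SYN = NEW, the answer = ESTABLISHED); no real netfilter.
UNPRIVPORTS = range(1024, 65536)

def rule(chain, state, target="ACCEPT", **match):
    """Build a rule; match keys mirror the iptables options used in the thread."""
    return {"chain": chain, "states": set(state.split(",")), "target": target, **match}

def matches(r, pkt):
    if r["chain"] != pkt["chain"] or pkt["state"] not in r["states"]:
        return False
    for key in ("src", "dst", "sport", "dport"):
        want = r.get(key)
        if want is None:
            continue                      # option not given: matches anything
        if isinstance(want, range):
            if pkt[key] not in want:
                return False
        elif want != pkt[key]:
            return False
    return True

def verdict(rules, pkt, policy="DROP"):
    """First matching rule decides, as in a netfilter chain; else the chain policy."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy

POP_HOSTS = ("pop.mail.yahoo.co.uk", "pop.1and1.fr")

# Andrey's layout: generic conntrack rules first, then one NEW rule per service.
generic = [rule("INPUT", "ESTABLISHED,RELATED"), rule("OUTPUT", "ESTABLISHED,RELATED")]
generic += [rule("OUTPUT", "NEW", dst=h, dport=110, sport=UNPRIVPORTS) for h in POP_HOSTS]

# Franck's original layout: both directions named explicitly for each service.
explicit = [rule("OUTPUT", "NEW,ESTABLISHED,RELATED", dst=h, dport=110, sport=UNPRIVPORTS) for h in POP_HOSTS]
explicit += [rule("INPUT", "ESTABLISHED,RELATED", src=h, sport=110, dport=UNPRIVPORTS) for h in POP_HOSTS]

def mistaken_rule():
    """The hypothetical slip from the thread: a NEW rule accidentally opened for port 4895."""
    return rule("OUTPUT", "NEW", dst="pop.1and1.fr", dport=4895, sport=UNPRIVPORTS)

def reply_verdict(rules, host, port):
    """Outbound connection to host:port and the reply, labelled as conntrack would."""
    out = {"chain": "OUTPUT", "state": "NEW", "src": "me", "dst": host, "sport": 40000, "dport": port}
    back = {"chain": "INPUT", "state": "ESTABLISHED", "src": host, "dst": "me", "sport": port, "dport": 40000}
    if verdict(rules, out) != "ACCEPT":
        return "DROP"                     # never sent, so there is no reply to judge
    return verdict(rules, back)
```

With the generic layout the NEW rules are the only gate, so the mistaken rule yields a working connection on 4895; with the explicit layout the reply is still dropped by INPUT, because no rule accepts source port 4895.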
