Re: iptables rules : two in one
Andrey Kozlov wrote:
> Hello,
>
> by using connection tracking you can define common rules for ongoing
> traffic on top of your rule set:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> and then add specific rules for any required services, e.g.:
>
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
> -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
> -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>
So it means, I accept both 'established' and 'related' connections
from/to any ports. Then, I allow 'new' connections to port 110 (for
pop.1and1.fr and pop.mail.yahoo.co.uk).
In the end, 'established' or 'related' connections from/to port 4895,
for instance, will be accepted as well.
Unless I am wrong, it is not really interesting in the case I have got a
mistake in my firewall, and accept 'new' connections from/to port 4895.
I allow more than I should without any reason.
Is that right?
> --
> Regards,
> Kozlov Andrey.
>
>
>> I have got some iptables rules such as:
>>
>> Code:
>>
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.mail.yahoo.co.uk \
>> --dport 110 --sport $UNPRIVPORTS -m state --state \
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.1and1.fr --dport 110 \
>> --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.mail.yahoo.co.uk --sport \
>> 110 --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.1and1.fr --sport 110 \
>> --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> and I would like to put them on only two lines. I glanced at the man
>> page but I have not found anything of interest.
>>
>> Is that possible?
>>
>
>
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
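To make the difference between the two rule sets concrete, here is an added toy model of iptables stateful filtering (constructed for this page, not code posted by anyone in the thread). It implements a minimal conntrack table and first-match rule evaluation, then runs the four per-service rules from the question and the two-line ESTABLISHED,RELATED approach from the reply against constructed POP3 traffic. The class and function names (Firewall, Rule, Packet, pop3_session and so on) and the host "host.example" are assumptions made for the example; only TCP is modelled and RELATED is never produced, which is enough for plain POP3. What it shows: the catch-all ESTABLISHED,RELATED rule only matches flows that an earlier NEW rule already accepted, so by itself it does not open port 4895 to unsolicited traffic; but once a mistaken NEW rule for 4895 exists, the catch-all does let the reply traffic through, whereas the per-service INPUT rules still drop it.

```python
"""Toy model of iptables stateful filtering (constructed example, not
code from the thread): a minimal conntrack table plus first-match rule
evaluation, used to compare the four per-service rules from the question
with the two-line ESTABLISHED,RELATED approach from the reply. Only TCP
is modelled and RELATED is never produced, which is enough for POP3."""
from dataclasses import dataclass
from typing import Optional

UNPRIVPORTS = range(1024, 65536)   # what $UNPRIVPORTS stands for on the page

# Remote hosts from the thread, used purely as labels here.
YAHOO, ONEANDONE = "pop.mail.yahoo.co.uk", "pop.1and1.fr"


@dataclass(frozen=True)
class Packet:
    chain: str        # "OUTPUT" (we send) or "INPUT" (we receive)
    remote: str       # the other end: -d for OUTPUT, -s for INPUT
    rport: int        # remote port: --dport for OUTPUT, --sport for INPUT
    lport: int        # our port: --sport for OUTPUT, --dport for INPUT


@dataclass(frozen=True)
class Rule:
    chain: str
    states: frozenset              # what -m state --state would list
    remote: Optional[str] = None   # None means "any host"
    rport: Optional[int] = None    # None means "any remote port"
    lport_unpriv: bool = False     # --sport/--dport $UNPRIVPORTS
    target: str = "ACCEPT"


class Firewall:
    def __init__(self, rules, policy="DROP"):
        self.rules = list(rules)
        self.policy = policy
        self.conntrack = set()     # flows confirmed by an accepted NEW packet

    @staticmethod
    def flow(pkt):
        # Both directions of one TCP connection map to the same key.
        return (pkt.remote, pkt.rport, pkt.lport)

    def state_of(self, pkt):
        return "ESTABLISHED" if self.flow(pkt) in self.conntrack else "NEW"

    def verdict(self, pkt):
        state = self.state_of(pkt)
        result = self.policy
        for r in self.rules:                 # first matching rule wins
            if (r.chain == pkt.chain and state in r.states
                    and (r.remote is None or r.remote == pkt.remote)
                    and (r.rport is None or r.rport == pkt.rport)
                    and (not r.lport_unpriv or pkt.lport in UNPRIVPORTS)):
                result = r.target
                break
        if result == "ACCEPT" and state == "NEW":
            self.conntrack.add(self.flow(pkt))   # entry confirmed on accept
        return result


NEW_EST = frozenset({"NEW", "ESTABLISHED", "RELATED"})
EST = frozenset({"ESTABLISHED", "RELATED"})


def per_service_rules():
    """The four rules from the original question."""
    return [Rule("OUTPUT", NEW_EST, YAHOO, 110, True),
            Rule("OUTPUT", NEW_EST, ONEANDONE, 110, True),
            Rule("INPUT", EST, YAHOO, 110, True),
            Rule("INPUT", EST, ONEANDONE, 110, True)]


def generic_rules():
    """The reply's approach: catch-all ESTABLISHED,RELATED plus NEW per service."""
    return [Rule("INPUT", EST), Rule("OUTPUT", EST),
            Rule("OUTPUT", frozenset({"NEW"}), YAHOO, 110, True),
            Rule("OUTPUT", frozenset({"NEW"}), ONEANDONE, 110, True)]


def pop3_session(fw, host, lport=40000):
    """SYN out, SYN/ACK in, command out, response in: four verdicts."""
    out = Packet("OUTPUT", host, 110, lport)
    inn = Packet("INPUT", host, 110, lport)
    return [fw.verdict(p) for p in (out, inn, out, inn)]


def unsolicited_inbound(fw, host=YAHOO, lport=40000):
    """A packet claiming to be a POP3 reply for a flow we never opened."""
    return fw.verdict(Packet("INPUT", host, 110, lport))


def mistaken_rule_effect(rules):
    """Append a wrong NEW rule for port 4895 and see how far a flow gets."""
    fw = Firewall(rules + [Rule("OUTPUT", NEW_EST, None, 4895, True)])
    out = fw.verdict(Packet("OUTPUT", "host.example", 4895, 40001))
    back = fw.verdict(Packet("INPUT", "host.example", 4895, 40001))
    return out, back


if __name__ == "__main__":
    for name, rules in (("per-service", per_service_rules()),
                        ("generic", generic_rules())):
        print(name, "pop3:", pop3_session(Firewall(rules), ONEANDONE),
              "| unsolicited:", unsolicited_inbound(Firewall(rules)),
              "| mistaken 4895 rule:", mistaken_rule_effect(rules))
```

Running it prints identical verdicts for the legitimate POP3 session and for the unsolicited inbound packet under both rule sets; only the "mistaken rule" case differs, where the generic set returns ACCEPT for the reply packet and the per-service set returns DROP. The price of the shorter rule set is therefore that every NEW rule must be right, since the catch-all will faithfully carry whatever a NEW rule lets start.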