Re: iptables rules : two in one
Franck Joncourt a écrit :
Andrey Kozlov wrote:
with use connection tracking you can define common rules for ongoing
traffic on top of you rule set:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and then add specific rules for any required services, e.g.:
iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
-d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
-d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
So it means, I accept both 'established' and 'related' connections
from/to any ports.
Not only any ports but also any protocol, including DNS replies, ICMP
replies and error notifications... without the need to explicitly allow
each of them. That's why most stateful filtering setups use these kind
of rules. I use a slightly modified version of these rules myself (there
are some RELATED ICMP types I don't want to accept).
Then, I allow 'new' connections to port 110 (for
pop.1and1.fr and pop.mail.yahoo.co.uk).
Yes. So instead of setting up rules for original and return trafic, you
just need to set up one rule for the original traffic.
In the end, 'established' or 'related' connections from/to port 4895,
for instance, will be accept, as well.
Only after they have been first accepted as NEW.
Unless I am wrong, it is not really interesting in the case I have got a
mistake in my firewall, and accept 'new' connections from/to port 4895.
I allow more than I should without any reason.
Why would you have a mistake in your firewall and accept explicitly
traffic that you don't actually want to accept ?
Reply to: