[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secured server policies

On 2008-10-31 daniel wrote:
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

You need TCP for fully functional DNS as well.

You should also allow some ICMP types.

> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT

What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
Making rules too specific will adversely affect maintenance.

Ansgar Wiechers
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."

Reply to: