[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secured server policies

Ansgar Wiechers wrote:
> On 2008-10-31 daniel wrote:
>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
> You need TCP for fully functional DNS as well.
Why do I need TCP for fully functional DNS?
TCP must be used for zone transfers.
See --> http://www.freesoft.org/CIE/Topics/77.htm

In the rule iptables -A INPUT -p udp --sport 53 -m state --state
ESTABLISHED,RELATED -j ACCEPT, the module state is not necessary,
because it uses UDP, although it works.

So, the correct form is:
iptables -A INPUT -p udp -j ACCEPT
> You should also allow some ICMP types.
I think so. What ICMP types would you set?
> [...]
>> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
>> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
> What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
> Making rules too specific will adversely affect maintenance.

I agree with you. But I think if a process on that host (i.e. trojan
horse on the door 12345) tries to connect to an external host, it will
not work.
Is it correct?
> Regards
> Ansgar Wiechers
I'm not an expert. :)

I'm sorry, my English is not good...


Reply to: