Re: Iptables config
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Peter" == Peter Cordes <peter@llama.nslug.ns.ca> writes:
Peter> If you set INPUT policy to DROP, doesn't that drop everything,
Peter> not just incoming SYN packets? If you want to be able to
Peter> establish any connections from the machine to anywhere else,
Peter> e.g. for an apt-get update (downloading stuff with ftp or http),
Peter> you need to allow that with iptables. The rule you gave will let
Peter> the replies to your SYN be dropped. I'm just learning iptables,
Peter> and I haven't figured out the connection tracking stuff yet.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
should do the trick. If you use ftp, you should load the
ip_conntrack_ftp module, or use passive mode. (FTP needs some special
handling since it sends the data over a different port.) You may also
want to accept incoming icmp packets:
iptables -A INPUT -p icmp -j ACCEPT
- --
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8uQ7nZRhU33H9o38RAtfcAJ9Sh+qiUGv8aLjac2dbgRfrXjsudgCgzc6t
EmCaBsCXbtEz3/PNwoJQ6I0=
=HdB+
-----END PGP SIGNATURE-----
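The complete stateful INPUT policy that the exchange above is working towards, as an added example (not code from either poster): default DROP, the ESTABLISHED,RELATED rule so that replies to the host's own SYNs come back in, incoming ICMP, and the FTP conntrack helper. It runs as a dry run by default, expanding IPT and MODPROBE to "echo ...", so it only prints the commands; set IPT=iptables MODPROBE=modprobe and run as root to load them. The exposed port list, the modern module name nf_conntrack_ftp and the raw-table CT rule that binds the helper are assumptions added here, not part of the original mail.

```shell
#!/bin/sh
# Added example for the debian-security mail above; not code from the original
# message. Builds the INPUT chain Hubert describes: default DROP, accept replies
# to our own connections, accept ICMP, and load the FTP helper.
#
# Dry run by default: IPT and MODPROBE expand to "echo ..." so the script only
# prints the commands. Run as root with IPT=iptables MODPROBE=modprobe to load
# the rules for real (from a console the first time, in case you lock yourself
# out). The port list is an assumption for the example.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22}"   # hypothetical: services to expose

apply_input_policy() {
    # Policy first, then flush, so there is no window with an empty ACCEPT chain.
    $IPT -P INPUT DROP
    $IPT -F INPUT

    # Local daemons talk to each other over lo; never filter it.
    $IPT -A INPUT -i lo -j ACCEPT

    # Peter's concern: with policy DROP, the SYN/ACK answering our outbound SYN
    # is dropped. Connection tracking fixes this: ESTABLISHED matches packets of
    # a connection already accepted in either direction, RELATED matches traffic
    # spawned by it (ICMP errors, an FTP data connection). Modern iptables spells
    # this "-m conntrack --ctstate"; "-m state" is still accepted.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Incoming ICMP, as the mail suggests (ping and path MTU discovery need it).
    $IPT -A INPUT -p icmp -j ACCEPT

    # Only the first packet (NEW) of an inbound service connection needs its own
    # rule; the rest of that connection is covered by ESTABLISHED above.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what is about to hit the DROP policy, rate limited so a flood cannot
    # fill the log. Must come after the ACCEPT rules or it logs legitimate traffic.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

enable_ftp_helper() {
    # Active FTP has the server open the data connection back to the client,
    # which a plain ESTABLISHED rule never matches. The conntrack helper reads
    # the control channel (port 21) and marks that connection RELATED. Passive
    # mode avoids the problem: the client opens both connections itself, so the
    # replies are simply ESTABLISHED.
    # nf_conntrack_ftp is the current module name; ip_conntrack_ftp is the
    # 2.4-kernel name used in the mail.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    # Current kernels no longer attach helpers automatically; bind it to
    # outbound FTP control connections explicitly (assumption: client-side use).
    $IPT -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
}

apply_input_policy
enable_ftp_helper
```

Run it once without arguments to review the generated rule list, then with the real binaries. The order of the two ACCEPT rules and the LOG rule is what matters: anything placed after the LOG rule is only reached by packets that were going to be dropped anyway.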