[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IPTables configuration.

I see why I should set the "--state NEW" flag on port 80. Would I be sure
that it wouldn't hamper the webserver though? And if I'd like to block an IP
out of the system, how would that be done the easiest way? Put a rule in

//Tore Nilsson

----- Original Message -----
From: "DEFFONTAINES Vincent" <Vincent.DEFFONTAINES@coe.int>
To: <debian-security@lists.debian.org>
Sent: Wednesday, December 04, 2002 3:45 PM
Subject: RE: IPTables configuration.

> The call of PAROLE for TCP DST 80 paquets isnt restrictive enough.
> I would call that rule only this way :
> replace
>  384 19428 PAROLE     tcp  --  *      *
> tcp dpt:80
> with a rule like :
> /sbin/iptables -p tcp --dport 80 -m state --state NEW -j PAROLE
> in the PUB_IN chain
> So that (nearly) only SYN packets go through that rule, not forget TCP
> session packets.
> Your firewall allows all OUT, that is not a bad policy if you trust all
> users and applications you run.
> I would agree with that policy for a personnal firewall as this seems to
> I don't really like the general looking of the rest (some useless chains,
> some useless calls).
> The FORWARD chain could be empty, since the ESTABLISHED, RELATED chain in
> will never match any packet.
> Maybe you want to LOG some packets in that rule, that is another option.
> Chains INT_IN and INT_OUT are never used, delete them.
> Call to chain PUB_OUT is useless, and could be forgotten, as well as that
> chain.
> This seems to be a very "tiny" (personnal) firewall.
> Probably most important in all I said : set the NEW state in incoming TCP
> packets.
> The rest is just to make your rules cleaner, it doesn't modify the way the
> firewall works.

Reply to: