
Re: Scanning with reverse connections?



On Sun, 08 Jun 2003 at 05:11:43PM -0500, Jones wrote:
> can this weakness be fixed by having these lines in the iptables rules?
> 
> ----
> EXTERNAL_IF="eth0"
> 
> # Log and drop incoming TCP connection establishment packets.
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j LOG --log-prefix "TCP-SYN: "
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j DROP
> 
> # Allow packets from already established connections (redundant?)
> iptables -A INPUT -i $EXTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

Assuming your default policy is drop or the last rule in your chain is a
log/drop, then yes, the second rule would be redundant.  Stick with rule
3 and ESTABLISHED/RELATED.  Of course, no TCP-based services on this
machine will work...

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #116: New guy cross-connected phone lines with ac power bus. 
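Added example, not part of either mail in this thread: the stateful INPUT policy the reply implies, written as a loadable script so the rule ordering is explicit. The ESTABLISHED,RELATED accept is placed before the SYN log/drop so replies to this host's own outbound connections are never logged or dropped, the default policy is DROP so the final drop rule is not needed for correctness, and the caveat about TCP services is handled by opening listed ports explicitly. `eth0` comes from the quoted rules; SSH on tcp/22 as the only open service and the rate limit on the LOG rule are assumptions. With no argument the script only prints the iptables commands it would run; `sh firewall.sh apply` as root loads them.

```shell
#!/bin/sh
# Constructed example of a default-deny, state-tracking INPUT chain.
# Assumptions: external interface eth0 (from the thread), SSH on 22 is
# the only service that should accept new inbound TCP connections.

EXTERNAL_IF="${EXTERNAL_IF:-eth0}"            # from the quoted rules
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22}"   # assumed: SSH only
IPT="${IPT:-echo iptables}"                   # dry run by default

input_policy() {
    # Default policy: anything not explicitly accepted is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT

    # Loopback must stay open or local services break.
    $IPT -A INPUT -i lo -j ACCEPT

    # Return traffic for connections this host initiated (and related
    # traffic such as ICMP errors) is accepted BEFORE any SYN filtering,
    # so it can never be caught by the log/drop rules below.
    $IPT -A INPUT -i "$EXTERNAL_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services that may accept new inbound connections, one port each.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -i "$EXTERNAL_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done

    # Every other attempt to open a TCP connection is logged, then dropped.
    # The limit keeps a port scan from filling the log.
    $IPT -A INPUT -i "$EXTERNAL_IF" -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "TCP-SYN: "
    $IPT -A INPUT -i "$EXTERNAL_IF" -p tcp --syn -j DROP
    # Anything unmatched falls through to the DROP policy.
}

# Number of rules appended to INPUT (excludes policy and flush lines).
rule_count() {
    input_policy | grep -c -- '-A INPUT'
}

# Sanity check on ordering: the ESTABLISHED,RELATED accept must precede
# the SYN drop, otherwise return traffic for outbound connections is lost.
# Exit status 0 when the ordering is correct.
established_before_syn_drop() {
    input_policy | awk '
        /ESTABLISHED,RELATED/ && !e { e = NR }
        /--syn -j DROP/      && !d { d = NR }
        END { exit !(e && d && e < d) }'
}

case "${1:-}" in
    apply) IPT=iptables; input_policy ;;
    *)     input_policy ;;
esac
```

To open a second service, set `ALLOWED_TCP_PORTS="22 80"` in the environment before running; every port not listed still hits the log/drop pair, which is what makes a reverse-connection scan show up as `TCP-SYN:` entries in the log instead of succeeding.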
