Re: Scanning with reverse connections?
On Sun, 08 Jun 2003 at 05:11:43PM -0500, Jones wrote:
> can this weakness be fixed by having these lines in the iptables rules?
>
> ----
> EXTERNAL_IF="eth0"
>
> # Log and drop incoming TCP connection establishment packets.
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j LOG --log-prefix "TCP-SYN: "
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --syn -j DROP
>
> # Allow packets from already established connections (redundant?)
> iptables -A INPUT -i $EXTERNAL_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
Assuming your default policy is drop, or the last rule in your chain is a
log/drop, then yes, the second rule would be redundant. Stick with rule
3 and ESTABLISHED/RELATED. Of course, no TCP based services on this
machine will work...
--
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #116: New guy cross-connected phone lines with ac power bus.
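The redundancy point made in the reply, as an added example that is not part of the original thread: a small Python model of the INPUT chain (constructed here, it never calls iptables) walks the quoted rules against sample packets and shows that the explicit --syn DROP changes no verdict when the chain policy is DROP, but does matter when the policy is ACCEPT. Packet fields and conntrack states are simplified assumptions of this model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    syn_only: bool   # True for a connection-establishment segment (--syn)
    state: str       # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass(frozen=True)
class Rule:
    target: str                            # "LOG", "DROP" or "ACCEPT"
    proto: Optional[str] = None            # -p tcp
    syn: bool = False                      # --syn
    states: FrozenSet[str] = frozenset()   # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.syn and not (pkt.proto == "tcp" and pkt.syn_only):
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True

def run_chain(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, bool]:
    """Walk the chain like netfilter: LOG is non-terminating, the first
    terminating target wins, and the chain policy applies if nothing matched.
    Returns (verdict, was_logged)."""
    logged = False
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged

# The three quoted rules, in order.
LOG_SYN = Rule("LOG", proto="tcp", syn=True)
DROP_SYN = Rule("DROP", proto="tcp", syn=True)
ACCEPT_EST = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))

# Constructed sample traffic: an inbound SYN to a local service, a reply
# segment of a connection this host opened, and an unsolicited UDP datagram.
SAMPLE = [Packet("tcp", True, "NEW"), Packet("tcp", False, "ESTABLISHED"),
          Packet("udp", False, "NEW")]

def verdicts(rules: List[Rule], policy: str) -> List[Tuple[str, bool]]:
    return [run_chain(rules, policy, p) for p in SAMPLE]

def explicit_drop_is_redundant(policy: str) -> bool:
    """True if dropping rule 2 leaves every sample verdict unchanged."""
    with_drop = verdicts([LOG_SYN, DROP_SYN, ACCEPT_EST], policy)
    without_drop = verdicts([LOG_SYN, ACCEPT_EST], policy)
    return with_drop == without_drop
```

With policy DROP the inbound SYN is logged and dropped either way, which is also why no TCP service on the host is reachable; only with a permissive policy does rule 2 do any work.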