Dan Widyono on 23 Aug 2007 05:14:18 -0000



Re: [PLUG] blocking ports using iptables


On Thu, Aug 23, 2007 at 12:52:29AM -0400, Sonny To wrote:
> iptables -A  INPUT -j ACCEPT -p tcp --destination-port 22 -i ppp0
> iptables -A  INPUT -j ACCEPT -p tcp --destination-port 80 -i ppp0
> iptables -A INPUT -j DROP -p tcp -i ppp0

> this rule is saying, drop everything coming in from ppp0 except on
> port 22 & 80. computers on the LAN can connect out but the firewall
> cannot connect out.

When you SSH outbound, you're coming from a random high port, let's say 32768
for this explanation.  When the sshd on the outside responds, it's replying
to port 32768.  You have to allow for that as well coming in, using
--source-port 22 and state ESTABLISHED,RELATED.  It's easier but broader (and
therefore perhaps less secure) to have one rule to just allow all incoming
ESTABLISHED,RELATED packets.  Saves typing.

Dan W.
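As an added illustration, not part of Dan's message or the original thread: a small Python model of first-match INPUT chain evaluation. The `Rule`, `Packet` and `verdict` names and the three sample packets are constructed assumptions; the chains encode the rules Sonny quoted and the two fixes Dan describes, so you can see the sshd reply to port 32768 dropped by the original chain and accepted by both fixes.

```python
# Added example (not from the thread): toy first-match model of an iptables
# INPUT chain, enough to show why replies to outbound SSH get dropped.
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int
    dport: int
    state: str  # conntrack's view: NEW, ESTABLISHED or RELATED

@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DROP
    iface: Optional[str] = None  # -i
    proto: Optional[str] = None  # -p
    sport: Optional[int] = None  # --source-port
    dport: Optional[int] = None  # --destination-port
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, p: Packet) -> bool:
        fields = ((self.iface, p.iface), (self.proto, p.proto),
                  (self.sport, p.sport), (self.dport, p.dport))
        # An unset field matches anything, like an omitted iptables option.
        return all(c is None or c == v for c, v in fields) and (
            self.states is None or p.state in self.states)

def verdict(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

EST = frozenset({"ESTABLISHED", "RELATED"})
# Sonny's chain as quoted: inbound 22/80 allowed, all other tcp on ppp0 dropped.
ORIGINAL = [Rule("ACCEPT", "ppp0", "tcp", dport=22),
            Rule("ACCEPT", "ppp0", "tcp", dport=80),
            Rule("DROP", "ppp0", "tcp")]
# Narrow fix: replies from source port 22 that conntrack already knows about.
NARROW = [Rule("ACCEPT", "ppp0", "tcp", sport=22, states=EST)] + ORIGINAL
# Broad fix: one rule accepting every ESTABLISHED,RELATED packet.
BROAD = [Rule("ACCEPT", states=EST)] + ORIGINAL

# Constructed packets: sshd's reply to our outbound SSH from port 32768,
# a web server's reply to an outbound HTTPS fetch, and an unsolicited SYN.
SSH_REPLY = Packet("ppp0", "tcp", sport=22, dport=32768, state="ESTABLISHED")
HTTPS_REPLY = Packet("ppp0", "tcp", sport=443, dport=40000, state="ESTABLISHED")
PROBE = Packet("ppp0", "tcp", sport=4444, dport=32768, state="NEW")
```

The narrow chain only rescues SSH; the broad chain also lets the firewall's own HTTPS replies through, while the unsolicited NEW probe is still dropped by both.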
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug