On Monday 09 June 2003 21:31, Ruprecht Helms wrote:
> Hi,
> I need some help to fix some misconfiguration in the following iptables script.
> ...
> #INPUT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
This IMHO allows all connections to your box (except icmp, which is dropped above).
> iptables -A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP
>
> #OUTPUT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

This IMHO allows all connections from your box (except icmp, which is dropped above).

> iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --sport 80 -j DROP
> iptables -A OUTPUT -o etho -p tcp -m multiport ! --dport 53 -j DROP
> iptables -A OUTPUT -j DROP
> ...
> The problem is that users in the internal LAN segment can connect to the host. This should not be possible. Also, connections to the outside should not be possible except for http and the DNS client part.

Please see my comments above.
Andreas Baetz
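A minimal replacement ruleset, added here as an example and not part of either poster's message, that applies the point made above: the interface-wide `--state NEW,ESTABLISHED -j ACCEPT` rules on eth0 match every new connection before the port-80 rules are ever reached, so they are removed and the chains default to DROP instead. It assumes eth0 is the only network interface, the web server listens on TCP 80, and an internal segment address `LAN_NET` (a placeholder, not from the thread) that should be kept off the host entirely. It also allows DNS over UDP as well as TCP, which the posted script did not; the ICMP rule the reply mentions is not shown. The `check_no_catchall_new` function is a small lint that flags the catch-all pattern in the rules as posted.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions (not from the thread): eth0 is the only interface, the web
# server is on TCP 80, and LAN_NET is the internal segment to keep out.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # placeholder value; adjust

# Replacement INPUT/OUTPUT policy in iptables-restore format.
corrected_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies for connections already in the state table
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (assumed requirement) the internal segment may not reach this host at all
-A INPUT -i eth0 -s $LAN_NET -j DROP
# the only NEW connection accepted from eth0: the web server
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# the only NEW connections the host may open: http and DNS lookups
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The INPUT rules exactly as posted in the thread, for comparison.
posted_input_rules() {
cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
-A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP
EOF
}

# Lint: a rule on eth0 that ACCEPTs NEW state without a --dport is a
# catch-all; because iptables stops at the first matching rule, every
# port-specific rule after it is dead. Returns 0 if none found, 1 otherwise.
check_no_catchall_new() {
  if printf '%s\n' "$1" \
      | grep -E -- 'eth0 .*--state [A-Z,]*NEW[A-Z,]* -j ACCEPT' \
      | grep -v -- '--dport' \
      | grep -q .; then
    return 1
  fi
  return 0
}

# Print the replacement ruleset; apply with: corrected_rules | iptables-restore
corrected_rules
```

Review the printed ruleset before loading it, since a default-DROP OUTPUT chain will also cut off anything the host needs that is not listed (NTP, package updates, mail). Running the lint over the posted INPUT rules reports the third rule as the catch-all; over the replacement it reports nothing.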