Re: [suse-security] Fwd: need some tipps for iptable-konfiguration

From: Andreas Baetz (lac01web.de)
Date: Tue Jun 10 2003 - 02:38:30 CDT


On Monday 09 June 2003 21:31, Ruprecht Helms wrote:
> Hi,
>
> I need some help to fix some misconfiguration in the following
> iptables script.
>
...
>
> #INPUT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
This IMHO allows all connections to your box (except icmp, which is dropped above).

> iptables -A INPUT -i eth0 -p tcp -m multiport --dport 80 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A INPUT -i eth0 -p tcp -m multiport ! --sport 80 -j DROP
>
>
> #OUTPUT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
This IMHO allows all connections from your box (except icmp, which is dropped above).

> iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --dport 80 -j DROP
> iptables -A OUTPUT -o eth0 -p tcp -m multiport ! --sport 80 -j DROP
> iptables -A OUTPUT -o etho -p tcp -m multiport ! --dport 53 -j DROP
> iptables -A OUTPUT -j DROP
>
..
> The problem is that users in the internal LAN segment can connect to the
> host. This should not be possible. It should also not be possible to
> connect to the outside, except for HTTP and the DNS client part.
Please see my comments above.

Andreas Baetz
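The rule Andreas points at is the root of the problem: iptables evaluates a chain top to bottom and the first matching rule with a terminating target decides, so `-i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT` accepts every new connection on eth0 before any of the port-specific DROP rules below it can run. The same catch-all sits in OUTPUT, so the `! --dport 80` and `! --dport 53` DROPs there are dead code as well. The ruleset below is an added example, not code from either poster, showing the shape that does what the question asks for: default policy DROP on every chain, loopback and ESTABLISHED,RELATED accepted, and then only the specific NEW connections that are wanted. It assumes eth0 is the host's only non-loopback interface (the LAN segment is reached through it), that the only inbound service is the tcp/80 listener the quoted script already accepts, and that DNS is wanted over both UDP and TCP. The `IPT` variable is a convention used here so the rules can be printed (`IPT=echo`) instead of loaded; `-m state` is kept to match the quoted script, on current kernels `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example: a fail-closed replacement for the quoted ruleset.
# Assumptions (not from the original thread): eth0 is the only non-loopback
# interface; the host runs a web server on tcp/80; DNS is needed on udp+tcp/53.
# IPT is a local convention: set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

build_rules() {
    # Flush and set every built-in chain to DROP, so anything not explicitly
    # accepted below is dropped. No rule later in the chain can "unaccept"
    # a packet, which is why the original broad ACCEPT made its DROPs dead.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is unrestricted in both directions.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections that were already allowed (and
    # related ones such as ICMP errors) are accepted without re-checking ports.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only NEW connections to the web server. This is the one service
    # the quoted script accepts; delete this line if the host serves nothing,
    # and LAN users will then be unable to open any connection to the host.
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Outbound: only NEW HTTP connections and DNS client lookups.
    # There is deliberately no "-o eth0 --state NEW -j ACCEPT" catch-all.
    $IPT -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Rate-limited logging of whatever falls through to the DROP policy, so a
    # blocked-but-wanted connection shows up in the kernel log instead of
    # silently timing out.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Usage:  sh firewall.sh apply            (loads the rules; needs root)
#         IPT=echo sh firewall.sh apply   (prints the rules for review)
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Review the printed output before loading it on a remote box: with policy DROP and no SSH rule, the first `-P INPUT DROP` locks out the session, so either add an accept for the management port or run the script from the console.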
