Here's a scenario: I have opened outgoing webserver requests and their responses thus (output from iptables -v -L):

    INPUT  0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:http dpts:1024:65535
    OUTPUT 0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp spts:1024:65535 dpt:http

Now, it occurs to me that I have opened access to ports 1024 to 65535, as long as the source port is port 80, correct? Whereas I only want it open for connections originating on the local machine.

I presume the answer here is conntrack. Could someone help me with the command for the INPUT chain? Should it be --state RELATED or ESTABLISHED or both, or something like ! NEW (if that can be done)?

As a hypothetical example of the problem: let's say I run an admin-type webserver for some app, listening on a port above 1024, for example. If someone hacked a web client to use port 80 as the source port for its connections (dunno, would you have to hack the kernel too, or just be root?), then they could bypass the firewall part of the security, right? Or with ssh, surely it would be easy enough to hack an ssh client to use port 80 as its source port. OK, so you probably shouldn't run an ssh listener on a port above 1024, but nevertheless, it's a good hole to close.

Thanks!
Keith.
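The difference between the stateless rule in the post and a conntrack-based replacement, as an added model that is not part of the original post: it stands in for the kernel's connection table with a tiny Python class and checks an incoming reply to a locally opened connection against an unsolicited SYN arriving with source port 80. The addresses and port numbers are constructed, and the corrected iptables rule quoted in the docstring is an assumption of the example (ESTABLISHED covers TCP replies; RELATED additionally admits ICMP errors tied to a tracked connection).

```python
"""Constructed model of two INPUT policies, not real netfilter code.

Stateless rule from the post (source port alone decides):
    iptables -A INPUT -i eth0 -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
Assumed conntrack-based replacement (state of the connection decides):
    iptables -A INPUT -i eth0 -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a bare SYN, i.e. an attempt to open a connection


LOCAL = "10.0.0.5"  # constructed address of the firewalled host


class ConnTracker:
    """Minimal stand-in for the conntrack table: remembers connections
    the local host itself opened through the OUTPUT chain."""

    def __init__(self):
        self.table = set()

    def output(self, pkt):  # called for packets leaving via OUTPUT
        if pkt.src == LOCAL and pkt.syn:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):  # ctstate of an incoming packet
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.table else "NEW"


def stateless_accept(pkt):
    """--sport 80 --dport 1024:65535, no state check."""
    return pkt.sport == 80 and 1024 <= pkt.dport <= 65535


def conntrack_accept(pkt, tracker):
    """--sport 80 -m conntrack --ctstate ESTABLISHED,RELATED."""
    return pkt.sport == 80 and tracker.state(pkt) in ("ESTABLISHED", "RELATED")


def demo():
    t = ConnTracker()
    # the host opens a connection to a web server; the reply is ESTABLISHED
    t.output(Packet(LOCAL, 40000, "93.184.216.34", 80, syn=True))
    reply = Packet("93.184.216.34", 80, LOCAL, 40000, syn=False)
    # an unsolicited SYN from source port 80 aimed at a high admin port
    probe = Packet("198.51.100.7", 80, LOCAL, 8080, syn=True)
    return (stateless_accept(reply), conntrack_accept(reply, t),
            stateless_accept(probe), conntrack_accept(probe, t))
```

demo() returns (True, True, True, False): both rules admit the genuine reply, but only the stateless rule also admits the unsolicited packet, which is exactly the hole the post describes.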