Hello NetFilter,
I am working with a stateless firewall to help keep up with DoS and a
state flood. I have a few doubts about my setup:
a.) When allowing web traffic, is it necessary to allow port range
1000:65535? I saw that, due to this rule, sending packets to those ports
directly responds with a REJECT instead of a DROP, which is preferred. Any
workaround and still have a stateless setup?
b.) What is needed to safely have a default OUTPUT DROP? Apparently, as
soon as I change it to that, I am unable to access it via ssh, even if I
add a rule like this: /sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
Thanks for your help.
Alex
#!/bin/bash
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#ICMP IN
/sbin/iptables -A INPUT -p icmp -s 178.174.50.29/24 -j ACCEPT
#ICMP IN (TRACEROUTE)
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#ICMP OUT
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
#DNS RESOLVERS
/sbin/iptables -A INPUT -s 63.15.64.91 -j ACCEPT
/sbin/iptables -A INPUT -s 63.15.64.92 -j ACCEPT
#SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#WEB
/sbin/iptables -A INPUT -p tcp --dport 1000:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html