[PLUG] iptables firewalling...

Carlos Konstanski ckonstanski at pippiandcarlos.com
Tue Sep 5 17:22:52 UTC 2006


Lots.  XDMCP, vnc, cvspserver, etc.  Look in /etc/services for an
incomplete list.

Of course, you would drop packets for all ports first, and then accept
specific ports afterward.  Therefore, you would only be concerned with
those ports on which you had services running.

Then there's the distinction between LAN firewall (FORWARD chain) and
WAN firewall.  You would allow tcp port 3128 (squid) on your LAN, but
not to the WAN.  Same with database socket ports.

Carlos Konstanski

On Sat, 2 Sep 2006, plug_0 at robinson-west.com wrote:

> Date: Sat,  2 Sep 2006 17:21:22 -0700
> From: plug_0 at robinson-west.com
> Reply-To: "General Linux/UNIX discussion and help; civil and on-topic"
>     <plug at lists.pdxlinux.org>
> To: plug at lists.pdxlinux.org
> Subject: [PLUG] iptables firewalling...
> 
> Is there any standard service that an Internet client should be able to
> access between tcp/udp ports 1024 and 65535 on my server?  I'm thinking
> no, so I have this rule in my firewall:
>
> iptables -A PREROUTING -t mangle -p tcp -i $global_interface \
>         -d $out_address --dport 1024:65535 --syn -j DROP
>
> I am not running a proxy server, web server, or ftp server on
> this Internet connected machine.  This machine does run X, so I
> don't want that to become a security problem.  NFS and RPC in
> general bind to non root ports, but those aren't supposed to
> be available from my server to anyone on the Net.  My rule
> doesn't cover udp, but udp apparently doesn't have a
> connection flag so I don't know what to do there.
>
> Another curiosity, why might someone or a bot for that matter
> want to connect to a very low numbered tcp/udp port such as 2
> or even port 0?
>
> Michael Robinson
>

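The default-deny layout Carlos describes (drop everything first, then accept only the ports a service actually listens on, and keep LAN-only services such as squid on 3128 off the WAN side), written out as an added example; this is not code from either poster. It assumes eth0 as the WAN interface, eth1 as the LAN interface, 192.168.1.0/24 as the LAN network, ssh as the only WAN-reachable service, and PostgreSQL on 5432 standing in for the "database socket ports"; all of these are hypothetical choices. By default the script prints the iptables commands instead of running them; set IPT=iptables and run it as root to apply the rules.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions (hypothetical): eth0 = WAN, eth1 = LAN, 192.168.1.0/24 = LAN net,
# ssh is the only service exposed to the WAN, squid (3128) and PostgreSQL
# (5432) are LAN-only. Dry run by default; IPT=iptables applies for real.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Every rule passes through $IPT so the whole set can be dry-run.
rule() { $IPT "$@"; }

build_ruleset() {
    # 1. Default deny on INPUT and FORWARD, then start from an empty table.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F
    rule -t nat -F

    # Loopback is always allowed.
    rule -A INPUT -i lo -j ACCEPT

    # Replies to connections this host or the LAN started. Conntrack tracks
    # UDP and ICMP as well as TCP, so no SYN-style flag is needed for UDP.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. WAN firewall: the only new connection accepted from the WAN is ssh.
    rule -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 3. LAN-only services: squid and the database port are accepted only on
    #    the LAN interface and only from LAN addresses. There is no matching
    #    WAN rule, so the INPUT policy drops those ports from the Internet.
    for p in 3128 5432; do
        rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
             -m state --state NEW -j ACCEPT
    done

    # 4. LAN firewall (FORWARD chain): LAN hosts may open connections out to
    #    the WAN; nothing from the WAN may open a connection into the LAN.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
         -m state --state NEW -j ACCEPT

    # NAT so LAN clients can reach the Internet through this box.
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_ruleset
```

With a DROP policy on INPUT there is nothing special to do about the 1024-65535 range: a port is reachable from the WAN only if a rule names it, so X, NFS and portmapper ports are closed without a separate mangle-table drop. The ESTABLISHED,RELATED rule is what lets UDP replies (DNS answers, for instance) back in even though UDP carries no connection flag.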