Iptables : --dport vs. --sport
If I just want to allow incoming traffic on port 4569 and also outgoing traffic on port 4569, on my interface eth1, is this rule then well written:
Code:
-A INPUT ! -i eth1 -j ACCEPT
I think I still need to define a destination port for incoming traffic on port 4569, but how do I do that? Do I define an extra rule (--dport) or can I do it in the existing one?
If "yes", then you just need to allow stateful traffic. Basic ruleset script example:
Code:
#!/bin/bash
There is UDP traffic on port 4569 (IAX).
Indeed, if a remote client sends an invite on this port, I want the UDP traffic on this port to continue... It's very simple: a connection on port 4569 from the internet is allowed.
The same solution applies. As you probably know, UDP isn't really "stateful", but the bolded rule I noted above will track the connection anyway.
Do I need the part "-m state --state NEW"?
Someone called me with his IAX softphone (and thus on port 4569 of my Asterisk server) and everything went well. So for the moment, with my rule (as posted above), I have no problems at all...
Without requiring that only new packets match, there is a risk of someone sending weird packets to match it -- i.e. with weird bits set that don't really make sense -- to try to run an exploit.
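The stateful ruleset sketched in the "Basic ruleset script example" reply, the UDP conntrack point in the "same solution applies" reply, and the "only new packets" point in the last reply can all be shown in one script. The following is an added example, not the script from the original post (which is cut off after the shebang). It assumes the interface is eth1, the service is IAX on UDP 4569, and that `iptables` with the `conntrack` match is available; the IFACE, PORT and IPT variables and the `iax_rules`/`apply_rules` function names are this example's own. Note that the rule posted in the question, `-A INPUT ! -i eth1 -j ACCEPT`, accepts everything arriving on any interface other than eth1 and says nothing about port 4569; the port must be matched with `--dport` on the INPUT rule, since the remote side's source port is chosen by the remote side (an attacker can set it to anything), so `--sport 4569` is not a useful filter for inbound traffic.

```shell
#!/bin/bash
# Added example: a minimal stateful INPUT ruleset for an Asterisk/IAX host.
# Not the script from the original post; IFACE, PORT and IPT are assumptions.
IFACE="${IFACE:-eth1}"   # interface facing the internet
PORT="${PORT:-4569}"     # IAX2 listens on UDP 4569
IPT="${IPT:-iptables}"   # iptables binary (e.g. IPT="sudo iptables")

# Emit the rules, one per line, in iptables argument form.
# Order matters: conntrack-invalid packets are dropped first, then
# replies/follow-ups of known flows are accepted, and only the first
# packet of a new UDP flow to the IAX port has to pass the explicit rule.
iax_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Feed each emitted line to iptables. INPUT is flushed first so the
# script can be re-run without duplicating rules.
apply_rules() {
    $IPT -F INPUT
    iax_rules | while read -r rule; do
        # splitting $rule into separate arguments is intended here
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Default is a dry run that only prints the rules; pass --apply (as root) to load them.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    iax_rules
fi
```

No separate rule is needed for the outgoing half of the call: conntrack records the UDP 4-tuple when the first packet arrives, the server's replies leave through OUTPUT (policy ACCEPT), and any further packets from the remote phone match ESTABLISHED. `-m conntrack --ctstate` is the current spelling of the older `-m state --state` the question asks about; both forms still work. Restricting the explicit accept to `NEW` together with the `INVALID` drop means packets that conntrack cannot classify as the start or continuation of a flow never reach the port-specific rule, which is the concern raised in the last reply.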