Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Applied the same idea to http/https/ftp. That fixed that. Any other common protocols I should add?
Are you referring to the ESTABLISHED rule? If so, I'd recommend you just add a rule like this:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
to the top of your INPUT chain, and you won't have to worry about making RELATED,ESTABLISHED rules for particular services (they would only need rules for packets of state NEW). For example:
Code:
# Catch-all for reply/continuation traffic of connections already tracked
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
# Per-service rules only need to admit the first (NEW) packet
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
# Etc, etc, etc...
Thankfully, there is no need to open a port range for this (unlike back in the ipchains days), as it would be a security weakness. You only need port 21 to send packets of state NEW to ACCEPT; the rest is handled by the RELATED,ESTABLISHED rule at the top of the chain. FTP connection tracking will allow netfilter to inspect the TCP packets and detect which random port is being used for the passive FTP connection, hence there is no need for netfilter to have prior knowledge or opened port ranges. If your kernel doesn't have FTP conntrack support built in, then load the module/helper on your own:
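The layout the reply above describes, written out as an added example rather than code from the original thread: a complete stateful INPUT policy in iptables-restore format, with the catch-all RELATED,ESTABLISHED rule first, one NEW-state rule per service, and the FTP helper loaded. It uses the current `-m conntrack --ctstate` spelling of the `-m state --state` match shown in the post, the modern module name nf_conntrack_ftp, and the service ports 22/80/443/21; those choices, the function names and the sample policy are assumptions, not anything from the thread. It also goes one step beyond the post: since Linux 4.7 conntrack helpers are no longer assigned automatically by destination port, so the script binds the ftp helper explicitly with a CT rule in the raw table; without that line, passive-mode data connections would not be marked RELATED on a current kernel.

```shell
#!/bin/sh
# Added example (not from the original post): build a stateful INPUT
# ruleset in iptables-restore format and check its ordering before
# applying it. Assumed: ports 22/80/443/21 are the services to expose,
# the FTP helper is the module nf_conntrack_ftp, and "apply" runs as root.

# Emit the ruleset. Quoted heredoc: nothing inside is expanded by the shell.
gen_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels >= 4.7 do not auto-assign helpers by port; bind ftp explicitly
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Must be first: admits replies and helper-detected (RELATED) data connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot place in any flow are dropped rather than examined further
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Only the first packet of each connection needs a per-service rule
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# FTP control channel; the passive data port is covered by RELATED above
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: the first INPUT rule must be the RELATED,ESTABLISHED catch-all,
# otherwise every service would need its own reply rule again.
first_input_rule() {
    gen_rules | grep '^-A INPUT' | head -n 1
}

# Number of NEW-state openings; should equal the number of exposed services.
new_rule_count() {
    gen_rules | grep -c -- '--ctstate NEW'
}

# Returns 0 if the ftp helper is bound in the raw table, 1 otherwise.
ftp_helper_bound() {
    gen_rules | grep -q -- '-j CT --helper ftp'
}

# Load the helper module and install the ruleset atomically (needs root).
apply_rules() {
    modprobe nf_conntrack_ftp
    gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to print the ruleset for review, and with `apply` as root to load nf_conntrack_ftp and install it in one shot via iptables-restore. Keeping the ruleset in restore format rather than a series of `iptables -A` calls means the whole table is replaced atomically, so there is no window where the chain policy is DROP but the catch-all rule has not yet been added.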