Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-31-2006, 06:13 AM | #16
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Could you post the output of iptables -vnL?
01-31-2006, 07:53 PM | #17
Member | Registered: Sep 2005 | Distribution: Debian | Posts: 304 | Original Poster
Here it is...
Code:
Chain INPUT (policy ACCEPT 5414 packets, 494K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121
781 46980 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:65500
Chain FORWARD (policy ACCEPT 10066 packets, 7581K bytes)
pkts bytes target prot opt in out source destination
37 2220 TCPMSS tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1400:1536 TCPMSS clamp to PMTU
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
5 200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
Chain OUTPUT (policy ACCEPT 7284 packets, 9155K bytes)
pkts bytes target prot opt in out source destination
01-31-2006, 09:03 PM | #18
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
I'd recommend adding a rule to allow traffic that is in the ESTABLISHED or RELATED states. When you are using your web browser like lynx, the outgoing traffic will use destination port 80 and a semi-random source port >1023. Therefore the reply packets from the webserver will be returned on the same random destination port >1023 with source port 80 (so just the reverse of the outgoing packets). This also explains why opening ports 1024-65500 helps the problem.
The easiest and most secure way of solving this problem is to use iptables' state tracking mechanism to accept these reply packets. Something like this should work:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Note that this will only accept incoming traffic that is in reply to connections that *you* initiate.
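The stateful rule from post #18 in context, as an added example that is not part of the thread: a small shell script that writes the poster's INPUT chain in iptables-restore format with the ESTABLISHED,RELATED rule at the top, and checks the rule order before anything is loaded. The interface ppp0 and the ports 81 and 2121 come from the posted iptables -vnL output; the file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's INPUT chain with the
# ESTABLISHED,RELATED rule placed first, in iptables-restore format.
# ppp0, port 81 and port 2121 are taken from the posted ruleset.
# Nothing here touches the live firewall; it only produces a ruleset on stdout.

# Emit the corrected filter table. The state rule comes FIRST so that reply
# packets to connections this host opened are accepted before the catch-all
# DROP on ppp0 is consulted. The posted "iptables -I INPUT ..." achieves the
# same ordering on a live table: -I inserts at position 1, whereas -A would
# append the rule after the DROP, where it could never match.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ppp0 -p tcp --dport 81 -j ACCEPT
-A INPUT -p tcp --dport 2121 -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 0:65500 -j DROP
COMMIT
EOF
}

# Print the 1-based position of the first INPUT rule whose text matches $1,
# so ordering can be verified before the ruleset is loaded.
rule_position() {
    build_ruleset | grep '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Succeeds only if the state rule precedes the catch-all DROP.
check_order() {
    state_pos=$(rule_position 'ESTABLISHED,RELATED')
    drop_pos=$(rule_position 'dport 0:65500 -j DROP')
    [ -n "$state_pos" ] && [ -n "$drop_pos" ] && [ "$state_pos" -lt "$drop_pos" ]
}

# Usage (as root, after reviewing the generated file; path is a placeholder):
#   build_ruleset > /tmp/fw.rules && iptables-restore < /tmp/fw.rules
if check_order; then
    echo "ok: state rule precedes the catch-all DROP"
else
    echo "rule order wrong: state rule would never match" >&2
    exit 1
fi
```

The script keeps the thread's `-m state --state` syntax; on current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the equivalent and preferred form. The ordering check is the part worth keeping: a stateful ACCEPT appended below a broad DROP silently does nothing, and the only symptom is exactly the one described in this thread.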