iptables: rejecting/dropping port range 1000-65535 problem
I've been noticing that users leave their computers on and browsers open overnight. I have no control of this.
Traffic monitoring using tcpdump shows the open browsers on websites like marketwatch.com, and there's a constant stream of advertising traffic between client machines on the LAN and outside web servers like the site listed above.
I thought I would squelch this traffic by simply not forwarding ports on the observed range -- 1000-6000.
I tried it briefly <<items in ( ) = clarification>>:
iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --dport 1000:6000 --syn -m state --state NEW -j REJECT
iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --sport 1000:6000 --syn -m state --state NEW -j REJECT
and
iptables -t filter -A FORWARD -i (lan_nic) -o (internet_nic) -p tcp --dport 1000:6000 --syn -m state --state NEW -j REJECT
iptables -t filter -A FORWARD -i (lan_nic) -o (internet_nic) -p tcp --sport 1000:6000 --syn -m state --state NEW -j REJECT
I was surprised to find that this made all connections from LAN client machines to the internet non-functional. I could not access any website: google.com, imap webmail service, lxer.com, etc., nothing.
I must need to update my training and understanding. :-)
I thought calling up google.com would use port 80, which I have open on the firewall.
I thought logging into an ssl-enabled webmail service would use ports 443, 143, and/or 993, which I have open on the firewall.
Why is so much web traffic traversing ports beyond 1024?
What can I do to re-route and re-assign such traffic so that I can better control it in/out of the LAN?
I appreciate your guidance and suggestions.
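The following is an added worked example, not part of the original post. It models, in plain Python, how netfilter walks the FORWARD chain first-match for the two rule lines quoted above, parsing only the iptables options the post uses. The point it makes visible is the difference between --dport and --sport: a TCP client picks an ephemeral source port for each new connection, and on Windows XP-era clients that range is 1025-5000, so the --sport 1000:6000 rule matches every new outbound connection regardless of the destination port, which is why port 80 and 443 sites stopped working. A Linux client with the default net.ipv4.ip_local_port_range (32768-60999) would not have been caught, so the example also walks a SYN from such a client to show that the breakage depends on the client OS. Assumptions, all labelled in the code: the chain's default policy is ACCEPT, the interface and subnet matches (placeholders in the post) are treated as satisfied, and the client and server addresses are constructed sample values.

```python
"""Model of how the FORWARD rules in the post match a new TCP connection.

Constructed example, not the netfilter implementation. It parses the
iptables subset used in the post (--sport/--dport with a low:high range,
-j TARGET; interface, subnet, --syn and state options are accepted and
treated as matching) and walks a SYN packet through the rules in order.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# Options that take one argument and are treated as always matching here.
_SKIP_WITH_ARG = {"-t", "-A", "-i", "-o", "-p", "-s", "-m", "--state"}


@dataclass
class Rule:
    sport: Optional[PortRange]   # match on client's (ephemeral) source port
    dport: Optional[PortRange]   # match on server's destination port
    target: str                  # ACCEPT / REJECT / DROP


@dataclass
class Syn:
    """First packet of a TCP connection: client ephemeral port -> server port."""
    src: str
    sport: int
    dst: str
    dport: int


def parse_range(spec: str) -> PortRange:
    """'1000:6000' -> (1000, 6000); a bare '80' -> (80, 80)."""
    lo, _, hi = spec.partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def parse_rule(cmdline: str) -> Rule:
    """Parse one iptables command line (the subset used in the post) into a Rule."""
    args = shlex.split(cmdline)
    sport = dport = None
    target = "ACCEPT"
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--sport":
            sport = parse_range(args[i + 1]); i += 2
        elif a == "--dport":
            dport = parse_range(args[i + 1]); i += 2
        elif a == "-j":
            target = args[i + 1]; i += 2
        elif a in _SKIP_WITH_ARG:
            i += 2                     # assumed to match (placeholders in the post)
        else:
            i += 1                     # 'iptables', 'FORWARD' itself, '--syn', ...
    return Rule(sport, dport, target)


def first_match(rules: List[Rule], pkt: Syn, policy: str = "ACCEPT") -> Tuple[str, int]:
    """Netfilter semantics: first matching rule decides; else the chain policy (assumed ACCEPT)."""
    for n, r in enumerate(rules):
        if r.sport and not (r.sport[0] <= pkt.sport <= r.sport[1]):
            continue
        if r.dport and not (r.dport[0] <= pkt.dport <= r.dport[1]):
            continue
        return r.target, n
    return policy, -1


def verdicts(rule_lines: List[str], pkt: Syn) -> Tuple[str, int]:
    return first_match([parse_rule(line) for line in rule_lines], pkt)


# The first pair of rules from the post, verbatim (placeholders kept).
POSTED = [
    "iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --dport 1000:6000 --syn -m state --state NEW -j REJECT",
    "iptables -t filter -A FORWARD -i (lan_nic) -p tcp -s (local_SUBNET) --sport 1000:6000 --syn -m state --state NEW -j REJECT",
]
FIXED = POSTED[:1]   # same intent, with the --sport rule left out

# Constructed sample connections (RFC 1918 clients, RFC 5737 servers).
XP_CLIENT = Syn("192.168.1.10", 1025, "203.0.113.10", 80)      # XP ephemeral range 1025-5000
LINUX_CLIENT = Syn("192.168.1.11", 40000, "203.0.113.10", 80)  # Linux default 32768-60999
HIGH_PORT_SITE = Syn("192.168.1.10", 1026, "203.0.113.20", 2000)  # server on a port in 1000-6000

if __name__ == "__main__":
    for name, pkt in [("XP client -> :80", XP_CLIENT), ("Linux client -> :80", LINUX_CLIENT),
                      ("XP client -> :2000", HIGH_PORT_SITE)]:
        print(f"{name:22s} posted={verdicts(POSTED, pkt)}  fixed={verdicts(FIXED, pkt)}")
```

Running it shows the XP-style client's port-80 connection rejected by rule index 1 (the --sport rule) under the posted set and accepted under the set without it, while a connection to a server listening inside 1000-6000 is still rejected by the --dport rule in both sets. Matching on the destination port alone therefore expresses the intent stated in the post; a source-port match on the client side only ever filters by which ephemeral port the client happened to pick.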