another quick question

Chris Brenton cbrenton at chrisbrenton.org
Mon Sep 20 12:02:41 CEST 2004


On Mon, 2004-09-20 at 04:02, Askar wrote:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -A FORWARD -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p TCP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> iptables -t nat -A PREROUTING -p UDP -s 0/0 -d 0/0 --dport 135:140 -j DROP
> 
> aren't there unnecessary repetitions?

Agreed. The "proper" place for filtering rules is the INPUT and/or
FORWARD chain. You should be able to delete the two PREROUTING rules
without a problem.

> also why is he (my
> predecessor) dropping such ports in the INPUT table? isn't it unnecessary,
> coz it's a linux box, no ports 135:140 are open on our fw machine.

Unless you run SAMBA. ;-)

My guess is it was done to keep the traffic from hitting a later logging
rule, but it's hard to say without seeing the entire rule base. It could
also have something to do with the "permit what has not been denied"
policy you mentioned in your last e-mail. Either way, it should not hurt
anything and it's a good idea to block outbound NetBIOS/IP if your
organization does not need it to do business. Attackers can use it to
transfer a rootkit onto the system. If the ports are blocked, their
lives become just a little bit harder.

HTH,
Chris
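An added example, not part of the thread or of netfilter itself: a small POSIX shell lint that scans an iptables-save style dump for DROP/REJECT rules sitting in the nat table (which Chris says belong in the filter table's INPUT/FORWARD chains instead) and prints a trimmed ruleset without them. The ruleset below is a constructed sample modelled on the one quoted above; no live iptables is touched.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, mirroring the quoted rules.
# The filter-table rules are the ones that actually do the blocking; the
# nat/PREROUTING DROPs are the redundant ones the thread suggests removing.
RULES_SAMPLE='*filter
-A INPUT -p tcp --dport 135:140 -j DROP
-A INPUT -p udp --dport 135:140 -j DROP
-A FORWARD -p tcp --dport 135:140 -j DROP
-A FORWARD -p udp --dport 135:140 -j DROP
COMMIT
*nat
-A PREROUTING -p tcp --dport 135:140 -j DROP
-A PREROUTING -p udp --dport 135:140 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Read a ruleset on stdin and print each DROP/REJECT rule that lives in
# the nat table, prefixed with "nat:" so it stands out in a review.
find_nat_filter_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*nat" -> table = "nat"
        table == "nat" && /-j (DROP|REJECT)( |$)/ { print "nat:" $0 }
    '
}

# Number of misplaced filtering rules in the ruleset passed as $1.
count_nat_filter_rules() {
    printf '%s\n' "$1" | find_nat_filter_rules | wc -l | tr -d ' '
}

# Same ruleset as $1 with the nat-table DROP/REJECT rules removed; the
# filter-table rules that do the real work are left untouched.
strip_nat_filter_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        !(table == "nat" && /-j (DROP|REJECT)( |$)/) { print }
    '
}

echo "Misplaced filtering rules in nat table:"
printf '%s\n' "$RULES_SAMPLE" | find_nat_filter_rules
echo
echo "Trimmed ruleset:"
strip_nat_filter_rules "$RULES_SAMPLE"
```

Feed `iptables-save` output into `find_nat_filter_rules` on a real host to get the same report for its live rules.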