dropping too many ports
Jason Opperisano
opie at 817west.com
Thu Sep 23 23:01:06 CEST 2004
On Thu, 2004-09-23 at 16:45, Askar wrote:
> hi all
>
> what if I do (and I'm doing this for the last two hours ;))
>
> iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
> iptables -A FORWARD -p udp --dport 31000:65500 -j DROP
>
uh...depending on your other rules--you could be dropping tons o'
legitimate traffic; i.e., inbound replies to your outbound requests.
how's about showing us:
iptables -vnxL FORWARD
a better approach (in general) is to set the policy of FORWARD to DROP,
and only allow through that which you need to allow through. it keeps
you from getting tempted to do what you just did, as well.
-j
--
Jason Opperisano <opie at 817west.com>
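As an added example that is not part of the thread: the quoted port-range DROP rules placed beside the default-deny FORWARD chain Jason recommends, as a POSIX shell script. It assumes eth1 is the LAN interface, eth0 the WAN interface, and that the LAN only needs outbound web and DNS; the interface names and the allowed services are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Set IPT=echo to preview the
# rules instead of applying them (e.g. IPT=echo sh fwd.sh apply).
IPT="${IPT:-iptables}"

# The approach quoted in the thread: drop by destination port range. On a
# router, replies to outbound connections traverse FORWARD with the client's
# ephemeral port as destination (32768 and up on Linux), so they are dropped
# along with whatever the range was meant to block.
port_range_drop() {
    "$IPT" -A FORWARD -p tcp --dport 31000:65500 -j DROP
    "$IPT" -A FORWARD -p udp --dport 31000:65500 -j DROP
}

# Default-deny FORWARD: policy DROP, then explicit allows. Replies are
# recognised by connection state, not by guessing port numbers.
default_deny_forward() {
    lan="$1"; wan="$2"          # assumed: lan=eth1, wan=eth0
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Traffic belonging to (or related to) connections already allowed.
    # Older iptables releases spell this "-m state --state ESTABLISHED,RELATED".
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New connections only from LAN to WAN, only to the services needed.
    "$IPT" -A FORWARD -i "$lan" -o "$wan" -p tcp -m multiport --dports 80,443 -j ACCEPT
    "$IPT" -A FORWARD -i "$lan" -o "$wan" -p udp --dport 53 -j ACCEPT
    # Rate-limited log of what the DROP policy is about to discard, so a
    # missing allow rule shows up in the logs instead of as a silent outage.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD DROP: "
}

# Run a rule function with IPT=echo in a subshell, printing the rules
# instead of applying them; handy for review before touching the firewall.
preview() { ( IPT=echo; "$@" ); }

if [ "${1:-}" = "apply" ]; then
    default_deny_forward eth1 eth0
fi
```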