dropping too many ports

Jason Opperisano opie at 817west.com
Thu Sep 23 23:01:06 CEST 2004


On Thu, 2004-09-23 at 16:45, Askar wrote:
> hi all
> 
> what if I do (and I'm doing this for the last two hours ;))
> 
> iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
> iptables -A FORWARD -p udp --dport 31000:65500 -j DROP
> 

uh...depending on your other rules--you could be dropping tons o'
legitimate traffic; i.e., inbound replies to your outbound requests.

how's about showing us:

  iptables -vnxL FORWARD

a better approach (in general) is to set the policy of FORWARD to DROP,
and only allow through that which you need to allow through.  it keeps
you from getting tempted to do what you just did, as well.

-j

-- 
Jason Opperisano <opie at 817west.com>
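An added example (not from the post or from netfilter itself) of the approach Jason describes: a FORWARD chain with policy DROP, where connection tracking lets replies to outbound requests back in, so no ephemeral-port range ever has to be opened or blocked by hand. Interface names, the LAN subnet and the allowed ports are assumed placeholders; the script prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Deny-by-default FORWARD chain. Replies are matched by connection state,
# not by destination port, so a blanket "--dport 31000:65500 -j DROP" is
# never needed (and would only break the replies the state rule admits).
#
# Dry run by default: IPT is "echo iptables" unless overridden, so the
# rules are printed instead of applied. Run as root with IPT=iptables to
# apply them for real.
IPT="${IPT:-echo iptables}"

LAN_IF="${LAN_IF:-eth1}"              # assumed: inside interface
WAN_IF="${WAN_IF:-eth0}"              # assumed: outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: LAN subnet (sample value)

build_forward_rules() {
    # Clean chain, default policy DROP: anything not explicitly allowed dies.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies and related traffic (ICMP errors, FTP data) for connections
    # the router has already seen pass regardless of port number.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no tracked connection are dropped before the
    # per-service rules below even look at them.
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # New outbound connections from the LAN, only to the services you allow.
    for port in 53 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Everything else falls through to the DROP policy; log a sample so
    # 'iptables -vnxL FORWARD' and the syslog show what it is catching.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_forward_rules
```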
