coming in through the outgoing hole?
keith at media-solutions.ie
Mon Nov 21 18:58:50 CET 2005
here's a scenario
i have opened outgoing webserver requests and their resposes thus
(output from iptables -v -L)
0 0 ACCEPT tcp -- eth0 any anywhere
anywhere tcp spt:http dpts:1024:65535
0 0 ACCEPT tcp -- any eth0 anywhere
anywhere tcp spts:1024:65535 dpt:http
now, it occurs to me that i have opened access to ports 1024 to 65535,
as long as the source port is port 80, correct?
where as I only want it open for connections originating on the local
I presume the answer here is conntrack, could someone help me with the
command for the INPUT chain?
should it be --state RELATED or ESTABLISHED or both or something like !
NEW (if that can be done)?
as a hypothetical example of the problem:
let's say i run an admin type webserver for some app, listening on a
port above 1024, for example. if someone hacked a web client to use port
80 as the source port for it's connections, (dunno, would you have to
hack the kernel too, or just be root?) , then they could bypass the
firewall part of the security, right? or with ssh, surely it would be
easy enough to hack an ssh client to use port 80 as it's source port.
ok, so you probably shouldn't run an ssh listener on a port above 1024,
but nevertheless, it's a good hole to close.
More information about the netfilter