Clamav Update and iptable rules

Anton Hofmann doomrunner.lists at gmail.com
Wed Nov 14 10:05:29 UTC 2007



Tony Arnold wrote:
Hi Tony,
> The problem is that although you allow any outbound connection, you only
> allow inbound on specific ports.
Outbound connections are blocked with my standard rule "iptables -I
INPUT -p tcp --sport 0:1023 ! --syn -j ACCEPT"
so all packets without the TCP SYN flag are dropped.

> When an outbound connection is made,
> the reply comes back on a randomly picked high number port which your
> INPUT chain will block.
That could be the problem, as the outbound rule blocks every connection
with a destination port higher than 1023.

> 
> You need to add a rule to your INPUT chain that allows connections that
> are replies to outbound connections. I can't remember the exact syntax,
> but I think there is a flag called 'established' that will do this for you.
Do you mean the "iptables -A INPUT -i eth0 -m state --state ESTABLISHED
-j ACCEPT" rule?


so long....

Anton
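A small model of how the two INPUT-chain variants discussed in this message treat a reply packet, added here as an illustration and not part of the thread or of any iptables code. It assumes a host that serves only port 22, hand-models the `--syn` match and the conntrack state, and uses constructed sample packets (a mirror reply from port 80, the same reply via a proxy on 8080, and an unsolicited ACK-only packet with a low source port).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    sport: int      # remote (source) port
    dport: int      # local (destination) port
    syn_only: bool  # True for a bare SYN, i.e. what iptables --syn matches
    state: str      # conntrack state as -m state would see it: NEW or ESTABLISHED

# Assumed set of ports this host serves (the "specific ports" Tony mentions).
# Anything else only gets in through the reply rule under test.
SERVED_PORTS = {22}

def sport_reply_rule(pkt: Packet) -> bool:
    """Anton's rule: iptables -I INPUT -p tcp --sport 0:1023 ! --syn -j ACCEPT"""
    return pkt.sport <= 1023 and not pkt.syn_only

def established_reply_rule(pkt: Packet) -> bool:
    """Tony's suggestion: iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT"""
    return pkt.state == "ESTABLISHED"

def input_chain(pkt: Packet, reply_rule) -> str:
    """Minimal INPUT chain: accept new connections to served ports, then the reply rule, then DROP."""
    if pkt.syn_only and pkt.dport in SERVED_PORTS:
        return "ACCEPT"
    if reply_rule(pkt):
        return "ACCEPT"
    return "DROP"

# Constructed traffic, as the firewall on the updating host would see it.
SAMPLE_PACKETS = {
    # freshclam fetched from a mirror on port 80; the reply lands on a random high port.
    "mirror_reply_port80": Packet(sport=80, dport=40321, syn_only=False, state="ESTABLISHED"),
    # the same fetch through a proxy listening on 8080, outside the 0:1023 range.
    "proxy_reply_port8080": Packet(sport=8080, dport=40322, syn_only=False, state="ESTABLISHED"),
    # unsolicited ACK-only packet with a low source port and no matching connection.
    "unsolicited_ack_sport53": Packet(sport=53, dport=40323, syn_only=False, state="NEW"),
}

def compare_rules() -> dict:
    """Verdict of each rule variant for every sample packet."""
    return {
        name: {"sport_rule": input_chain(pkt, sport_reply_rule),
               "established_rule": input_chain(pkt, established_reply_rule)}
        for name, pkt in SAMPLE_PACKETS.items()
    }

if __name__ == "__main__":
    for name, verdicts in compare_rules().items():
        print(f"{name:26} {verdicts}")
```

The port-range rule drops the legitimate reply from 8080 yet accepts the unsolicited packet that merely claims a low source port; the ESTABLISHED rule decides on connection state instead and gets both cases right.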




More information about the ubuntu-users mailing list