[ale] IP table question
JK
jknapka at kneuro.net
Tue Sep 12 11:36:08 EDT 2006
Terry Bailey wrote:
>
> The following line on a web server with IP of 192.168.1.50 allows my
> computer with IP of 192.168.1.100 to access the web site of the
> server. But it also allows access via https from my computer. I thought
> https used another port. Could someone explain this?
>
> iptables -I INPUT -p tcp --dport 80 -s ! 192.168.1.100 -j DROP
In fact, this rule *prohibits* HTTP access from any device whose
address is NOT ...100. It says nothing whatever about any
other port or protocol.
There must be some other rule that is allowing in https traffic.
As usual, it's basically impossible to tell what's going on
without seeing the whole ruleset. Probably you have a rule
or policy somewhere that says, "What the hell, let any old
packet in!", and the rule quoted above is an attempt to plug
an obvious hole. The problem with that is, the box is already
swiss cheese -- you're never going to be able to plug every
hole. That's why you should start your ruleset with:
iptables -P INPUT DROP
and then add rules to specifically *allow* the stuff you want
to let in, eg:
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The other chains (FORWARD, OUTPUT) should be treated similarly.
I have a reasonably well-commented set of rules; shall I post
it? I've no qualms about that; security by obscurity is, of
course, an illusion; in fact I'd really love it if someone
found flaws in my ruleset. I think a good discussion of iptables
rules would be a great thing to have in the list archive.
-- JK
More information about the Ale
mailing list