
#1 2013-05-06 07:34:35

Lockheed
Member
Registered: 2010-03-16
Posts: 1,429

Opening ports in iptables

I set up an iptables firewall according to the wiki here: https://wiki.archlinux.org/index.php/Si … PEN_chains

However, I am not sure whether restoring the final rule like this

# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

is also necessary after opening a new port, like this:

# iptables -A TCP -p tcp --dport 80 -j ACCEPT
# iptables -A UDP -p udp --dport 53 -j ACCEPT


#2 2013-05-06 08:26:44

illusionist
Member
From: localhost
Registered: 2012-04-03
Posts: 498

Re: Opening ports in iptables

Why not just drop it instead of rejecting it?


#3 2013-05-06 20:59:26

ajbibb
Member
Registered: 2012-02-12
Posts: 118

Re: Opening ports in iptables

You only need to restore the final rule if you are using one of the port scanning tricks from the wiki. If you follow the directions in the wiki for the port scanning tricks (they are optional), the final rule will no longer be final; the two-line section of code you quoted just puts it back in its proper position as the last rule in your INPUT chain. It really has nothing to do with opening ports in your TCP and UDP chains.

--reject-with icmp-proto-unreachable is supposed to be the proper response for this rule. A lot of people have opinions that dropping is better, and they are not hard to find on the internet. I use the "proper" response in my firewalls; I'll let you decide which you want in yours.
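As an added example (not from this thread or the wiki), a small POSIX shell check of the point above: it reads an `iptables -S INPUT` listing, tells you whether the catch-all REJECT rule is still the last rule of INPUT, and only then prints the delete/append pair from the first post. The two listings are constructed to mimic `iptables -S INPUT` output; the rule text is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: check whether the catch-all REJECT rule is still the
# last rule in INPUT. Works on the text printed by `iptables -S INPUT`,
# so it can be run against a saved listing without root.

# Constructed sample: INPUT after the wiki's basic setup, REJECT last.
INPUT_OK='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable'

# Constructed sample: the same chain after an optional rule was appended
# behind REJECT, so the "final" rule is no longer final.
INPUT_BAD="$INPUT_OK
-A INPUT -p tcp -m recent --name TCP-PORTSCAN --rcheck --seconds 60 -j REJECT --reject-with tcp-reset"

# reject_is_last LISTING -> 0 if the last -A INPUT rule is the catch-all
# REJECT, 1 otherwise. The -P policy line is skipped.
reject_is_last() {
    last=$(printf '%s\n' "$1" | grep '^-A INPUT ' | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT --reject-with icmp-proto-unreachable") return 0 ;;
        *) return 1 ;;
    esac
}

# fix_order LISTING -> prints the two commands from the thread that move
# REJECT back to the end, but only when the chain actually needs it.
fix_order() {
    if reject_is_last "$1"; then
        echo "REJECT rule is already last; nothing to do"
    else
        echo "iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable"
        echo "iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable"
    fi
}

# Live usage (needs root): fix_order "$(iptables -S INPUT)"
fix_order "$INPUT_OK"
fix_order "$INPUT_BAD"
```

Opening a port in the TCP or UDP chain never changes INPUT, so the check stays "already last" after those commands; only rules appended directly to INPUT push the REJECT rule out of place.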
