
#1 2013-05-06 07:34:35

Registered: 2010-03-16
Posts: 1,450

Opening ports in iptables

I set up an iptables firewall according to the wiki here: … PEN_chains

However, I am not sure if restoring the final rule like this

# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

is also necessary after opening a new port, like this:

# iptables -A TCP -p tcp --dport 80 -j ACCEPT
# iptables -A UDP -p udp --dport 53 -j ACCEPT

Laptop: ThinkPad T420s, i7/i5, 16GB RAM, 1080p IPS mod, Arch | HTPC/Server/fw: Zotac AQ01, A4-5000 Kabini, 8GB, Arch/lxd NethServer


#2 2013-05-06 08:26:44

From: localhost
Registered: 2012-04-03
Posts: 498

Re: Opening ports in iptables

Why not just drop it instead of rejecting it?

  Never argue with stupid people, they will drag you down to their level and then beat you with experience. -- Mark Twain


#3 2013-05-06 20:59:26

Registered: 2012-02-12
Posts: 133

Re: Opening ports in iptables

You only need to restore the final rule if you are using one of the port scanning tricks from the wiki. If you follow the directions in the wiki for the port scanning tricks (they are optional), the final rule will no longer be final; the two-line section of code you quoted just puts it back in its proper position as the last rule in your INPUT chain. It really has nothing to do with opening ports in your TCP and UDP chains.

--reject-with icmp-proto-unreachable is supposed to be the proper response for this rule. A lot of people have opinions that dropping is better, and they are not hard to find on the internet. I use the "proper" response in my firewalls; I'll let you decide which you want in yours.
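The ordering point made in the reply above, as an added example that is not code from the wiki or from either poster: iptables walks a chain top to bottom and stops at the first matching terminal target, so anything appended after the catch-all REJECT in INPUT can never match, while rules appended to the TCP or UDP user chains do not touch INPUT's order at all. The script models each chain as an ordered list, parses an `iptables-save`-style dump, and reports whether the catch-all is still last. The dump below is constructed for this example and only follows the chain names the thread mentions (INPUT, TCP, UDP); on a real host, feed it the text of `iptables-save -t filter` instead.

```python
"""Check whether the catch-all REJECT in INPUT is still the last rule.

Added example, not code from the wiki or from the posters. The rule set
below is constructed for this example and only follows the chain names
the thread mentions (INPUT, TCP, UDP); on a real host, feed the text of
`iptables-save -t filter` to parse_chains() instead. iptables evaluates a
chain top to bottom and stops at the first matching terminal target, so a
chain is modelled here as an ordered list of rule strings.
"""
from collections import OrderedDict

# Constructed iptables-save style dump. The `-m recent` port-scan rule was
# appended (-A) after the catch-all REJECT, which is the "final rule is no
# longer final" situation described in the thread.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A TCP -p tcp --dport 22 -j ACCEPT
COMMIT
"""

FINAL_RULE = "-j REJECT --reject-with icmp-proto-unreachable"


def parse_chains(dump):
    """Return {chain: [rule, ...]} in rule order from iptables-save text."""
    chains = OrderedDict()
    for line in dump.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            chains.setdefault(chain, []).append(rule)
    return chains


def check_input_order(chains):
    """Return a list of ordering problems; an empty list means INPUT is sound."""
    problems = []
    rules = chains.get("INPUT", [])
    if FINAL_RULE not in rules:
        return ["INPUT has no catch-all REJECT rule"]
    pos = rules.index(FINAL_RULE)
    if pos != len(rules) - 1:
        # Anything after the catch-all can never be reached.
        problems.append("unreachable rules after the catch-all REJECT: "
                        + "; ".join(rules[pos + 1:]))
    for chain in ("TCP", "UDP"):
        jumps = [i for i, r in enumerate(rules) if r.endswith("-j " + chain)]
        if not jumps:
            problems.append("INPUT never jumps to chain " + chain)
        elif jumps[0] > pos:
            problems.append("jump to " + chain + " sits after the catch-all REJECT")
    return problems


def restore_final_rule(chains):
    """Model `iptables -D INPUT <rule>` followed by `iptables -A INPUT <rule>`."""
    rules = chains["INPUT"]
    rules.remove(FINAL_RULE)  # -D deletes the first matching rule
    rules.append(FINAL_RULE)  # -A appends at the end of the chain
    return chains


def open_port(chains, chain, proto, port):
    """Model `iptables -A <chain> -p <proto> --dport <port> -j ACCEPT`."""
    chains[chain].append("-p %s --dport %d -j ACCEPT" % (proto, port))
    return chains


if __name__ == "__main__":
    chains = parse_chains(SAMPLE_DUMP)
    print("before restore:", check_input_order(chains))
    restore_final_rule(chains)
    print("after restore: ", check_input_order(chains))
    # Opening a port touches only the TCP chain; INPUT's order is unchanged.
    input_before = list(chains["INPUT"])
    open_port(chains, "TCP", "tcp", 80)
    print("INPUT unchanged:", chains["INPUT"] == input_before)
```

On a live host the same check is simply reading `iptables -S INPUT` and confirming that the `-j REJECT --reject-with icmp-proto-unreachable` line is the last one printed; the delete-then-append pair from the wiki is only needed when something was appended to INPUT after it, never when a port is opened in the TCP or UDP chains.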

