Gentoo Forums
N00b - several iptables questions
Robert S
Posted: Mon May 23, 2005 9:32 pm    Post subject: N00b - several iptables questions

I've been trying to get to grips with iptables over the last few weeks. I've already got a hardware router, so I only need to block incoming traffic - no NAT/routing etc. I've had a firewall up and running and I've got a few queries:

1. I get the following in my log:

iptables: IN=eth0 OUT= MAC= SRC=192.168.2.40 DST=192.168.2.255 LEN=44 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33216 DPT=7741 LEN=24

What is udp port 7741? I haven't found out much about it - is it used to shut down services or is it used by lisa (which I have running)?

2. What is udp port 68? I've read that it's the bootp client. I get the following in my logs:

iptables udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:5d:31:6c:25:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=330 TOS=00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=310

3. A number of firewall scripts use the --syn flag (eg: iptables -A INPUT -i eth0 -p tcp --dport <port> --syn -j ACCEPT) - eg. lokkit. Is it necessary (or better) to have this set?

At the moment I've got udp ports 7741 and 68 blocked, and I use the --syn flag on most tcp settings, with no obvious problems with my network. Should I leave things the way they are?

TIA
mr-simon
Posted: Tue May 24, 2005 9:45 am

1) udp port 7741 is indeed something to do with lisa, yes. If you want lisa to play nice with your box, I'd recommend enabling this. However, I don't know very much about lisa so I don't know exactly what you need to do here. Maybe you only need it on a lisa server (if there is such a thing... ?)

2) The second packet 0.0.0.0 to 255.255.255.255, src 68 dest 67 udp, is something to do with DHCP. If you are running a DHCP server on your box, you should make sure this is allowed. Otherwise it is safe to ignore.

3) from the iptables man page:
Code:
       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK and  RST
              bits  cleared.   Such packets are used to request TCP connection
              initiation; for example, blocking  such  packets  coming  in  an
              interface  will  prevent  incoming TCP connections, but outgoing
              TCP connections will be unaffected.  It is equivalent to  --tcp-
              flags  SYN,RST,ACK  SYN.   If the "!" flag precedes the "--syn",
              the sense of the option is inverted.

I guess this is more of an advanced option, but is probably useful with connection tracking. I've never used it, so I probably can't give you a very authoritative answer on this one. My guess is that you're probably okay without it though, particularly if things are working well. (Leaving it off is not going to open up any major security holes)
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
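An added example (my own code, not from either poster) in Python: it parses the two log lines quoted in the question into fields, labels the two UDP broadcast patterns the reply explains, and models --syn as the --tcp-flags SYN,RST,ACK SYN shorthand from the man page excerpt. The field-splitting rules and the classification labels are my own assumptions.

```python
# Constructed copies of the two log lines quoted in the question.
LOG_LINES = [
    "iptables: IN=eth0 OUT= MAC= SRC=192.168.2.40 DST=192.168.2.255 LEN=44 "
    "TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33216 DPT=7741 LEN=24",
    "iptables udp: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:5d:31:6c:25:08:00 "
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=330 TOS=00 PREC=0x00 TTL=128 ID=0 "
    "PROTO=UDP SPT=68 DPT=67 LEN=310",
]

def parse_iptables_log(line):
    """Split a LOG-target line into a dict of KEY=VALUE fields. Bare flags
    such as DF become True; a repeated key (IP LEN, then UDP LEN) keeps the
    first value, i.e. the IP total length."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields.setdefault(key, value)
        elif token.isupper():
            fields[token] = True
    return fields

def classify(fields):
    """Name the two UDP broadcast patterns asked about in the thread."""
    if fields.get("PROTO") != "UDP":
        return "unclassified"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if ((spt, dpt) == (68, 67) and fields["SRC"] == "0.0.0.0"
            and fields["DST"] == "255.255.255.255"):
        return "dhcp-client-broadcast"  # only matters if this box serves DHCP
    if dpt == 7741:
        return "lisa-broadcast"  # udp/7741, the lisa traffic named in the reply
    return "unclassified"

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: examine only the bits in MASK and
    require exactly the bits listed in COMP to be set among them."""
    return (flags & mask) == comp

def matches_syn(flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK SYN: a connection
    request (SYN) that is neither a reply (ACK set) nor a reset (RST set)."""
    return tcp_flags_match(flags, SYN | RST | ACK, SYN)

def classify_all(lines=LOG_LINES):
    """Classify every log line; used to check the thread's two examples."""
    return [classify(parse_iptables_log(line)) for line in lines]
```

A rule with --syn accepts only the connection request, so the remaining packets of that connection have to be accepted by a connection-tracking rule (e.g. -m state --state ESTABLISHED,RELATED), which is why the man page describes it in terms of controlling incoming connections rather than incoming packets.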