I changed the subject and started a new thread here. Anyway . . .

Nicolas Boullis wrote:

> You should add the rule:
>
> $IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED
Thanks, those rules that I gave as an example are from my workstation,
which has a 2.4 kernel installed. I will add this connection tracking
stuff on my workstation. But my server has a 2.2 kernel installed, and
from the man page there doesn't seem to be connection tracking in
ipchains. Correct?

>>> # Drop spoofed packets
>>> iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0
>
> What about outgoing spoofed packets? They didn't get dropped in this
> script at all. It's only a selfish half-hearted firewall if all it does
> is to protect yourself against incoming nasties; there's always a
> responsibility not to inflict dodgy packets on others, as much as
> possible.

OK, but how do you tell if a packet is spoofed going out? I can tell
coming in by looking at the source address and the interface.

>>> iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
>>> iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
>
> "Hey! I'm a nice port, let me in!".
>
> Oops.

You're right, I should probably change that to be the address of the DNS
server. I'll also add connection tracking in my iptables script. Is there
anything I can do in my ipchains script?

--
http://www.torrin.net
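Added example, not part of the original thread and not torrin's or Nicolas Boullis's rules: one way to answer both questions above in a single script. An outgoing packet on the external interface is spoofed if its source is anything other than that interface's own address, so the egress check is the mirror image of the ingress one (-o instead of -i). The second function is the stateless ipchains (2.2 kernel) version: there is no connection tracking, so inbound TCP that is not a connection-opening SYN (! -y) is accepted as a presumed reply, and UDP DNS answers can only be narrowed to the resolver's address and port, which a forged packet can still match. The interface name, the addresses (203.0.113.5, 203.0.113.53, 192.168.1.0/24) and the variable names are assumptions; the loopback-source drop goes slightly beyond the rules quoted above.

```shell
#!/bin/sh
# Added example; not from the original thread. Interface, addresses and
# variable names are assumptions; set them for your own host.
EXT_IF="${EXT_IF:-eth0}"                  # interface facing the outside
MY_ADDR="${MY_ADDR:-203.0.113.5}"         # our own address on $EXT_IF (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # our internal network (assumed)
DNS_SERVER="${DNS_SERVER:-203.0.113.53}"  # the resolver we query (assumed)
# Set IPTABLES=echo / IPCHAINS=echo to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
IPCHAINS="${IPCHAINS:-ipchains}"

# 2.4 kernel: netfilter with connection tracking.
antispoof_rules_iptables() {
    # Ingress: nothing arriving from outside may claim one of our addresses.
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$MY_ADDR" -j DROP
    $IPTABLES -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
    # Egress: the mirror image. A packet leaving $EXT_IF is spoofed if its
    # source is anything other than our own address on that interface.
    $IPTABLES -A OUTPUT -o "$EXT_IF" ! -s "$MY_ADDR" -j DROP
    # Replies to connections we opened. This covers DNS answers too, so no
    # "source port 53 from anywhere" rule is needed at all.
    $IPTABLES -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 2.2 kernel: ipchains is stateless, so this is only an approximation.
antispoof_rules_ipchains() {
    $IPCHAINS -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -s "$MY_ADDR" -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY
    # Egress anti-spoofing needs no state; ipchains puts the "!" after -s.
    $IPCHAINS -A output -i "$EXT_IF" -s ! "$MY_ADDR" -j DENY
    # No ESTABLISHED match: accept inbound TCP that is not a connection-opening
    # SYN (! -y), i.e. presumably a reply to something we started.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP has no SYN. The best a stateless filter does is narrow DNS answers
    # to our resolver's address and port; a forged packet can still match.
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s "$DNS_SERVER" 53 -j ACCEPT
}

case "${1:-}" in
    iptables) antispoof_rules_iptables ;;
    ipchains) antispoof_rules_ipchains ;;
    *) echo "usage: IPTABLES=echo sh $0 iptables  |  IPCHAINS=echo sh $0 ipchains" >&2 ;;
esac
```

Run it with IPTABLES=echo (or IPCHAINS=echo) first to review the generated rules before loading them. The egress rule sits on OUTPUT, which only sees packets this host generates itself; if the machine also routes for the internal network, the same source-address check would have to be repeated on FORWARD.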