* dropping too many ports
From: Askar @ 2004-09-23 20:45 UTC (permalink / raw)
To: netfilter
Hi all,

What if I do this (and I've been doing it for the last two hours ;))?

iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
iptables -A FORWARD -p udp --dport 31000:65500 -j DROP

Yes, I am dropping too many ports at once (actually it's a default-ACCEPT
machine); as far as I know, not a single well-known service runs on a
port above 31000?

Actually I don't know what to do, because I'm watching (through tcpdump) a lot of
clients accessing higher ports; that's why I put in these rules.

iptables -L -nvx shows very high counts whenever I check, especially
for UDP ("udp --dport 31000:65500 -j DROP").

Am I doing the right thing? (See, I'm getting counts on it.)
Am I dropping some legitimate packets?
Or are our clients (sitting on M$ OS) infected?
May I extend the rules to INPUT and OUTPUT?

Regards,
tired :(
--
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)
* Re: dropping too many ports
From: Gavin Hamill @ 2004-09-23 20:51 UTC (permalink / raw)
To: netfilter
On Thursday 23 September 2004 21:45, Askar wrote:
> hi all
>
> What if I do this (and I've been doing it for the last two hours ;))?
>
> iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
> iptables -A FORWARD -p udp --dport 31000:65500 -j DROP
>
> Yes, I am dropping too many ports at once (actually it's a default-ACCEPT
> machine),
I think you answered your own question - why not make the default policy DROP,
and then just permit the services you want?
gdh
* Re: dropping too many ports
From: Jason Opperisano @ 2004-09-23 21:01 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-23 at 16:45, Askar wrote:
> hi all
>
> What if I do this (and I've been doing it for the last two hours ;))?
>
> iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
> iptables -A FORWARD -p udp --dport 31000:65500 -j DROP
>
uh...depending on your other rules--you could be dropping tons o'
legitimate traffic; i.e., inbound replies to your outbound requests.
how's about showing us:
iptables -vnxL FORWARD
a better approach (in general) is to set the policy of FORWARD to DROP,
and only allow through that which you need to allow through. it keeps
you from getting tempted to do what you just did, as well.
-j
--
Jason Opperisano <opie@817west.com>
* Re: dropping too many ports
From: Aleksandar Milivojevic @ 2004-09-23 21:14 UTC (permalink / raw)
To: netfilter
Askar wrote:
> hi all
>
> What if I do this (and I've been doing it for the last two hours ;))?
>
> iptables -A FORWARD -p tcp --dport 31000:65500 -j DROP
> iptables -A FORWARD -p udp --dport 31000:65500 -j DROP
[snip]
> iptables -L -nvx shows very high counts whenever I check, especially
> for UDP ("udp --dport 31000:65500 -j DROP").
Depending on your other rules this might not be a good idea. Here's an
example of why. If a client connects to, say, your web server, it may look
something like this:

client sport 54321 to server dport 80 for incoming packets
server sport 80 to client dport 54321 for outgoing packets

As you can guess by now, your rules are blocking the outgoing packets of a
perfectly legal connection.
BTW, you should really consider setting default policy to DROP, and
allow only what you need.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7