* OUTPUT chain, Source Port 80 ---> Destination Port Unprivileged
@ 2005-11-20 19:13 Adam Rosi-Kessel
  2005-11-20 20:23 ` Adam Rosi-Kessel
  0 siblings, 1 reply; 2+ messages in thread
From: Adam Rosi-Kessel @ 2005-11-20 19:13 UTC (permalink / raw)
  To: netfilter


I've noticed that I occasionally have output packets on my webserver that
have source port 80 and a destination port > 1024 (I've recently seen 4911,
4912, 49440, 49521, and 50296).

My current OUTPUT policy drops outbound traffic except on ports that are
specifically allowed. The unprivileged ports are not currently allowed.

I've seen a few sample iptables rulesets that allow outbound traffic to
unprivileged ports from source port 80.

Can someone explain to me why this happens, or point me to an explanation
elsewhere? Are there reasons to allow (or not to allow) such traffic, i.e.,
with a rule like:

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR 1024:65535 \
		--source-port 80 --destination-port "1024:65535" -j ACCEPT

?
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org



* Re: OUTPUT chain, Source Port 80 ---> Destination Port Unprivileged
From: Adam Rosi-Kessel @ 2005-11-20 20:23 UTC (permalink / raw)
  To: netfilter

On Sun, Nov 20, 2005 at 02:13:03PM -0500, Adam Rosi-Kessel wrote:
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR 1024:65535 \
> 		--source-port 80 --destination-port "1024:65535" -j ACCEPT

Oops, that should have been:

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR \
		--source-port 80 --destination-port "1024:65535" -j ACCEPT

I should also mention that I already have an OUTPUT matching rule to
ACCEPT all packets that are established and related. So it would seem
that the additional rule above should be unnecessary, right? But then why
am I seeing dropped OUTPUT packets with SPT=80 and DPT=>1024?
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org
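The dropped packets described in this thread (SPT=80, DPT above 1024) become visible if the OUTPUT chain has a LOG rule just before its final DROP. The script below is an added example, not part of the thread or of any netfilter code: it parses netfilter LOG lines (the sample lines are constructed, in the format the LOG target writes to the kernel log, assuming a rule such as `iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "`) and sorts the drops into categories. The usual explanation for the pattern asked about is that a segment arrives for a connection the kernel no longer has a socket or conntrack entry for (a late packet after the connection closed or timed out); the kernel answers it with a RST, and because there is no conntrack entry that RST is never ESTABLISHED or RELATED, so a stateful OUTPUT policy lets it fall through to DROP. Such resets are harmless; the drops a defender actually wants to review are the ones where the host itself opened a new outbound connection (bare SYN). The served-port set is an assumption (80 comes from the thread, 443 is added), as are the prefix and host names.

```python
import re
from collections import Counter

# Constructed sample lines (illustrative, not from the thread) in the format the
# netfilter LOG target writes to the kernel log. Assumed rule:
#   iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "   (placed just before the final DROP)
SAMPLE_LOG = """\
Nov 20 14:01:12 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=4911 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 20 14:01:13 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=4912 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 20 14:02:40 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=43121 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 20 14:03:05 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=49440 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 20 14:03:30 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=7788 DF PROTO=TCP SPT=80 DPT=49521 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Nov 20 14:04:00 web kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=33445 DPT=53 LEN=42
"""

# Assumed: ports this host legitimately serves (80 from the thread, 443 added).
SERVED_PORTS = {80, 443}

# Fields that are plain decimal integers in LOG output.
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?P<rest>.*)$"
)


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("IN=")
    if start < 0:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": rest[:start].strip(),   # the --log-prefix text
        "flags": set(),
    }
    for tok in rest[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        else:
            rec["flags"].add(tok)         # bare tokens: DF and TCP flags (SYN, ACK, RST, ...)
    return rec


def classify(rec):
    """Assign a dropped OUTPUT packet to a review category."""
    if rec is None:
        return "unparsed"
    if rec.get("PROTO") != "TCP":
        return "other"
    flags = rec["flags"]
    if rec.get("SPT") in SERVED_PORTS and rec.get("DPT", 0) >= 1024:
        # Reply traffic from a served port that missed the ESTABLISHED,RELATED rule.
        # A RST here is the kernel answering a segment it has no socket or conntrack
        # entry for (a late packet after the connection closed or timed out); no entry
        # means no ESTABLISHED match, so the reset falls through to DROP. Harmless.
        if "RST" in flags:
            return "late-reset"
        # Ordinary data/ACK from a served port that still had no conntrack match:
        # look at the conntrack table (timeouts, table full) rather than the ruleset.
        return "reply-unmatched"
    if "SYN" in flags and "ACK" not in flags:
        # The host itself tried to open a connection the policy does not allow;
        # these are the drops worth investigating.
        return "new-outbound"
    return "other"


def summarize(log_text):
    """Count dropped OUTPUT packets per category over a block of log text."""
    return Counter(
        classify(parse_log_line(l)) for l in log_text.splitlines() if l.strip()
    )


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        print(f"{classify(rec):16} {rec['PROTO']:4} "
              f"{rec['SRC']}:{rec.get('SPT')} -> {rec['DST']}:{rec.get('DPT')} "
              f"{' '.join(sorted(rec['flags']))}")
    print(summarize(SAMPLE_LOG))
```

Run it as a filter over `journalctl -k` or `/var/log/kern.log` output by replacing SAMPLE_LOG with the real text; a rising `reply-unmatched` count points at conntrack rather than at the rule the thread asks about, while `late-reset` entries are the expected background that the proposed `--source-port 80 --destination-port 1024:65535` rule would accept.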

