Ansgar Wiechers wrote:
> On 2008-10-31 daniel wrote:
>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You need TCP for fully functional DNS as well.

Why do I need TCP for fully functional DNS? TCP must be used for zone transfers. See --> http://www.freesoft.org/CIE/Topics/77.htm

In the rule "iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT", the state module is not necessary, because it uses UDP, although it works. So, the correct form is:

iptables -A INPUT -p udp -j ACCEPT

> You should also allow some ICMP types.

I think so. What ICMP types would you set?

> [...]
>> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
>> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
> Making rules too specific will adversely affect maintenance.

I agree with you. But I think that if a process on that host (e.g. a trojan horse on port 12345) tries to connect to an external host, it will not work. Is that correct?

> Regards
> Ansgar Wiechers

I'm not an expert. :)
I'm sorry, my English is not good...

Regards
Daniel.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
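A ruleset in iptables-restore format that covers the three points raised in this exchange (DNS over TCP as well as UDP, a set of ICMP types, and one state rule in place of per-port --sport rules), added here as an example and not written by either poster. It assumes default-DROP policies and relies on netfilter connection tracking, which covers UDP and ICMP pseudo-connections as well as TCP; the host offers only SSH and HTTP and opens no outbound connections other than DNS, matching the policy in the quoted rules.

```shell
#!/bin/sh
# Added example: emit a minimal iptables-restore ruleset for a host that
# serves SSH and HTTP and must resolve names. Assumed: default-deny
# policies; conntrack tracks UDP and ICMP; resolver addresses are not
# pinned here. Nothing in this function touches the kernel.
gen_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, then everything that belongs to a tracked connection, in both
# directions. This one pair of rules admits the replies for DNS, SSH and
# HTTP, so no per-port --sport rule is needed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# DNS: UDP for ordinary queries, TCP for answers that exceed 512 bytes
# (the resolver retries over TCP when a UDP answer is truncated) and for
# zone transfers. Only NEW outbound connections need explicit rules.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# ICMP: destination-unreachable (code 4 of it carries the "fragmentation
# needed" message used by path-MTU discovery), time-exceeded for
# traceroute, and rate-limited echo so the host can be pinged.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Services offered: only NEW inbound connections to 22 and 80 are opened.
-A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
# A local process trying to reach an outside host on any other port (the
# "trojan on port 12345" case) falls through to the OUTPUT DROP policy;
# log it first so the attempt is visible in the kernel log.
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "OUTPUT-DENIED: "
COMMIT
EOF
}
# Load as root with:  gen_ruleset | iptables-restore
```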