Mart van de Wege wrote:
> Reco <recovery...@gmail.com> writes:
>
>> The simplest *working* solution is to use iptables this way:
>>
>> iptables -F INPUT
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -j ACCEPT

Too permissive. Allow only safe error types (i.e. destination-unreachable, time-exceeded and parameter-problem but NOT redirect or source-quench) in the RELATED state.

>> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Too restrictive. If you allow any protocol outbound, you must allow any protocol reply inbound.

>> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
>> iptables -P INPUT DROP
>> iptables -F OUTPUT
>> iptables -P OUTPUT ACCEPT
>>
>> Your rules will block anything on the interface lo and outbound traffic,
>> which is just asking for all kinds of trouble. And blocking icmp is just
>> rude ;)

No. Blocking /valid/ ICMP /error/ packets is rude and may cause trouble. You may happily and safely drop any other ICMP packets.

> Outbound traffic is not necessary, surely?

Of course it is. At least reply packets to incoming SSH packets.

> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.

Wrong. ESTABLISHED is for all connection-oriented protocols like TCP and SCTP, but also some UDP-based protocols such as DNS, and ICMP echo (ping). RELATED is also for ICMP error messages. Useful to get the replies from an outgoing traceroute.

> Then again, chain OUTPUT defaults to ACCEPT anyway.
>
> Mart

Archive: https://lists.debian.org/54933279.1050...@plouf.fr.eu.org