On Tue, Feb 19, 2002 at 10:42:00PM -0500, Steve West wrote:
>
> I'm having some problems w/ my iptables rules and I have tried almost 20 or
> so different attempts and I hope someone here can help. Our network consists
> of one network (eth0) connected to the Internet. The iptables are setup on
> RedHat 7.1 (running Kernel 2.4.9-21smp). This server needs to have ssh, dns,
> smtp, & http running.
>
> iptables -A OUTPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
>
> Is there a security risk to allow ports 1024:65535 out? And if so, how can I
> correct this and still allow ssh,dns,smtp,http,https to work fine?
>
> Also, the way the rules are currently setup do not allow for DNS queries or
> updates between this server which is a secondary name server and the primary
> name server. What am I doing wrong? I added for both INPUT & OUTPUT tcp and
> udp rules for port 53 and it still doesn't work. (I don't even know if I
> need to have such rules)
You shouldn't have to put that rule in there; have you tried using your
system w/o it? I've never had to do it, maybe because I said that I
would allow "ESTABLISHED,RELATED" packets to an incoming port 22
request.
To debug your problem I would add a marker before you DROP any packet,
and as the last rule before it goes to the default, which should be a
drop. To do so use this notation:
-j LOG --log-prefix "DROP "
If you purposely drop something like incoming web, make it look like
this:
--dport 80 -j LOG --log-prefix "INWEB "
--dport 80 -j DROP
So you can see and count the number dropped.
Doing this will greatly help you in debugging as you'll see a line in
syslog that says that it is dropping packets outbound on eth0 with a
source port of 53 and that you should open it up, for example.
Is this a part of the FAQ to LOG all drops to help out in debugging?
More than half the posts on this list could be solved if people did
that.
Chris
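The debugging step Chris describes above (a LOG rule with a prefix in front of each DROP, then reading syslog to see what is being dropped) can be automated. The following is an added example, not code from the thread; it parses the standard netfilter LOG target format (key=value fields after the prefix) and tallies dropped packets by prefix, direction, interface, protocol and port. The syslog lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG target's format.
# The "DROP " and "INWEB " prefixes follow the reply above; addresses are
# from documentation ranges, not real hosts. The last line is not a
# firewall log entry and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Feb 19 22:42:01 ns2 kernel: DROP IN= OUT=eth0 SRC=192.0.2.53 DST=198.51.100.53 LEN=73 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53
Feb 19 22:42:02 ns2 kernel: DROP IN= OUT=eth0 SRC=192.0.2.53 DST=198.51.100.53 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=53 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 19 22:42:05 ns2 kernel: DROP IN= OUT=eth0 SRC=192.0.2.53 DST=198.51.100.53 LEN=73 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=53
Feb 19 22:43:10 ns2 kernel: INWEB IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.53 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40212 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 19 22:43:11 ns2 sshd[1234]: Accepted publickey for steve from 203.0.113.9 port 50022 ssh2
"""

# A kernel line whose --log-prefix word is followed by the netfilter fields.
LOG_LINE = re.compile(r" kernel: (?P<prefix>\S+) (?P<fields>IN=.*)$")

def parse_netfilter_line(line):
    """Return (prefix, fields dict) for a netfilter LOG line, or None otherwise."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:  # bare flags such as DF or SYN carry no value
            key, _, value = token.partition("=")
            fields.setdefault(key, value)  # first LEN is the IP length; keep it
    return m.group("prefix"), fields

def summarize_drops(syslog_text):
    """Count logged packets by (prefix, direction, interface, proto, which port, port).

    Outbound packets (OUT set) are keyed on source port, which is what shows
    a secondary name server's port-53 traffic being dropped; inbound packets
    are keyed on destination port.
    """
    counts = Counter()
    for line in syslog_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if f.get("OUT"):
            key = (prefix, "out", f["OUT"], f.get("PROTO"), "spt", f.get("SPT"))
        else:
            key = (prefix, "in", f.get("IN"), f.get("PROTO"), "dpt", f.get("DPT"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_SYSLOG).most_common():
        print(n, *key)
```

Run it against `/var/log/messages` instead of the sample text and the top entries are the rules you most likely still need to open, such as outbound UDP with source port 53 on eth0 in this thread's case.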