
I am configuring my iptables. The policy for OUTPUT is ACCEPT. Though INPUT is DROP. I am wondering what I need to open up on INPUT so I can receive responses on outgoing traffic (automatic or manual, i.e. wget), without leaving me vulnerable to DDoS attacks.

I'm thinking somewhere along the lines of

iptables -A INPUT -p tcp --dport 80 --state ESTABLISHED -j ACCEPT

Thanks for any input!

Menno
  • Why not just make it simple and say `iptables -A INPUT --state ESTABLISHED -j ACCEPT`? – Zoredache Apr 01 '13 at 19:46
  • @Zoredache `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` Don't forget `-m state --state` and you probably want related, too. (For FTP or other services that use dynamic port assignment.) – Aaron Copley Apr 01 '13 at 20:57
  • Indeed, I forgot to type `-m state`. Though, I'd rather go with MadHatter's approach since I'm trying to close the firewall as much as possible (since I'm handling data of a client on it). – Menno Apr 01 '13 at 20:59
  • That was @Zoredache, not you. :) – Aaron Copley Apr 01 '13 at 21:00
  • Well, me too (in my question). On another note, I'm not 100% familiar with the way ddos attacks work, are these all packets with a NEW state or will such an attack make use of an ESTABLISHED connection? – Menno Apr 01 '13 at 21:00

1 Answer


You'll need to use --sport 80, not --dport 80; the traffic is coming from a web server. But other than that, it should work, for http:// requests.

MadHatter
  • You're right, always forgetting about `source/destination`. Will give it a quick try before accepting :) – Menno Apr 01 '13 at 20:05