iptables rule issue


The internal network is 192.168.0.0/24, and the goal is to block outbound TCP connections from it to ports 2000-20000.
The rule below looks correct, but strictly speaking it is flawed:
iptables -A FORWARD -p tcp --dport 2000:20000 -j DROP

Why?
Because it can also drop the reply packets of a legitimate connection. Take a connection with sport 3000 and dport 80:
the outgoing packet gets through, but the reply never comes back, because the reply carries dport 3000, which falls inside 2000:20000 and matches the rule above.
The correct form restricts the rule to traffic whose source is the internal network:
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2000:20000 -j DROP

One caveat remains even with the source restriction: a reply sent by an internal host is still matched when the connection was opened from outside and the external client's source port happens to fall in 2000-20000 (the reply is then sourced from 192.168.0.0/24 with that port as dport). If the firewall forwards inbound connections to internal servers, accept ESTABLISHED,RELATED traffic with the conntrack state match before this DROP rule, so that only new connections are judged by the port range.
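The following is an added example, not code from the original post. It simulates how netfilter walks the FORWARD chain for the two rules above, plus a third variant (an assumption, not something the post proposes) that accepts established traffic first. It models only the matches involved (-s, -p tcp, --dport a:b and the conntrack state match), and all addresses and flows are constructed; 203.0.113.0/24 is documentation address space standing in for the Internet side.

```python
"""
Simulation of how netfilter evaluates the FORWARD rules discussed above.
Added example, not code from the original post. It models only the matches
the post uses (-s, -p tcp, --dport a:b) plus the conntrack state match, and
every address and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                               # -j ACCEPT / -j DROP
    src_net: Optional[str] = None             # -s 192.168.0.0/24
    proto: Optional[str] = None               # -p tcp
    dport: Optional[Tuple[int, int]] = None   # --dport 2000:20000
    ctstate: Optional[FrozenSet[str]] = None  # -m conntrack --ctstate ...


Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def ct_state(pkt: Packet, conntrack: Set[Flow]) -> str:
    """NEW if neither direction of this 4-tuple has been seen yet, else ESTABLISHED."""
    fwd: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ESTABLISHED" if fwd in conntrack or rev in conntrack else "NEW"


def matches(rule: Rule, pkt: Packet, state: str) -> bool:
    """All matches on a rule must hold, like the implicit AND in an iptables rule."""
    if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.ctstate is not None and state not in rule.ctstate:
        return False
    return True


def forward(chain: List[Rule], pkt: Packet, conntrack: Set[Flow], policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies.
    Only accepted packets confirm a conntrack entry (a dropped SYN leaves no state)."""
    state = ct_state(pkt, conntrack)
    verdict = policy
    for rule in chain:
        if matches(rule, pkt, state):
            verdict = rule.target
            break
    if verdict == "ACCEPT":
        conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return verdict


# The post's first rule:     iptables -A FORWARD -p tcp --dport 2000:20000 -j DROP
UNSCOPED = [Rule("DROP", proto="tcp", dport=(2000, 20000))]

# The post's corrected rule: iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2000:20000 -j DROP
SCOPED = [Rule("DROP", src_net="192.168.0.0/24", proto="tcp", dport=(2000, 20000))]

# Variant (assumption, not from the post): accept reply traffic before the DROP, as in
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
CONNTRACK_FIRST = [Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"}))] + SCOPED


def run_flows(chain: List[Rule]) -> Dict[str, str]:
    """Push constructed sample traffic through a chain and collect the verdicts."""
    conntrack: Set[Flow] = set()
    verdicts: Dict[str, str] = {}
    inside, outside, server = "192.168.0.10", "203.0.113.5", "192.168.0.20"
    # 1. The post's case: internal host with sport 3000 talking to an external web server.
    verdicts["web out"] = forward(chain, Packet(inside, outside, 3000, 80), conntrack)
    verdicts["web reply"] = forward(chain, Packet(outside, inside, 80, 3000), conntrack)
    # 2. Traffic the policy is meant to stop: internal host to external port 5000.
    verdicts["blocked out"] = forward(chain, Packet(inside, outside, 40000, 5000), conntrack)
    # 3. External client using sport 5000 reaching an internal server, and that server's reply.
    verdicts["inbound"] = forward(chain, Packet(outside, server, 5000, 80), conntrack)
    verdicts["inbound reply"] = forward(chain, Packet(server, outside, 80, 5000), conntrack)
    return verdicts


if __name__ == "__main__":
    for name, chain in (("unscoped", UNSCOPED), ("scoped", SCOPED), ("conntrack first", CONNTRACK_FIRST)):
        print(f"{name:16s} {run_flows(chain)}")
```

Running it shows the three outcomes in one table: the unscoped rule drops the web reply (dport 3000 is in range), the scoped rule lets it through, and both still drop the genuinely unwanted connection to port 5000. The third flow is the residual case the scoped rule does not cover: the internal server's reply to an external client whose source port is 5000 is dropped by the scoped rule and accepted only when an ESTABLISHED,RELATED accept precedes it. The simulation confirms conntrack state only for accepted packets; real netfilter creates the entry on the first packet and confirms it at the end of the hook unless the packet is dropped, which gives the same verdicts here.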



About this Entry

This page contains a single entry by Pank published on June 7, 2004 9:48 AM.
