Redundant iptables rules? #1236

thusoy · 2015-12-29T15:19:00Z

Looking over the iptables ruleset it seems that this rule on line 24:
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow traffic back for tor"
shadows the later rules on line 66 and line 89:

-A INPUT -p tcp --match multiport --sports 80,8080,443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates"
-A INPUT -p tcp --sport {{ smtp_relay_port }} -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"

I haven't configured a local install for testing, but I would guess that the latter rules are never hit?

The text was updated successfully, but these errors were encountered:

singuliere · 2018-02-27T10:58:45Z

I confirm that running a staging app server and removing iptables -D INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT does not inpact apt-get update. It shadows all --state ESTABLISHED,RELATED INPUT rules.

ghost added bug security labels Dec 7, 2017

singuliere mentioned this issue Feb 27, 2018

group and simplify iptables INPUT rules #3072

Closed

3 tasks

eloquence added this to the Long Term Product Backlog milestone Jul 31, 2018

eloquence mentioned this issue Dec 2, 2020

Support for Ubuntu 20.04 (Focal) #4768

Closed

53 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Redundant iptables rules? #1236

Redundant iptables rules? #1236

thusoy commented Dec 29, 2015

singuliere commented Feb 27, 2018

Redundant iptables rules? #1236

Redundant iptables rules? #1236

Comments

thusoy commented Dec 29, 2015

singuliere commented Feb 27, 2018