First, a few clarifications.
For starters, SuSEfirewall2 is nothing more than a script which runs
various iptables commands when it runs, and those are based on settings
you specify in Yast. This seems to be a common confusion but it’s worth
pointing out.
Second, iptables, or NetFilter, is just a command to configure the
“firewall” which is, as I understand it, part of the kernel. The state
of the firewall is modified with every command sent to it so the
SuSEfirewall2 script just modifies that state a few dozen times in a row
where your own customization makes however many modifications you have
programmed in to set up the state as you wish it to be.
So on to the issue at hand… where did you see that a web server would
use a port greater than 1023? While it is possible that a web server
could run on any port, the default HTTP port is 80, and HTTPS is 443. Tomcat
often uses ports 8080 and 8443 by default, but it’s not just a web server
so I’m guessing you’re not referring to that. If you are using
something like Apache you should be opening port 80 with something like
the following commands:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
The former allows inbound data to the web server (on port 80) and the
latter allows an ESTABLISHED connection on any port to be maintained,
though not specifically for port 80.
Good luck.
ThuggLife wrote:
> hi, this is my first post, good to be here.
>
> So I’m running SuSE enterprise edition and I want to create my own
> firewall. Suse comes with a program called ‘SuSEfirewall2’ that boots at
> runlevels 3 and 5. I’m definitely a Linux noob, but I successfully
> disabled SuSEfirewall2 and I’m using iptables instead.
>
> I have played around with iptables a bit and I made minimal progress,
> but have learned a lot.
> I want the INPUT chain in the ‘filter’ table to have a default policy
> of DROP, which is the cause of my problems.
>
> I want the computer to be able to surf the web so I added
>
> iptables -A INPUT -p tcp -s 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>
> This line is supposed to accept all tcp packets from any source,
> destined for all ports from 1024 → 65535, where a connection has
> already been established.
>
> The idea was that the host running this rule will be able to receive
> tcp packets on the specified ports, but intruders won’t be able to
> connect to these ports because the host has to be the one who
> established a connection (I hope that made sense).
>
> I’m under the assumption that the packets from webservers come in on
> ports 1024 to 65535. I’m not 100% sure about this but that is what I
> found searching Google.
>
>
> As usual this didn’t work, the code “compiled” or whatever, but I still
> can’t receive webpages. If anyone could help me get a working rule to
> accomplish this task I would greatly appreciate it.
>
>
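A minimal stateful ruleset that does what the question asks (INPUT policy DROP while the host can still browse) and can also open port 80 the way the reply does, added here as an example and not taken from the thread; it accepts ESTABLISHED,RELATED for every protocol so UDP DNS replies are not dropped along with everything else. It assumes a Linux host with iptables and the state match, and the function names, the client/server argument and the APPLY variable are my own choices.

```shell
#!/bin/sh
# Added example: stateful iptables policy for a host that must browse the web
# (INPUT default DROP) and, optionally, serve HTTP on port 80.
# Commands are printed for review; run with APPLY=1 as root to execute them.

# Print the iptables commands that build the ruleset. $1 is "server" to also
# open port 80 for an Apache-style web server; anything else is client-only.
firewall_rules() {
    role="${1:-client}"
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Local processes talk to each other over lo; DROP on INPUT would break them.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, for every protocol: this is what
# lets DNS (UDP) answers and TCP web responses back in without opening ports.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Brand-new inbound connections are dropped by the policy unless listed below.
EOF
    if [ "$role" = "server" ]; then
        # The rule from the reply above: accept new connections to port 80.
        echo 'iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT'
    fi
    # Log a rate-limited sample of what the policy drops so mistakes are visible.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "'
}

# Count the rules that admit NEW inbound connections (a quick exposure audit).
count_open_ports() {
    firewall_rules "$1" | grep -c -- '--state NEW -j ACCEPT' || true
}

if [ "${APPLY:-0}" = "1" ]; then
    firewall_rules "$1" | grep -v '^#' | sh -e
else
    firewall_rules "$1"
fi
```

Check the printed output first; `count_open_ports server` should report exactly one rule admitting new connections, and `count_open_ports client` none.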