freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Redundant iptables rules? #1236

Open thusoy opened 8 years ago

thusoy commented 8 years ago

Looking over the iptables ruleset it seems that this rule on line 24: -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow traffic back for tor" shadows the later rules on line 66 and line 89:

-A INPUT -p tcp --match multiport --sports 80,8080,443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates"
-A INPUT -p tcp --sport {{ smtp_relay_port }} -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"

I haven't configured a local install for testing, but I would guess that the latter rules are never hit?

singuliere commented 6 years ago

I confirm that running a staging app server and removing iptables -D INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT does not impact apt-get update. It shadows all --state ESTABLISHED,RELATED INPUT rules.
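A small shadowing check, added here as an example and not part of SecureDrop's code, that models iptables' first-match evaluation over a constructed copy of the rules quoted in the issue (the `{{ smtp_relay_port }}` template variable is assumed to be 25). A later rule is reported as shadowed when an earlier rule in the same chain has a terminating target and matches a superset of its packets:

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

# Constructed sample in iptables-save syntax; mirrors the rules quoted above, smtp_relay_port assumed 25.
SAMPLE_RULES = """
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow traffic back for tor"
-A INPUT -p tcp --match multiport --sports 80,8080,443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates"
-A INPUT -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"
-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "dns replies"
"""

def parse_rule(line):
    """Parse one -A line into a dict; a match field of None means 'any value'."""
    rule = {"chain": None, "target": None, "comment": "", "proto": None, "sports": None, "states": None}
    toks = shlex.split(line)
    for flag, arg in zip(toks, toks[1:]):  # every flag handled here takes exactly one argument
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-p":
            rule["proto"] = {arg}
        elif flag in ("--sport", "--sports"):
            rule["sports"] = set(arg.split(","))
        elif flag == "--state":
            rule["states"] = set(arg.split(","))
        elif flag == "-j":
            rule["target"] = arg
        elif flag == "--comment":
            rule["comment"] = arg
    return rule

def covers(broad, narrow):
    """True when every packet that matches `narrow` also matches `broad`."""
    return all(broad[k] is None or (narrow[k] is not None and narrow[k] <= broad[k])
               for k in ("proto", "sports", "states"))

def shadowed_rules(text):
    """Return (shadowed comment, shadowing comment) pairs for rules no packet can reach."""
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:  # only rules evaluated before `later` can shadow it
            if (earlier["chain"] == later["chain"] and earlier["target"] in TERMINATING
                    and covers(earlier, later)):
                found.append((later["comment"], earlier["comment"]))
                break
    return found

if __name__ == "__main__":
    for shadowed, by in shadowed_rules(SAMPLE_RULES):
        print(f'"{shadowed}" can never match: shadowed by "{by}"')
```

The udp/DNS rule is reported as live because the broad rule is restricted to tcp; both tcp rules are flagged, matching what was observed on the staging server.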