Iptables – How to drop inbound traffic to port 80 (HTTP) from source ports below 1024

I'm trying to make a simple restriction on www packets under two rules:

1. Allow inbound/outbound www packets. (This works.)
2. Drop inbound traffic to port 80 from source ports below 1024. (This does not work.)

Now, technically, when I use hping to test my rules,

hping3 192.168.100.100 -S -p80 -s 1023

I should not receive any packets. However, I still receive packets, which means that my rule about dropping packets from ports below 1024 does not work.

Does anyone know why?

This is my iptables rules in shell-script so far:

##!/bin/sh
INTERNET=eth0

SERVER_IP="192.168.7.100"

ALLOWED_WWW_PORT=80

IPT="/sbin/iptables"

clear
# Flushing all rules
$IPT -F
$IPT -X


# DROP all incomming traffic

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP


# Drop inbound traffic to port 80(http) from source ports less than 1024

$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 --sport 0:1023 -d $SERVER_IP --dport 80 -j DROP



# Permit inbound www(80) packets.

$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 -d $SERVER_IP --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -o $INTERNET -s $SERVER_IP --sport 80 -d 0/0 -m state --state ESTABLISHED -j ACCEPT


# Permit outbound www(80) packets.

$IPT -A OUTPUT -p tcp -o $INTERNET -s $SERVER_IP -d 0/0 --dport $ALLOWED_WWW_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -i $INTERNET -s 0/0 --sport $ALLOWED_WWW_PORT -d $SERVER_IP -m state --state ESTABLISHED -j ACCEPT



# Log and drop all other packets to file /var/log/messages
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

# make sure nothing comes or goes out of this box
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# save, restart, and check the iptables

service iptables save

service iptables restart

iptables -L -n -v -x

When I run my shell script, here's the Chain INPUT result:

Chain INPUT (policy DROP 0 packets, 0 bytes)

    pkts      bytes target     prot opt in     out     source               destination         

       0        0 DROP       tcp  --  eth0   *       0.0.0.0/0            192.168.7.100       tcp spts:0:1023 dpt:80 

       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.7.100       tcp dpt:80 state NEW,ESTABLISHED 

       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.7.100       tcp spt:80 state ESTABLISHED 

What is the correct way to use hping to test my rule from another machine?

Here's my packets result:

[root@daniel-laptop ~]# hping2 192.168.7.100 -S -p 80 -s 1023

HPING 192.168.7.100 (eth0 192.168.7.100): S set, 40 headers + 0 data bytes

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=1 win=0 rtt=0.5 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=2 win=0 rtt=0.3 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=3 win=0 rtt=0.4 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=4 win=0 rtt=0.5 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=5 win=0 rtt=0.5 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=6 win=0 rtt=0.3 ms

len=46 ip=192.168.7.100 ttl=64 DF id=0 sport=80 flags=RA seq=7 win=0 rtt=0.4 ms

^C

--- 192.168.7.100 hping statistic ---

8 packets tramitted, 7 packets received, 13% packet loss

round-trip min/avg/max = 0.3/0.4/0.5 ms

[root@daniel-laptop ~]#