Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
SDN 101: An Introduction to Software Defined Networking
Discover the advantages of SDN.
SDN has quickly become one of the hottest trends in IT. But not all SDN solutions offer real software-defined functionality. As more enterprises consider SDN, they want to know, “What is SDN? And what are the real benefits?” If you're ready to explore the advantages of SDN, and want to know how it should be implemented within your enterprise, start by reading our introductory white paper.
Click Here to receive this Complete Guide absolutely free.
I want to have this script run at start up and add these rules to iptables. But, do I have to flush all chains first? Or will this work ok, how it is?
My virtual machine software places a bunch of rules in there and I didn't want it to conflict with that. I'm not sure what all the processes are that the vm uses, so kind of difficult to whitelist that.
Any ideas/suggestions? Should I try to whitelist the vm?
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!
# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# accept localhost traffic
iptables -A INPUT -i lo -j ACCEPT
# accept dns tcp
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail tsl outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# mail ssl outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
for whtproc in $WHTPROC
pid=`ps aux | grep $whtproc | head -n 1 | cut -b 10-14`
iptables -A OUTPUT -p tcp -m owner --pid-owner $pid -j ACCEPT
iptables -A OUTPUT -p udp -m owner --pid-owner $pid -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
well it doesn't look like it would conflict, expect the default drops at the bottom, but you've not said anything about what distro / firewall system you're currently using. it's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a redhat / fedora system.
Again, it depends how these rules are being implemented, so again can depend on what distro and firewall mechanism you are using. is it a secret??
in your specific example, you have a nat operation and a filter operation, so they wouldn't directly conflict as POSTROUTING is always done after OUTPUT. Of course a catchall DROP in OUTPUT would mean nothing explicitly passed already would never hit POSTROUTING and the rest of the world.