I want to have this script run at startup and add these rules to iptables. But do I have to flush all chains first? Or will this work OK as it is?
My virtual machine software places a bunch of rules in there and I didn't want it to conflict with that. I'm not sure what all the processes are that the VM uses, so it's kind of difficult to whitelist them.
Any ideas/suggestions? Should I try to whitelist the VM?
#!/bin/sh
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!
# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# Note: the INPUT --sport matches below trust the remote port number alone;
# a stateful rule (-m state --state ESTABLISHED,RELATED) would be tighter.
# accept localhost traffic
iptables -A INPUT -i lo -j ACCEPT
# accept dns tcp
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https (88 is Kerberos, not http; remove it if unused)
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail TLS outbound (submission)
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# mail SSL outbound (pop3s)
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
WHTPROC="wprocessname1 wprocessname2"
for whtproc in $WHTPROC; do
    # pgrep matches on the process name, so unlike "ps aux | grep" it never
    # matches its own command line; -o picks the oldest instance, -x is exact
    pid=$(pgrep -o -x "$whtproc") || continue
    # --pid-owner needs the old ipt_owner match: kernels 2.6.14 and later
    # dropped it (only --uid-owner/--gid-owner remain), and a PID changes
    # every time the program restarts, so the rule goes stale
    iptables -A OUTPUT -p tcp -m owner --pid-owner "$pid" -j ACCEPT
    iptables -A OUTPUT -p udp -m owner --pid-owner "$pid" -j ACCEPT
done
# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Well, it doesn't look like it would conflict, except for the default drops at the bottom, but you've not said anything about what distro / firewall system you're currently using. It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
Again, it depends how these rules are being implemented, so again it can depend on what distro and firewall mechanism you are using. Is it a secret??
In your specific example, you have a NAT operation and a filter operation, so they wouldn't directly conflict, as POSTROUTING is always done after OUTPUT. Of course a catch-all DROP in OUTPUT would mean anything not explicitly passed already would never hit POSTROUTING and the rest of the world.
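The point about the catch-all drops at the bottom can be checked offline before the script is wired into startup. This is an added example, not code from the thread: it parses an iptables-save dump (a constructed one here, with a made-up VM interface and subnet) and lists the rules that were appended after an unconditional DROP or ACCEPT in the same chain, which iptables never evaluates; has_rule is an offline stand-in for `iptables -C`, the check to run before adding a rule instead of flushing everything.

```python
"""Spot iptables rules that an earlier catch-all rule in the same chain makes
unreachable. Works on `iptables-save` text, so it never touches the live ruleset."""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: the whitelist script ran at boot and ended with its
# catch-all drops, then the VM software appended its own rules (the vboxnet0
# interface and the 192.168.56.0/24 subnet are made-up values).
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
-A OUTPUT -o vboxnet0 -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, rule) for every '-A' line, in ruleset order."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):        # '*filter' / '*nat' starts a table
            table = line[1:]
        elif line.startswith("-A "):    # '-A CHAIN ...' is an appended rule
            yield table, line.split()[1], line

def is_catch_all(rule):
    """True for a rule with no match options and a terminal target, e.g. '-A OUTPUT -j DROP'."""
    parts = rule.split()
    return len(parts) == 4 and parts[2] == "-j" and parts[3] in TERMINAL_TARGETS

def shadowed_rules(dump):
    """Return rules that sit after a catch-all rule in the same table and chain."""
    blocked, dead = set(), []
    for table, chain, rule in parse_rules(dump):
        if (table, chain) in blocked:
            dead.append(rule)
        elif is_catch_all(rule):
            blocked.add((table, chain))
    return dead

def has_rule(dump, table, rule):
    """Offline stand-in for 'iptables -t TABLE -C ...'; write the rule as iptables-save prints it."""
    return any(t == table and r == rule.strip() for t, _, r in parse_rules(dump))
```

Run it against a real dump with `iptables-save > rules.txt` and pass the file contents to shadowed_rules; anything it lists is a rule the VM (or you) added that the earlier DROP silently disables.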