iptables configuration help
Hi, I am relatively new to Linux, sort of an off-and-on-again user. I've been using the same firewall script for a while and it seemed to work fine. Recently I decided to convert my laptop to a Linux machine, and using the same iptables script I can't seem to access the internet (wired). Apparently it has something to do with the outbound rules, because when I allow access to everything the internet works fine. I would have thought opening up port 80 would have been good enough. Can you please help me? I am running Slackware 10.1. My iptables script is below. Thanks.
#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#(2) Loopback
#Always allow loopback traffic
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
#Deny outside packets from internet which claim to be from loopback
iptables -A INPUT -j REJECT -p all -s localhost -i eth0

#(3) INPUT chain rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#TCP rules
iptables -A INPUT -p TCP -i eth0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --destination-port 80 -j ACCEPT
#UDP rules
iptables -A INPUT -p UDP -i eth0 --destination-port 53 -j ACCEPT

#(4) OUTPUT chain rules
iptables -A OUTPUT -p TCP --destination-port 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 22 -m state --state NEW -j ACCEPT
Re: iptables configuration help
Quote:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want a functional connection, append NEW to --state in the OUTPUT rule. The internet isn't only port 80, not even the web, which may use 443 (https) too. What about 25 (smtp), 110 (pop3), et cetera, and their SSL equivalents?
Hi, ah, I see. I added NEW to --state in the OUTPUT rule and it seems to work fine. However, would it be safe to allow all new, established and related outbound connections? Wouldn't it be safer to specify each and every port, or will this cause problems as well? Also, when you say loosen the loopback, I thought the IP of the local machine is always 127.0.0.1. Does this change? Do you need to specify others? Thanks.
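As an added example (not the script from the original post and not code from either poster), here is a workstation ruleset built along the lines the reply describes and answering the question the follow-up raises: ESTABLISHED,RELATED is accepted in both directions, NEW is allowed outbound only to an explicit port list rather than to everything, DNS is in that list, and loopback is accepted by interface rather than by the 127.0.0.1 address. The interface name, the port lists and the helper names gen_rules and count_rules are assumptions chosen for the example. The posted script had no outbound rule for port 53 at all, so even with 80 open, name lookups could not leave the machine.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful iptables ruleset for a
# single workstation. The interface name and the port lists are assumptions;
# adjust them for your machine.
IFACE="${IFACE:-eth0}"
# Outbound TCP ports a workstation typically needs: DNS, HTTP, HTTPS, SSH,
# SMTP, SMTPS, submission, POP3, POP3S, IMAP, IMAPS. Trim to what you use.
OUT_TCP="${OUT_TCP:-53 80 443 22 25 465 587 110 995 143 993}"
OUT_UDP="${OUT_UDP:-53 123}"     # DNS and NTP

# gen_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed (or tested) without root. Apply with: gen_rules | sh
gen_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Loopback: accept everything on lo, whatever the addresses are. Local
    # programs often talk to the machine's own eth0 address over lo, so
    # limiting this to 127.0.0.1 -> 127.0.0.1 breaks them.
    echo "iptables -A INPUT  -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Anti-spoofing: packets arriving on the wire with a loopback source.
    echo "iptables -A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP"
    # Stateful core: replies to connections this host opened (and related
    # traffic such as ICMP errors) are allowed in both directions.
    echo "iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Drop what conntrack cannot classify (e.g. a stray ACK with no session).
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Inbound: only SSH, and only as a NEW connection on the wire interface.
    # No inbound 53 or 80: this laptop serves neither DNS nor web.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Outbound: NEW connections only to the listed ports; everything else
    # falls through to the OUTPUT DROP policy.
    for p in $OUT_TCP; do
        echo "iptables -A OUTPUT -o $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        echo "iptables -A OUTPUT -o $IFACE -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Let ping out, and log (rate limited) whatever the policies are about to
    # drop, so a port missing from the allowlist shows up in the system log.
    echo "iptables -A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"OUTPUT drop: \""
    echo "iptables -A INPUT  -m limit --limit 5/min -j LOG --log-prefix \"INPUT drop: \""
}

# count_rules <extended regex>: how many generated rules match the pattern.
# Used to sanity-check the ruleset before applying it.
count_rules() {
    gen_rules | grep -Ec -- "$1" || true
}

# With no argument just print the ruleset; with "apply", run it (needs root).
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
fi
```

Run `sh firewall.sh` to review the generated commands and `sh firewall.sh apply` as root to load them. The per-port allowlist is the stricter of the two options the follow-up asks about: it does not open all NEW outbound traffic, and the cost is that every new service has to be added to OUT_TCP or OUT_UDP. The LOG rule at the end of OUTPUT is what makes that manageable, because the dropped packet's destination port appears in the log.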