iptables - default output policy
Below is my firewall script for a host with only ports 22, 80 and 443 open. However, I can't seem to get this to work without setting the default OUTPUT policy to ACCEPT. I would rather not allow all traffic out, but need to be able to serve pages as well as browse using lynx. Can someone shed some wisdom on this...
#!/bin/sh
# Load modules for FTP connection tracking and NAT
modprobe ip_conntrack_ftp
modprobe iptable_nat
# Initialize all the chains by removing all rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Delete any user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# Set default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Accept internally-requested input
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept user-specified traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
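The reason the script above only works with `OUTPUT ACCEPT` is that it has no OUTPUT rules beyond loopback: with the policy set to DROP, the web server's replies to inbound 80/443 connections and every packet lynx sends out are discarded. Below is an added, egress-filtered variant (example code written for this answer, not the poster's script) that keeps all three default policies at DROP, allows stateful replies in both directions, and opens only the outbound ports a text browser needs (DNS plus HTTP/HTTPS). The `IPT` variable and the `apply` argument are conventions of this example: run it as `sh script.sh apply` as root to load the rules, or without the argument to print them for review.

```shell
#!/bin/sh
# Added example: default-DROP in all directions with explicit egress rules.
# IPT selects the command used for each rule; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"

egress_rules() {
    # Start from empty tables, as the poster's script does
    $IPT --flush
    $IPT -t nat --flush
    $IPT -t mangle --flush
    $IPT --delete-chain
    $IPT -t nat --delete-chain
    $IPT -t mangle --delete-chain

    # Default deny in every direction, including OUTPUT
    $IPT --policy INPUT DROP
    $IPT --policy OUTPUT DROP
    $IPT --policy FORWARD DROP

    # Loopback is unrestricted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful replies. The OUTPUT rule is what the original script lacks:
    # without it, responses to accepted inbound connections are dropped.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services: only new connections to the three served ports
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Outbound: what lynx needs. Name resolution first, then web traffic.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Rate-limited log of everything else that OUTPUT drops, so a missing
    # egress rule (e.g. NTP, SMTP) shows up in the kernel log instead of
    # silently hanging the client.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Apply only when explicitly asked; otherwise print the rules for review.
case "$1" in
    apply) egress_rules ;;
    *)     IPT=echo egress_rules ;;
esac
```

If something still fails after this, `dmesg | grep OUT-DROP` shows the exact destination port that was blocked, which is a better guide than reopening all egress.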