LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-08-2004, 06:02 PM   #1
ridertech
Member
 
Registered: Dec 2003
Location: Seattle, Washington
Distribution: Debian 'Sarge'
Posts: 85

Rep: Reputation: 15
iptables - default output policy


Below is my firewall script for a host with only ports 22, 80 and 443 open. However, I can't seem to get this to work without setting the default OUTPUT policy to ACCEPT. I would rather not allow all traffic out, but need to be able to serve pages as well as browse using lynx. Can someone shed some wisdom on this...


#!/bin/sh

# Load modules for FTP connection tracking and NAT
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Delete any user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Set default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Accept internally-requested input
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
Old 05-08-2004, 07:37 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
You need to allow your data to be sent from the server. OUTPUT blocked results in your data dropped. You can allow OUTPUT on higher ports (>1024) - you'l need to for updates or add a line for ESTABILISHED, RELATED as you have the INPUT one.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables DEFAULT POLICY lappen Linux - Newbie 8 02-23-2011 04:55 AM
Samba System Policy, Default User Policy scooter549 Linux - General 2 02-24-2009 03:23 AM
security policy iptables Ammad Linux - Security 2 11-14-2005 07:15 AM
iptables: Bad policy name rioguia Linux - Security 10 01-10-2003 12:21 AM
WU-FTPD and IPTABLES DROP Policy Cpare Linux - Networking 0 10-23-2001 10:19 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 06:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration