PLEX86  x86- Virtual Machine (VM) Program

iptables disables outbound traffic

Jerry Sievers

Those rules seem a bit lax to me, but they may be better than the default firewall that comes with Windows XP Home. ;-)

My policy is to drop everything: incoming, outgoing, and forwarding. Then I explicitly allow replies to stuff I send out, and stuff from my own machine (i.e., loopback). Then I allow spontaneous stuff from outside (i.e., from the rest of my LAN) with one set of rules, and the Internet with another set of rules. If it is not explicitly allowed, it does not go through. Then I allow stuff to go out only to a restricted set of IP addresses. This set is pretty open, but not totally. And when it is forwarding from the Windows machine, it forwards only to port 80 of a small white list of IP addresses.

It looks, in part, like this to start:

###########################################################################
#                                                                         #
#                        NOW SETUP THE FIREWALL                           #
#                                                                         #
###########################################################################

###########################################################################
#                                                                         #
#                  Clear the existing firewall rules                      #
#                                                                         #
###########################################################################
#
#
$IPT -P INPUT DROP           # Set default policy to DROP
$IPT -P OUTPUT DROP          # Set default policy to DROP
$IPT -P FORWARD DROP         # Set default policy to DROP
$IPT -F                      # Flush all chains
$IPT -X                      # Delete all userchains
#
#
for table in filter nat mangle; do
    $IPT -t $table -F        # Delete the table's rules
    $IPT -t $table -X        # Delete the table's chains
    $IPT -t $table -Z        # Zero the table's counters
done
#
#
###########################################################################

Then it does some stuff that accepts the lo stuff, and selects the specific rules for what happens next:

###########################################################################
#                                                                         #
#                         Main Firewall Rules                             #
#                                                                         #
###########################################################################
#
#
# The explicit drops here (-j DROP, -j BADINPUT, and -j BADOUTPUT)
# should be unnecessary, but are included here just in case an error
# in the other chains lets something fall through.
#
#
$IPT -A FORWARD -j SHUN
$IPT -A FORWARD -i $EXTDEV0 -j INNETWORK
$IPT -A FORWARD -i $INTDEV0 -j OUTNETWORK
$IPT -A FORWARD -i $INTDEV1 -j OUTNETWORK
$IPT -A FORWARD -j LOG --log-prefix "IPT FORWARD: " $LOGOPT
$IPT -A FORWARD -j DROP
#
#
$IPT -A INPUT -j SHUN
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j INIPCHECK
$IPT -A INPUT -j INFIREWALL
$IPT -A INPUT -j BADINPUT
#
#
$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j OUTIPCHECK
$IPT -A OUTPUT -j OUTFIREWALL
$IPT -A OUTPUT -j BADOUTPUT
#
#
###########################################################################

SHUN is a simple set of rules that drop specific IP addresses or ranges of addresses. This list of IP addresses is usually null, but if someone is attacking, their IP address can be put in and his stuff dropped until a better solution can be worked out.

EXTDEV0 is my PPP connection to the Internet. INTDEV0 is my eth0, and INTDEV1 is my eth1.

*IPCHECKs verify that the IP addresses are OK.

And so on.

Here is the beginning of INFIREWALL to give a taste...

###########################################################################
#                                                                         #
#                         INPUT TABLE CHAINS.                             #
#                                                                         #
###########################################################################
#
#
$IPT -N INFIREWALL
$IPT -A INFIREWALL -p icmp -j INFICMP
$IPT -A INFIREWALL -p tcp -j TCPFLAGS
$IPT -A INFIREWALL -p tcp --syn -j SYNFLOOD
$IPT -A INFIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INFIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#
# AOL Instant Messenger.
for sip in $EBFAIM $IBFAIM; do
    $IPT -A INFIREWALL -p tcp -m state --state NEW -s $sip --dport $TCPAIM -j ACCEPT
    $IPT -A INFIREWALL -p tcp -m state --state NEW -s $sip --dport $TCPMLTMB -j ACCEPT
done
#
#
# For IDENT (AUTH) daemon.
#
for sip in $EBFAUTH $IBFAUTH; do
    $IPT -A INFIREWALL -p tcp -m state --state NEW -s $sip --dport auth -j ACCEPT
done
#
# ... ... ...
#
# Everything else is logged and dropped.
#
$IPT -A INFIREWALL -j BADINFIREWALL
#
#

INFICMP rejects ICMP requests we do not like (i.e., from most sources). TCPFLAGS rejects invalid TCP flags. SYNFLOOD rejects floods of SYNs.

--
 .~.  Jean-David Beyer          Registered Linux User 85642.
  V   PGP-Key: 9A2FC99A         Registered Machine   241939.
^^-^^ 09:50:00 up 8 days, 2:52, 3 users, load average: 4.04, 4.15, 4.20
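The default-drop layout described in the post above (drop everything, accept loopback and replies, LAN-only spontaneous input, outbound only to a restricted set, forwarding only to port 80 of a white list, SHUN consulted first), rebuilt as one small script. This is an added example, not the poster's own script; the interface names, address ranges and white lists are constructed placeholders. It defaults to dry-run and prints the rules it would load; on current kernels `-m conntrack --ctstate` is the preferred spelling of the `-m state` matches the post uses.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interfaces, ranges and
# white lists are constructed placeholders. Default is dry-run: rules are
# printed; run with IPT=iptables (as root) to actually load them.
IPT="${IPT:-echo iptables}"
EXTDEV0="${EXTDEV0:-ppp0}"            # assumed: PPP link to the Internet
INTDEV0="${INTDEV0:-eth0}"            # assumed: LAN side
LAN="${LAN:-192.168.1.0/24}"          # constructed: the LAN behind INTDEV0
DNS="${DNS:-192.0.2.53}"              # constructed: ISP resolver
OUT_OK="${OUT_OK:-198.51.100.0/24}"   # constructed: where this host may talk
FWD_WEB="${FWD_WEB:-203.0.113.10}"    # constructed: LAN may reach port 80 here
SHUNNED="${SHUNNED:-}"                # usually empty; fill while under attack
LOGOPT="--log-level info"

build_rules() {
    # 1. Flush every table and default all three built-in chains to DROP.
    for t in filter nat mangle; do $IPT -t $t -F; $IPT -t $t -X; $IPT -t $t -Z; done
    for c in INPUT OUTPUT FORWARD; do $IPT -P $c DROP; done
    # 2. SHUN is consulted first by every chain; normally it is empty.
    $IPT -N SHUN
    for bad in $SHUNNED; do $IPT -A SHUN -s $bad -j DROP; done
    for c in INPUT OUTPUT FORWARD; do $IPT -A $c -j SHUN; done
    # 3. Loopback, then replies to connections this host or the LAN opened.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A $c -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # 4. Spontaneous inbound: only from the LAN; nothing NEW from the Internet.
    $IPT -A INPUT -i $INTDEV0 -s $LAN -m state --state NEW -j ACCEPT
    # 5. Outbound NEW only to the restricted set plus the resolver. A
    #    default-DROP OUTPUT chain with no DNS rule is the classic way to
    #    "lose" all outbound traffic while every rule looks right.
    $IPT -A OUTPUT -o $EXTDEV0 -p udp -d $DNS --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o $EXTDEV0 -d $OUT_OK -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o $INTDEV0 -d $LAN -m state --state NEW -j ACCEPT
    # 6. Forwarding for LAN hosts: only TCP/80 to the white list.
    for w in $FWD_WEB; do
        $IPT -A FORWARD -i $INTDEV0 -o $EXTDEV0 -p tcp -d $w --dport 80 \
             -m state --state NEW -j ACCEPT
    done
    # 7. Everything else is logged, then dropped (the policy would drop it anyway).
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A $c -j LOG --log-prefix "IPT $c: " $LOGOPT
        $IPT -A $c -j DROP
    done
}

build_rules
```

Reviewing the printed rule list before loading it is the cheap way to catch a missing allow rule, since with all three policies at DROP anything not listed simply disappears.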
