iptables problem

Aleksandar Milivojevic alex at milivojevic.org
Wed Dec 20 17:15:33 UTC 2006


Quoting Lord of Gore <lordofgore at logsoftgrup.ro>:

[ deleted some good advice ]

Actually, if you look at his rules, he was configuring a system
that allows outgoing connections to a limited set of services and
accepts incoming connections only on port 25 (SMTP).  The system
also seems to be a DHCP client.  Or at least that was the way he
attempted to construct his firewall rules.  Unless he got everything
totally messed up.

Something like this.  Again, not a tutorial, just an example that could
be closed down a bit more than it is now.

# define filter table and set default policy to DROP in all chains
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# some generic stuff, no need to go wild with RELATED
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# this could be closed down a bit to allow only unreachable and ttl exceeded
-A INPUT -p icmp -m state --state RELATED -j ACCEPT

# smtp service running on this host
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# accept DHCP replies, assuming IP address of DHCP server is known
# and we always get address on fixed network.  replace dhcp-server
# and local-network with appropriate IP addresses
-A INPUT -p udp --sport 67 --dport 68 -s dhcp-server-ip -d local-network -j ACCEPT

# log
-A INPUT -j LOG --log-prefix "INPUT "

# unless this host is router, no rules in FORWARD chain
# other than logging
-A FORWARD -j LOG --log-prefix "FORWARD "

# again some generic stuff
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# allow this host to access these services, and nothing else
-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

# Allow this system to request and renew its IP address, this
# could be closed down a bit more, but not much gain in doing it
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# log the rest
-A OUTPUT -j LOG --log-prefix "OUTPUT "

# iptables-restore only loads the table once it sees COMMIT
COMMIT
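A small checker, added here as an example and not part of the original post, that parses an iptables-restore ruleset of the shape above and reports where it departs from the stated policy (DROP defaults, only SMTP and DHCP replies inbound, only HTTP/HTTPS/DNS/SMTP and DHCP requests outbound, a COMMIT line present). The allowed-port sets and the sample rulesets are constructed for the example.

```python
import shlex
# Policy the post describes: inbound SMTP (+DHCP replies); outbound HTTP, HTTPS, DNS, SMTP (+DHCP).
ALLOWED_IN = {("tcp", 25), ("udp", 68)}
ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53), ("tcp", 25), ("udp", 67)}

def parse_ruleset(text):
    """Parse iptables-restore text into (chain policies, rules, saw COMMIT)."""
    policies, rules, committed = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*":  # skip comments and table headers
            continue
        if line == "COMMIT":
            committed = True
        elif line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            argv = shlex.split(line)  # honours the quoted --log-prefix value
            opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i].startswith("-")}
            rules.append({"chain": opts.get("-A"), "proto": opts.get("-p"),
                          "dport": opts.get("--dport"), "target": opts.get("-j")})
    return policies, rules, committed

def check(text, allowed_in=ALLOWED_IN, allowed_out=ALLOWED_OUT):
    """Return findings; an empty list means the ruleset matches the stated policy."""
    policies, rules, committed = parse_ruleset(text)
    findings = [] if committed else ["no COMMIT line: iptables-restore will not load the table"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        if r["target"] == "ACCEPT" and r["dport"] is not None:  # state/ICMP/LOG rules open no port
            allowed = allowed_in if r["chain"] == "INPUT" else allowed_out
            if (r["proto"], int(r["dport"])) not in allowed:
                findings.append(f"{r['chain']} accepts {r['proto']}/{r['dport']}, not in policy")
    return findings

# Constructed sample in the shape of the post's rules (not its full ruleset).
GOOD = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT "
-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
COMMIT
"""
# Same rules with three defects a reviewer should catch: ACCEPT policy, ssh opened, no COMMIT.
BAD = GOOD.replace(":INPUT DROP", ":INPUT ACCEPT").replace("COMMIT\n", "-A INPUT -p tcp --dport 22 -j ACCEPT\n")
```

Run it against the real file before loading it with iptables-restore; an empty list from check() means the rules say what the policy says.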

More information about the redhat-list mailing list