[sf-lug] iptables.
Jason Corcoran
jason at jcorcoran.net
Mon Jan 26 17:39:00 PST 2009
I have an Ubuntu Hardy installation. Most things are up to date on the machine.
I was wondering about iptables. I have allowed access into the box for all the
services I am interested in (ssh, imaps, www, smtp and DNS). I was wondering
what rule will allow all connections from the box to the outside.
When I try the iptables-restore with the information below, I cannot ping off
the box. I thought by default that it was only incoming connections that are
restricted and I should be able to ping etc. off the box. I have googled and
I am not seeing the solution. Any pointers would be gratefully received.
Thanks,
Jason.
Script that is passed to iptables-restore ->
# Generated by iptables-save v1.3.8 on Fri Jan 23 16:08:03 2009
*raw
:PREROUTING ACCEPT [2024:583729]
:OUTPUT ACCEPT [1782:128780]
COMMIT
# Completed on Fri Jan 23 16:08:03 2009
# Generated by iptables-save v1.3.8 on Fri Jan 23 16:08:03 2009
*nat
:PREROUTING ACCEPT [244:71022]
:POSTROUTING ACCEPT [716:42490]
:OUTPUT ACCEPT [716:42490]
COMMIT
# Completed on Fri Jan 23 16:08:03 2009
# Generated by iptables-save v1.3.8 on Fri Jan 23 16:08:03 2009
*mangle
:PREROUTING ACCEPT [2024:583729]
:INPUT ACCEPT [1866:529061]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1782:128780]
:POSTROUTING ACCEPT [1782:128780]
COMMIT
# Completed on Fri Jan 23 16:08:03 2009
# Generated by iptables-save v1.3.8 on Fri Jan 23 16:08:03 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1782:128780]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport ssh -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport ssh -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport www -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport www -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport smtp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport imap -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport imap -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport imaps -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport imaps -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport webmin -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport webmin -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport mysql -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport mysql -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp -j ACCEPT
COMMIT
--
Jason.
E: jason at jcorcoran.net
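Editor's note with an added example (this is not code from Jason's post, nor anything Ubuntu ships). The outbound side of the posted ruleset was never the problem: the OUTPUT policy is ACCEPT, so every packet the box originates already leaves. What breaks ping and DNS lookups is the INPUT chain. Every ESTABLISHED,RELATED rule in it is tied to a TCP or UDP destination port, so an ICMP echo reply, or a DNS answer (which arrives with source port 53 and a random destination port), matches none of them and falls through to the final `-A INPUT -j DROP`. A single protocol-independent `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule near the top of INPUT fixes that, after which each inbound service needs only its NEW rule. Two other things visible in the posted table: smtp has no NEW rule, so inbound mail is blocked as well, and imap, webmin and mysql are opened although they are not in the stated list of wanted services. The script below holds a corrected *filter table limited to the stated services (service names are assumed to resolve via /etc/services exactly as in the posted file; add NEW rules for the others only if they are really meant to be reachable from outside) plus `lint_input_chain`, a small awk check that flags a filter table whose INPUT chain drops unmatched traffic without a generic ESTABLISHED,RELATED accept above the drop. The abbreviated copy of the posted table inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post.
#  1. posted_filter: abbreviated, constructed copy of the posted *filter table
#     (ssh and DNS rules only) so the lint can be shown offline.
#  2. corrected_filter: the same table with one generic conntrack rule.
#  3. lint_input_chain FILE: 0 if INPUT accepts ESTABLISHED,RELATED for every
#     protocol before anything that would drop replies, 1 otherwise.

posted_filter() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport ssh -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport ssh -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp -j ACCEPT
COMMIT
EOF
}

# Corrected table. The generic ESTABLISHED,RELATED rule replaces every per-port
# one; replies to the box's own pings, DNS queries and TCP connections now match
# it. A DROP policy is used instead of a terminal "-A INPUT -j DROP" so that a
# rule appended later is not dead code below a catch-all. smtp gets the NEW rule
# the posted set lacked. The OUTPUT rule is gone: with policy ACCEPT it did nothing.
corrected_filter() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport www -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport smtp -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport imaps -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Lint an iptables-save style file. "Generic" means an ACCEPT rule that matches
# ESTABLISHED (state or conntrack syntax) with no -p and no --dport restriction.
# "Drop" means an unconditional "-A INPUT -j DROP/REJECT" rule or a DROP policy.
lint_input_chain() {
    awk '
        /^\*/                 { table = substr($0, 2); next }
        table != "filter"     { next }
        /^:INPUT DROP/        { policy_drop = 1; next }
        /^-A INPUT / {
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 !~ / -p / &&
                $0 !~ /--dport/ && $0 ~ /-j ACCEPT$/)
                generic = 1
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)/ && !generic)
                bad = 1
        }
        END { if (policy_drop && !generic) bad = 1; exit bad ? 1 : 0 }
    ' "$1"
}

# Demonstration: run the lint over both tables.
tmp=$(mktemp)
for f in posted_filter corrected_filter; do
    "$f" > "$tmp"
    if lint_input_chain "$tmp"; then
        echo "$f: replies to outbound traffic are accepted"
    else
        echo "$f: INPUT drops replies to outbound traffic (ping and DNS lookups fail)"
    fi
done
rm -f "$tmp"
```

To check a live box rather than a file, feed the lint the current ruleset with `iptables-save > /tmp/rules && sh -c '. ./lint.sh; lint_input_chain /tmp/rules'` (assumed file name), and load the corrected table only after reviewing it with `iptables-restore`, ideally from a console session in case ssh access is cut.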