
Re: iptables: input / output chains ..

On Wed, 18 Apr 2001, HGS: Buchleitner Martin wrote:

> how may I set the policies?

to set the default policy of the INPUT chain, use e.g.

iptables -P INPUT DROP

This will cause any packet traversing the INPUT chain which does not
explicitly match any rule to be dropped.

> ipchains -A input -i ppp0 -p tcp -s $DNSSERVER 53 -d $IPADDR
> 1024-65535 -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp -s $DNSSERVER --sport 53 -d $IPADDR \
--dport 1024:65535 -j ACCEPT

> ipchains -A output -i ppp0 -p tcp -s $IPADDR 1024-65535 -d $DNSSERVER 53

iptables -A OUTPUT -o ppp0 -p tcp -s $IPADDR --sport 1024:65535 \
-d $DNSSERVER --dport 53 -j ACCEPT

However, if I may guess what you want to do with the above rules, you
ought to remember that firewalling is stateful in 2.4.x
kernels; therefore, if you want to allow outgoing DNS queries from your
computer to your DNS server and the related incoming answers, you should
be using something like

iptables -A OUTPUT -o ppp0 -p tcp -s $IPADDR -d $DNSSERVER --dport 53 \
-j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s $DNSSERVER --sport 53 -d $IPADDR -m state \
--state ESTABLISHED -j ACCEPT

which says: 
- allow tcp packets from any port of $IPADDR to port 53 of $DNSSERVER
going out on the ppp0 interface; 
- allow tcp packets from port 53 of $DNSSERVER to any port of $IPADDR
coming in on the ppp0 interface and belonging to an already established

In this way, your computer is able to establish a connection (the first
rule) and to receive any answers belonging to that connection (the second
rule) but you are not allowing anybody to initiate a connection to your
computer on a high port.
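As an added example (not part of the original mail), here is a small POSIX shell script that builds the stateful DNS ruleset described above. It goes slightly beyond the message by loading the rule pair for UDP as well as TCP, since DNS normally runs over UDP. The interface, addresses and the wrapper functions are assumptions: $IPT can be pointed at echo to print the rules instead of loading them, and the port_range helper converts the ipchains LOW-HIGH range notation into the LOW:HIGH form iptables expects.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed defaults: ppp0 and two
# constructed sample addresses; override them from the environment.
IPT="${IPT:-iptables}"               # set IPT=echo for a dry run
IFACE="${IFACE:-ppp0}"
IPADDR="${IPADDR:-192.0.2.10}"       # constructed sample address
DNSSERVER="${DNSSERVER:-192.0.2.53}" # constructed sample address

# ipchains wrote port ranges as LOW-HIGH; iptables wants LOW:HIGH.
port_range() {
    printf '%s\n' "${1%-*}:${1#*-}"
}

# Default-deny on INPUT: anything not explicitly accepted below is dropped.
set_default_policies() {
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
}

# First rule of the message: our own queries may leave on $IFACE
# from any source port to port 53 of the DNS server.
allow_dns_query_out() {
    proto="$1"
    "$IPT" -A OUTPUT -o "$IFACE" -p "$proto" -s "$IPADDR" \
        -d "$DNSSERVER" --dport 53 -j ACCEPT
}

# Second rule: replies from port 53 may come back in only when they belong
# to a connection we opened ourselves, so nobody can start a connection
# to a high port from the outside.
allow_dns_reply_in() {
    proto="$1"
    "$IPT" -A INPUT -i "$IFACE" -p "$proto" -s "$DNSSERVER" --sport 53 \
        -d "$IPADDR" -m state --state ESTABLISHED -j ACCEPT
}

# Load the complete ruleset: policies, then the rule pair for udp and tcp.
load_ruleset() {
    set_default_policies
    for proto in udp tcp; do
        allow_dns_query_out "$proto"
        allow_dns_reply_in "$proto"
    done
}

# Usage: ./dns-rules.sh apply   (needs root)   or   ./dns-rules.sh show
case "${1:-}" in
    apply) load_ruleset ;;
    show)  IPT=echo; load_ruleset ;;
esac
```

Running the script with show prints the six commands it would issue; apply loads them with iptables. Only ESTABLISHED is needed for the reply rule because a DNS answer is part of the same flow as the query; RELATED would only matter for protocols that open secondary connections.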



Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
