
Re: simple iptables rules



hi,

On Thu, 9 Oct 2003 17:02:04 +1000
Tarragon Allen <tarragon@onthe.net.au> wrote:

> On Thursday 09 October 2003 16:33, Léon Hagenaars wrote:
> > Thursday, October 9, 2003, 3:33:53 AM, Tarragon Allen wrote:
> >
> > TA> On Thursday 09 October 2003 01:09, Tiago Fernandes wrote:
> > >> hi,
> > >>
> > >> i think that this should do the trick for you
> > >>
> > >> iptables -F
> > >> iptables -P INPUT DROP
> > >> iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
> > >> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >>   # or use -s external_ip in place of -i ppp0
> > >>
> > >> all packets related to sent packets should be accepted.
> >
> > TA> You might need to add this as well :
> >
> > TA> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > TA> t
> > TA> --
> > TA> GPG: http://n12turbo.com/tarragon/public.key
> >
> > I don't think the "iptables -A OUTPUT" line is needed, as the default policy
> > is ACCEPT and I don't see that anything has changed in the OUTPUT chain of iptables.
> 
> Will iptables keep state on outgoing connections without you implicitly 
> telling it to though?
> 

yes. you don't need to tell iptables to track all connections.
with that line in iptables you just say that all NEW,ESTABLISHED,RELATED packets are accepted
for output; you don't tell iptables to track connections.



Tiago Fernandes
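The ruleset the thread converges on, written out as an added example (not code from any poster): INPUT defaults to DROP, the LAN and the external interface's ESTABLISHED,RELATED replies are accepted, and OUTPUT is left at its ACCEPT policy with no state rule, since conntrack tracks connections regardless. The interface name ppp0 and the LAN 192.168.1.0/24 are taken from the thread and are overridable; the loopback rule is an addition the thread does not mention.

```shell
#!/bin/sh
# Added example: generate the stateful INPUT ruleset in iptables-restore
# format. Arguments: LAN network (default 192.168.1.0/24) and external
# interface (default ppp0), both constructed defaults matching the thread.
gen_rules() {
    lan_net="${1:-192.168.1.0/24}"
    wan_if="${2:-ppp0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is not covered by the thread's rules; without it, local
# services talking to 127.0.0.1 are dropped by the INPUT policy
-A INPUT -i lo -j ACCEPT
# everything from the LAN is trusted
-A INPUT -s ${lan_net} -j ACCEPT
# replies to connections this host opened: conntrack records them whether
# or not any OUTPUT rule mentions state, so OUTPUT needs no rule at all
-A INPUT -i ${wan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# number of rules in the OUTPUT chain of the generated ruleset; expected 0,
# because the OUTPUT policy ACCEPT already covers outbound traffic
count_output_rules() {
    gen_rules "$@" | grep -c '^-A OUTPUT' || true
}

# apply only when explicitly requested and running as root; otherwise print
if [ "${APPLY_RULES:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    gen_rules "$@" | iptables-restore
else
    gen_rules "$@"
fi
```

Run with `APPLY_RULES=1` as root to load the rules; afterwards `cat /proc/net/nf_conntrack` (or `conntrack -L`) shows outbound connections being tracked even though no OUTPUT rule references state.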


