
[solved] Re: iptables ruleset ...



On Wednesday 09 February 2005 17:12, Dave Ewart wrote:
> On Wednesday, 09.02.2005 at 16:45 +0100, Manfred Sampl wrote:
> > > [...]
> > >
> > > For every INPUT you need appropriate OUTPUT rule :)
> > > I don't know your configuration or how exactly you are connected to the
> > > network but for ssh you should probably have to add:
> > >
> > > $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> > > $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
>
> [...]
>
> When I have INPUT rules to allow special types of traffic in, such as
> SSH, I usually find that the best corresponding OUTPUT rules are to
> allow ESTABLISHED and RELATED, rather than on the source ports of the
> services one is allowing: which means that you won't need to add
> additional OUTPUT rules if you later allow a different special service
> in.  This is probably just a matter of taste, though.

I actually have an ESTABLISHED,RELATED rule, but that didn't help:

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

Is there a GUI tool that is able to set up a firewall rule set on a remote 
computer or write a bash script? I had a quick look at knetfilter and 
firestarter, but that isn't really what I need. Shorewall is somehow nice, 
but wouldn't that be a step back for me?

Regards
Manfred
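The approach Dave describes above, as an added example that is not part of the thread: a small default-deny ruleset where one state rule per direction stands in for the per-service `--sport` OUTPUT rules. Note that the state rule quoted above sits in the INPUT chain, while Dave's suggestion concerns OUTPUT; the script below has one in each chain. Interface name, address (a TEST-NET placeholder) and the `--apply` switch are assumptions for illustration. Setting `IPTABLES=echo` prints the commands instead of applying them, which is how the counting helper at the end works.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables ruleset for a host
# with one external interface. Interface/address values are placeholders.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"             # assumed interface name
EXTIP="${EXTIP:-192.0.2.10}"       # assumed address (TEST-NET-1 placeholder)

# Build the ruleset; each argument is a TCP port to accept NEW connections on.
build_ruleset() {
    # Start from a clean, default-deny policy in every chain.
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback is needed by many local services; allow it unconditionally.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # One state rule per direction: packets belonging to a connection that
    # was already accepted (or related to one, e.g. ICMP errors) pass.
    # This is what makes per-service --sport OUTPUT rules unnecessary.
    $IPTABLES -A INPUT -i "$EXTIF" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -s "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW inbound connections: only the services listed on the command line.
    for port in "$@"; do
        $IPTABLES -A INPUT -i "$EXTIF" -d "$EXTIP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # NEW outbound connections initiated by this host (DNS, updates, ...).
    $IPTABLES -A OUTPUT -o "$EXTIF" -s "$EXTIP" -m state --state NEW -j ACCEPT

    # Log whatever still falls through before the chain policy drops it.
    $IPTABLES -A INPUT -j LOG --log-prefix "iptables-in-drop: "
}

# Number of OUTPUT rules the ruleset needs for the given list of services.
# With the state approach it stays constant however many ports are opened.
output_rule_count() {
    ( IPTABLES=echo; build_ruleset "$@" ) | grep -c '^-A OUTPUT'
}

# Usage: IPTABLES=echo sh firewall.sh --apply 22 80   (dry run)
#        sh firewall.sh --apply 22 80                 (as root, applies rules)
if [ "${1:-}" = "--apply" ]; then
    shift
    build_ruleset "$@"
fi
```

Because the OUTPUT policy is DROP, anything this host itself initiates must match the `NEW` OUTPUT rule; if that is too permissive for a server, restrict it with `-p`/`--dport` the same way the INPUT rules are. `-m state` is what the thread uses and is still accepted, but on current kernels `-m conntrack --ctstate` is the preferred spelling of the same check.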


