Thanks all! - Re: How do I configure iptables to allow DNS lookups?
HdV@DTO.TUDelft.NL wrote:
If you want to see the full script go to
http://huizen.dto.tudelft.nl/devries/security/iptables_example.nl.html
for an explanation and to
http://huizen.dto.tudelft.nl/devries/files/iptables_files.tar.gz
for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists. I expect to have it available this weekend. I'll post the new link then. 'Til then you should be able to figure things out from the shell-scripts in the archive.
That's fantastic, thanks! The web page was what I really needed before,
from what I can see without understanding Dutch ;) The scripts were very
clear and understandable too. Why doesn't the netfilter.org
documentation page link to you? :D
I think I was having a bit of a brain-fart. I didn't get my head around
the packet nature of this (durr!), rather thinking in connection terms.
Packets flow in and out for a single connection - the concept of
incoming and outgoing connections is irrelevant! Anyway, I think I have
the basics sussed, so when I have time, I will integrate some nicer
scripts like the ones on those URLs, and make it more maintainable and
understandable, etc.
Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:domain
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:www state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:ntp
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ntp state ESTABLISHED
DROP       all  --  anywhere    anywhere

Chain FORWARD (policy DROP)
target     prot opt source      destination
DROP       all  --  anywhere    anywhere

Chain OUTPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state NEW,ESTABLISHED udp dpt:domain
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:www state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state NEW,ESTABLISHED udp dpt:ntp
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ntp state NEW,ESTABLISHED
DROP       all  --  anywhere    anywhere
Thanks again to all who helped,
Malc
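The iptables -L listing in Malc's message, expressed as the commands that build it, as an added example (not a script from the original post or from the linked archive). The client-side pattern it shows is the answer to the DNS question: OUTPUT opens the connection (NEW,ESTABLISHED to dpt:domain) and INPUT only admits the replies (ESTABLISHED from spt:domain), for both udp and tcp. Assumed names: IPT selects the command to run (defaults to iptables; IPT=echo gives a dry run), and rule/apply_rules are helpers invented here.

```shell
#!/bin/sh
# Rebuilds the listed rule set.  Run as "sh script apply" with root to load it,
# or with IPT=echo to just print the commands (assumed helper names).
set -eu
IPT="${IPT:-iptables}"

# Emit one stateful ACCEPT rule: chain, protocol, dport|sport, port, states.
rule() {
    chain=$1; proto=$2; dir=$3; port=$4; states=$5
    "$IPT" -A "$chain" -p "$proto" "--$dir" "$port" \
        -m state --state "$states" -j ACCEPT
}

apply_rules() {
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # ICMP in both directions, as in the listing.
    "$IPT" -A INPUT -p icmp -j ACCEPT
    "$IPT" -A OUTPUT -p icmp -j ACCEPT

    # The one inbound service: ssh may be NEW on INPUT, replies go out.
    rule INPUT tcp dport ssh NEW,ESTABLISHED
    rule OUTPUT tcp sport ssh ESTABLISHED

    # Outbound client services (order follows the OUTPUT chain).  Packets of
    # one connection flow both ways: the host initiates (NEW on OUTPUT), and
    # INPUT accepts only packets belonging to that established flow.
    for svc in smtp:tcp domain:udp domain:tcp www:tcp ntp:udp ntp:tcp; do
        port=${svc%%:*}; proto=${svc##*:}
        rule OUTPUT "$proto" dport "$port" NEW,ESTABLISHED
        rule INPUT "$proto" sport "$port" ESTABLISHED
    done

    # Explicit trailing DROPs, matching the listing (the policies already drop).
    "$IPT" -A INPUT -j DROP
    "$IPT" -A FORWARD -j DROP
    "$IPT" -A OUTPUT -j DROP
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```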