Thanks all! - Re: How do I configure iptables to allow DNS lookups?

To: debian-user@lists.debian.org
Subject: Thanks all! - Re: How do I configure iptables to allow DNS lookups?
From: Malcolm Ferguson <Malcolm_Ferguson@yahoo.com>
Date: Thu, 07 Aug 2003 16:46:03 -0400
Message-id: <[🔎] 3F32BA8B.5030706@yahoo.com>
In-reply-to: <[🔎] Pine.GSO.4.44.0308071642520.6995-100000@sanders.rc.tudelft.nl>
References: <[🔎] Pine.GSO.4.44.0308071642520.6995-100000@sanders.rc.tudelft.nl>

HdV@DTO.TUDelft.NL wrote:

 If you want to see the full script go to

http://huizen.dto.tudelft.nl/devries/security/iptables_example.nl.html

for an explanation and to

http://huizen.dto.tudelft.nl/devries/files/iptables_files.tar.gz

for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists.  I expect to have it available this weekend. I'll post the new link then.  'Til then you should be able to figure things out from the shell-scripts in the archive.

That's fantastic thanks! The web page was what I really needed before,from what I can see without understand Dutch ;) The scripts were veryclear and understandable too. Why doesn't the netfilter.orgdocumentation page link to you? :D

I think I was having a bit of a brain-fart. I didn't get my head aroundthe packet nature of this (durr!), rather thinking in connection terms.Packets flow in and out for a single connection - the concept ofincoming and outgoing connections is irrelevant! Anyway, I think I havethe basics sussed, so when I have time, I will integrate some nicerscripts like the ones on those URLs, and make it more maintainable andunderstandable, etc.


Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh stateNEW,ESTABLISHED

ACCEPT     tcp  --  anywhere    anywhere    tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:domain
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:www state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:ntp
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ntp state ESTABLISHED
DROP       all  --  anywhere    anywhere

Chain FORWARD (policy DROP)
target     prot opt source      destination
DROP       all  --  anywhere    anywhere

Chain OUTPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ssh state ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp stateNEW,ESTABLISHEDACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED udpdpt:domainACCEPT tcp -- anywhere anywhere tcp dpt:domain stateNEW,ESTABLISHEDACCEPT tcp -- anywhere anywhere tcp dpt:www stateNEW,ESTABLISHEDACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED udpdpt:ntpACCEPT tcp -- anywhere anywhere tcp dpt:ntp stateNEW,ESTABLISHED

DROP       all  --  anywhere    anywhere


Thanks again to all who helped,
Malc

Reply to:

Follow-Ups:
- Re: Thanks all! - Re: How do I configure iptables to allow DNS lookups?
  - From: HdV@DTO.TUDelft.NL

References:
- Re: How do I configure iptables to allow DNS lookups?
  - From: HdV@DTO.TUDelft.NL

Prev by Date: Re: finding the cause of a lock-up
Next by Date: Re: GCC for kernel compilation
Previous by thread: Re: How do I configure iptables to allow DNS lookups?
Next by thread: Re: Thanks all! - Re: How do I configure iptables to allow DNS lookups?
Index(es):
- Date
- Thread