On Fri, 2007-05-25 at 15:52 +0200, Benny Amorsen wrote:
> >>>>> "sv" == seth vidal <skvidal@xxxxxxxxxxxxxxxxx> writes:
>
> sv> Here's what I've used in the past. It allows connections for
> sv> certain ports/places and then drops everything else as the last
> sv> item.
>
> sv> http://linux.duke.edu/~skvidal/misc/iptables-template
>
> sv> it's pretty painless, really.
>
> sv> If we want to add explicit outbound rules, too, that's fine, but
> sv> I'd advise enabling logging b/c that stuff is easy to get wrong.
> sv> :)
>
> sv> This is just a sample but it's simple and straightforward.
>
> The sample script accepts all non-syn TCP packets, whether they are
> related to an established connection or not. That is not necessarily a
> bad thing, I'm just pointing it out so people are aware of it.

Fair enough, drop the -y and let the stateful handler earlier up take care of it.

-sv
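As an added example (not the template at the URL above, and not code either poster sent), a small POSIX shell audit that flags the stateless non-SYN accept rule (`! --syn`) in an iptables-save dump, beside a constructed INPUT chain that relies on conntrack instead, as the reply suggests; the dump and the chain are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for a stateless "accept every
# non-SYN TCP packet" rule, and emit a stateful INPUT chain to use instead.
# Nothing here touches a live firewall; it only inspects and prints text.

# Constructed sample dump (iptables-save format) carrying the weak rule: any
# TCP segment without SYN set is accepted ahead of the port rules, whether or
# not conntrack knows the connection it claims to belong to.
WEAK_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Stateful replacement: conntrack decides what belongs to a connection, so the
# "! --syn" shortcut is not needed; stray non-SYN segments fall through to the
# LOG rule and the DROP policy, which also makes rule mistakes visible.
hardened_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# audit_rules DUMP: print every ACCEPT rule that matches "! --syn" without a
# conntrack qualifier (--state or --ctstate). Exit status 0 when at least one
# such rule is present, 1 when the dump is clean.
audit_rules() {
    printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -- '! --syn' \
        | grep -v -e '--state' -e '--ctstate'
}

# weak_rule_count DUMP: the same check, printed as a number for scripting.
weak_rule_count() {
    audit_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone use: report on the constructed dump, then print the replacement.
audit_rules "$WEAK_RULES" && echo "stateless non-SYN accept found" || echo "clean"
hardened_rules
```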