Re: Trying to setup two ethernet cards with two websites

On Friday 03 January 2003 07:23 am, Roy Sigurd Karlsbakk wrote:
> > If you trust that nothing on the box is or ever will connect that
> > you don't want to, then output chain can just have an ACCEPT policy.
> >  If you
> > want to lock down to make it harder for a trojan or such to
> > communicate back from the box, you can set a DROP policy, then:
> >
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> just remember to allow incoming ICMP. Please? ICMP _is_ an integral
> part of IP, and shouldn't be blocked out!

The RELATED state does just this.  If you allow absolutely nothing in but 
tcp 80 and established, and absolutely nothing out but established, only 
the port 80 request and reply will get through.  If you also allow 
related out then so long as an 'established' connection exists then 
supplementary connections are accepted as well, like ICMP fragmentation 
control stuff.  The only /initial/ connection allowed in this 
mini-scenario is to destination port 80 with TCP, but once that 
connection is flowing then the server would be allowed to send related 
packets to the same client, even other ports or protocols, and they will 
get through regardless of whether they are explicitly accepted or 
explicitly dropped by the firewall.  That is the basic purpose of the 
RELATED state.  It's extended with helpers to consider things like FTP 
data to be related to FTP control, and the NAT functions are extended as 
well, but the whole idea of RELATED is to let through stuff that is, 
well, related.

j
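A complete ruleset for the mini-scenario the reply describes (absolutely nothing in but TCP 80 and ESTABLISHED/RELATED, absolutely nothing out but ESTABLISHED/RELATED), as an added example that is not part of the original thread. The loopback rules, the WEB_PORT variable and the check/apply helpers are assumptions of this example, not something the thread specifies:

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the minimal stateful
# ruleset the reply describes: DROP policies on both chains, only a NEW TCP
# connection to the web port allowed in, and only ESTABLISHED/RELATED traffic
# allowed in either direction. The loopback rules and the port variable are
# assumptions, not something the thread specifies.

WEB_PORT="${WEB_PORT:-80}"

# Emit the ruleset in iptables-restore format on stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local processes talking to themselves (assumption: you want this).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies on the port-80 connection, plus RELATED packets such as the ICMP
# errors that belong to it, come in here without any explicit ICMP rule.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only initial connection accepted: TCP to the web port.
-A INPUT -p tcp --dport ${WEB_PORT} -m state --state NEW -j ACCEPT
# Outbound: the server may answer and send related packets, but a process
# on the box cannot open a fresh connection out (the trojan case above).
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without loading it; needs iptables-restore installed.
check_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    gen_ruleset | iptables-restore --test
}

# Load the ruleset for real (root only).
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: need root" >&2; return 1; }
    gen_ruleset | iptables-restore
}

case "${1-}" in
    apply) apply_ruleset ;;
    check) check_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no argument to print the ruleset, with `check` to let iptables-restore parse it without committing, and with `apply` as root to load it. Note that, as the reply says, the incoming ICMP Roy asks about is not listed anywhere: the second INPUT rule lets it through only when conntrack can tie it to the existing port-80 connection, so an unsolicited ICMP echo request hits the DROP policy.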
