On Mon, 28-02-2005 at 17:43 -0800, seberino@xxxxxxxxxxxxxxx wrote:
> The snippet below was intended to *ONLY* allow types of traffic that
> I desired in and out of PC. For example, I tried to only allow DNS, SSH
> and HTTP.
>
> These services don't work. It seems like they need more than /one/
> port opened. Or, they need something else I'm forgetting.
> Any help would be greatly appreciated.....
>

You don't post your vars so we don't know what ports you are opening...
But it's just:

DNS=53/tcp 53/udp
SSH=22/tcp
HTTP=80/tcp

> # INPUT
>
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> for PORT in $OPEN_INCOMING_TCP_PORTS; do
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -p tcp --dport $PORT \
> -j ACCEPT
> done
> for PORT in $OPEN_INCOMING_UDP_PORTS; do
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -p udp --dport $PORT \
> -j ACCEPT
> done
>
> # OUTPUT
>
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> for PORT in $OPEN_OUTGOING_TCP_PORTS; do
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -p tcp --dport $PORT \
> -j ACCEPT
> done
> for PORT in $OPEN_OUTGOING_UDP_PORTS; do
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -p udp --dport $PORT \
> -j ACCEPT
> done

Regards.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx

bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
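To make the reply concrete, here is an added example (not the original poster's script nor bgSEC's) that defines the port variables the reply lists and feeds them into the same INPUT/OUTPUT loop pattern as the quoted snippet. It assumes an interface name `eth0`, a constructed address `192.0.2.10`, explicit DROP policies and loopback ACCEPT rules (none of which appear in the post), and defaults `IPTABLES` to `echo iptables` so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Added example, not the original poster's script: the port variables the reply
# says are "just" needed, fed into the same INPUT/OUTPUT loop pattern. IPTABLES
# defaults to "echo iptables" so the generated rules can be inspected without
# root or a live netfilter; set IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
INTERNET_INTERFACE="eth0"        # assumed interface name
INTERNET_ADDRESS="192.0.2.10"    # constructed sample address (TEST-NET-1)

# From the reply: DNS=53/tcp 53/udp, SSH=22/tcp, HTTP=80/tcp.
OPEN_INCOMING_TCP_PORTS="22"        # only the SSH server is reachable from outside
OPEN_INCOMING_UDP_PORTS=""
OPEN_OUTGOING_TCP_PORTS="53 22 80"  # DNS (TCP fallback), SSH and HTTP clients
OPEN_OUTGOING_UDP_PORTS="53"        # DNS queries

gen_rules() {
  # Default-deny, so only the ports listed above ever pass (assumption, not in the post).
  $IPTABLES -t filter -P INPUT DROP
  $IPTABLES -t filter -P OUTPUT DROP
  # Loopback is not covered by the interface-bound rules below; local resolvers
  # and daemons talking to 127.0.0.1 need it (assumption, not in the post).
  $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
  # Return traffic for connections accepted in either direction.
  $IPTABLES -t filter -A INPUT -i "$INTERNET_INTERFACE" -d "$INTERNET_ADDRESS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o "$INTERNET_INTERFACE" -s "$INTERNET_ADDRESS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New connections: only the listed ports, per protocol and direction.
  for PORT in $OPEN_INCOMING_TCP_PORTS; do
    $IPTABLES -t filter -A INPUT -i "$INTERNET_INTERFACE" -d "$INTERNET_ADDRESS" \
      -p tcp --dport "$PORT" -j ACCEPT
  done
  for PORT in $OPEN_INCOMING_UDP_PORTS; do
    $IPTABLES -t filter -A INPUT -i "$INTERNET_INTERFACE" -d "$INTERNET_ADDRESS" \
      -p udp --dport "$PORT" -j ACCEPT
  done
  for PORT in $OPEN_OUTGOING_TCP_PORTS; do
    $IPTABLES -t filter -A OUTPUT -o "$INTERNET_INTERFACE" -s "$INTERNET_ADDRESS" \
      -p tcp --dport "$PORT" -j ACCEPT
  done
  for PORT in $OPEN_OUTGOING_UDP_PORTS; do
    $IPTABLES -t filter -A OUTPUT -o "$INTERNET_INTERFACE" -s "$INTERNET_ADDRESS" \
      -p udp --dport "$PORT" -j ACCEPT
  done
}

# Count generated ACCEPT rules for one protocol/port, e.g. count_rules udp 53.
count_rules() { gen_rules | grep -c -- "-p $1 --dport $2 "; }

gen_rules
```

Running it as-is prints the rule set; each service the reply names shows up as exactly one OUTPUT rule per protocol, with SSH additionally getting an INPUT rule.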