Re: these INPUT and OUTPUT rules blocking more than desired....

Jose

Thanks.  The port numbers you mentioned are the ones I'm using.
(I got them from /etc/services.)  It *is* possible that
I'm not defining my variables correctly.  I'll check that.
Assuming INCOMING_TCP_PORTS == INCOMING_UDP_PORTS == OUTGOING_TCP_PORTS 
== OUTGOING_UDP_PORTS == "53 80", is there any reason
my code snippet won't do DNS and HTTP fine? (i.e. is there anything else
wrong?)

Chris

On Tue, 2005-03-01 at 01:31, Jose Maria Lopez Hernandez wrote:
> On Mon, 28-02-2005 at 17:43 -0800, seberino@xxxxxxxxxxxxxxx wrote:
> > The snippet below was intended to *ONLY* allow types of traffic that
> > I desired in and out of PC.  For example, I tried to only allow DNS, SSH
> > and HTTP.
> > 
> > These services don't work.  It seems like they need more than /one/
> > port opened.  Or, they need something else I'm forgetting.
> > Any help would be greatly appreciated.....
> > 
> 
> You don't post your vars so we don't know what ports you are
> opening...
> But it's just:
> DNS=53/tcp 53/udp
> SSH=22/tcp
> HTTP=80/tcp
> 
> >       # INPUT
> > 
> >       $IPTABLES -t filter -A INPUT                      \
> >                 -i $INTERNET_INTERFACE                  \
> >                 -d $INTERNET_ADDRESS                    \
> >                 -m state --state ESTABLISHED,RELATED    \
> >                 -j ACCEPT
> >       for PORT in $OPEN_INCOMING_TCP_PORTS; do
> >          $IPTABLES -t filter -A INPUT                   \
> >                    -i $INTERNET_INTERFACE               \
> >                    -d $INTERNET_ADDRESS                 \
> >                    -p tcp --dport $PORT                 \
> >                    -j ACCEPT
> >       done
> >       for PORT in $OPEN_INCOMING_UDP_PORTS; do
> >          $IPTABLES -t filter -A INPUT                   \
> >                    -i $INTERNET_INTERFACE               \
> >                    -d $INTERNET_ADDRESS                 \
> >                    -p udp --dport $PORT                 \
> >                    -j ACCEPT
> >       done
> > 
> >       # OUTPUT
> > 
> >       $IPTABLES -t filter -A OUTPUT                     \
> >                 -o $INTERNET_INTERFACE                  \
> >                 -s $INTERNET_ADDRESS                    \
> >                 -m state --state ESTABLISHED,RELATED    \
> >                 -j ACCEPT
> >       for PORT in $OPEN_OUTGOING_TCP_PORTS; do
> >          $IPTABLES -t filter -A OUTPUT                  \
> >                    -o $INTERNET_INTERFACE               \
> >                    -s $INTERNET_ADDRESS                 \
> >                    -p tcp --dport $PORT                 \
> >                    -j ACCEPT
> >       done
> >       for PORT in $OPEN_OUTGOING_UDP_PORTS; do
> >          $IPTABLES -t filter -A OUTPUT                  \
> >                    -o $INTERNET_INTERFACE               \
> >                    -s $INTERNET_ADDRESS                 \
> >                    -p udp --dport $PORT                 \
> >                    -j ACCEPT
> >       done
> 
> Regards.
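The ruleset from the thread as a dry-run script (an added example, not the original poster's or Jose's code): the port lists are named exactly as the loops expect, the INPUT/OUTPUT direction of each rule follows the 53/tcp+udp, 22/tcp, 80/tcp advice above, and a DROP policy plus a loopback rule are added so the "allow only what I want" intent is explicit. It assumes iptables with the filter table and the state match; IPTABLES defaults to echo so nothing is applied, and the interface name and address are constructed.

```shell
#!/bin/sh
# Ruleset from the thread with the port variables spelled out once, a DROP
# default policy and loopback allowed. IPTABLES defaults to "echo" so the
# script only prints the rules; interface and address are constructed values.
IPTABLES="${IPTABLES:-echo}"                        # set to /sbin/iptables to apply
INTERNET_INTERFACE="${INTERNET_INTERFACE:-eth0}"    # assumed interface name
INTERNET_ADDRESS="${INTERNET_ADDRESS:-192.0.2.10}"  # constructed TEST-NET address

# Ports per the reply: DNS=53/tcp 53/udp, SSH=22/tcp, HTTP=80/tcp. A client
# needs only OUTGOING rules for DNS/HTTP; replies return via ESTABLISHED,RELATED.
# INCOMING ports are services this host offers (here: sshd).
OPEN_INCOMING_TCP_PORTS="22"
OPEN_INCOMING_UDP_PORTS=""
OPEN_OUTGOING_TCP_PORTS="53 80"
OPEN_OUTGOING_UDP_PORTS="53"

# One ACCEPT rule per port. $1: INPUT|OUTPUT, $2: tcp|udp, $3: port list.
port_rules() {
  chain=$1; proto=$2; ports=$3
  if [ "$chain" = INPUT ]; then
    addr="-i $INTERNET_INTERFACE -d $INTERNET_ADDRESS"
  else
    addr="-o $INTERNET_INTERFACE -s $INTERNET_ADDRESS"
  fi
  for PORT in $ports; do
    # -p must come before --dport: --dport belongs to the tcp/udp match.
    $IPTABLES -t filter -A "$chain" $addr -p "$proto" --dport "$PORT" -j ACCEPT
  done
}
# Full ruleset; with IPTABLES=echo its output is the list of rules.
apply_ruleset() {
  $IPTABLES -t filter -P INPUT DROP
  $IPTABLES -t filter -P OUTPUT DROP
  # Loopback (local resolver, etc.) must not fall through to the DROP policy.
  $IPTABLES -t filter -A INPUT  -i lo -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
  # Replies to already-accepted connections, both directions.
  $IPTABLES -t filter -A INPUT  -i "$INTERNET_INTERFACE" -d "$INTERNET_ADDRESS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o "$INTERNET_INTERFACE" -s "$INTERNET_ADDRESS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  port_rules INPUT  tcp "$OPEN_INCOMING_TCP_PORTS"
  port_rules INPUT  udp "$OPEN_INCOMING_UDP_PORTS"
  port_rules OUTPUT tcp "$OPEN_OUTGOING_TCP_PORTS"
  port_rules OUTPUT udp "$OPEN_OUTGOING_UDP_PORTS"
}
# How many rules open a given port? rules_for_port 53 -> 2 (tcp and udp out).
rules_for_port() { apply_ruleset | grep -c -- "--dport $1 " || true; }
apply_ruleset
```

Run it as-is to see the rule list; a port that appears in none of the four lists (for example 443) gets no rule and falls through to the DROP policy.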
