Re: Question related to DROP target?

Thanks, 

I made it :) with your suggestion.

Regards 
--- Bjørn Ruberg <bjorn@xxxxxxxxx> wrote:

> Elvir Kuric <omasnjak@xxxxxxxxx> writes:
> 
> [...]
> 
> > that comes after are not implemented. I want to
> > block all traffic first and then allow specified traffic.
> 
> Then you actually need to specify it properly.
> 
> > Please, I need your opinions. I read many sources
> > and I understand what the above rules mean, but I cannot
> > understand why the rules after do not work.
> 
> [...]
> 
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> > 
> > iptables -X
> > iptables -t nat -X
> > iptables -t mangle -X
> > 
> > #iptables -P INPUT DROP
> > #iptables -P OUTPUT DROP
> > #iptables -P FORWARD DROP
> 
> Here, you accept traffic to and from localhost. You should probably
> specify the interface.
> 
> > iptables -A INPUT -s 127.0.0.1/255.0.0.0 -j ACCEPT
> > iptables -A OUTPUT -d 127.0.0.1/255.0.0.0 -j ACCEPT
> 
> This one allows both new and established traffic. However, if I read
> the documentation right, you allow -only- the initiating traffic
> (e.g. SYN packets, if you are familiar with the TCP three-way
> handshake) to your server; only the start of any connection.
> E.g. completing a login will then not work.
> 
> > iptables -A INPUT -m state --state
> > NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> [...]
> 
> > iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
> 
> Finally, you accept all _outbound_ traffic to port 22 (SSH) on other
> servers. The return traffic to your firewall will be allowed due to
> your ESTABLISHED rule above.
> 
> Summarily, you allow yourself to use SSH from your firewall, and
> that's about it.
> 
> You should check out the information and scripts at
> http://www.linuxguruz.com/iptables/
> 
> Good luck :-)
> 
> -- 
> Bjørn
> 
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

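The "block everything first, then allow what you need" ruleset that the thread is circling around, written out as an added example (it is not code from either poster). It keeps the default DROP policies that the original script had commented out, matches loopback on the `lo` interface rather than on a 127.0.0.0/8 source address as Bjørn suggests, and restricts the state rule to ESTABLISHED,RELATED so that only replies to existing connections get in; new inbound connections must be accepted by an explicit per-port rule. The external interface name `eth0` is an assumption. The script prints the ruleset in `iptables-restore` format so it can be reviewed before it is applied; it only calls `iptables-restore` when run as `apply`.

```shell
#!/bin/sh
# Added example, not from the list thread: a default-deny iptables ruleset
# emitted in iptables-restore format. WAN_IF is an assumed interface name.

WAN_IF="${WAN_IF:-eth0}"

# Emit the full ruleset. Chain policies are DROP, so any packet not matched
# by an ACCEPT rule below is discarded.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: match on the interface, not on 127.0.0.0/8 as a source address.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets claiming a loopback source on the external interface are spoofed.
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
# Replies to connections already tracked by conntrack. NEW is deliberately
# absent here: accepting NEW on INPUT would open every port.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound SSH to the firewall itself is the only service exposed.
-A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Outbound SSH from the firewall, as in the original script.
-A OUTPUT -o $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Returns 0 if the INPUT chain policy in the emitted ruleset is DROP.
check_default_deny() {
    firewall_rules | grep -q '^:INPUT DROP'
}

# Returns 0 if no rule accepts NEW connections on INPUT without a port match.
check_no_blanket_new() {
    if firewall_rules | grep '^-A INPUT' | grep -v -- '--dport' | grep -q 'NEW'; then
        return 1
    fi
    return 0
}

# Number of -A rule lines in the ruleset (a quick regression check).
rule_count() {
    firewall_rules | grep -c '^-A'
}

case "${1:-}" in
    apply)
        # Refuse to load a ruleset that is not default-deny.
        check_default_deny || { echo "refusing: INPUT policy is not DROP" >&2; exit 1; }
        firewall_rules | iptables-restore
        ;;
    *)
        firewall_rules
        ;;
esac
```

To apply it on the firewall, run the script as root with the argument `apply`, preferably from a console session rather than over SSH until you have confirmed the port 22 rule works; `iptables-save` afterwards shows the loaded ruleset for comparison with the printed one.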