Re: iptables blocks dns

Posted by TrevorH on 2011/12/8 22:18:00
I think you are making this way too complicated. If you want to set your OUTPUT policy to DENY then I would set up a bare minimum of rules, for example

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


That's simple and needs the last rule repeated per output port that you want to allow connections through to. It also allows all outgoing requests in response to packets that have already been allowed. The INPUT side of that is now handled by

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT


You don't need separate input rules for accepting the replies to things that have been allowed out as they're allowed by the 2nd rule above. The things you want on your INPUT chain are for services that you have running on the machine - so, yes, port 1234 wants one like

-A INPUT -i eth0 -p tcp [-s my.source.ip.addresses ] -m state --state NEW -m tcp --dport 1234 -j ACCEPT


This allows the initial connection (optionally from -s my.source.ip.addresses ) and subsequent traffic is allowed in and out by the RELATED,ESTABLISHED rules on input and output chains.

This Post was from: https://www.centos.org/newbb/viewtopic.php?forum=55&topic_id=34640&post_id=149006
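Added example, my own shell and not code from TrevorH's post: a function that renders the stateful policy described above as an iptables-restore file, repeating the per-port NEW rule once per entry. It generalizes the post slightly: ports are given as proto/port entries (so udp/53 for DNS fits alongside tcp/80), and the two RELATED,ESTABLISHED reply rules are written without `-p tcp` so that UDP replies are matched by conntrack too. Interface name, port lists and the optional source CIDR are parameters I assume here.

```shell
#!/bin/sh
# Added example (not from the original post). Nothing is applied: the
# ruleset is printed to stdout for review, then `iptables-restore < file`.
#
# gen_rules IFACE "OUT_ENTRIES" "IN_ENTRIES" [SOURCE_CIDR]
#   entries are proto/port, space separated, e.g. "tcp/80 udp/53"
gen_rules() {
    iface=$1 out_entries=$2 in_entries=$3 src=$4
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback, then replies to already-accepted traffic in both directions;
    # no -p here so UDP answers (DNS) match as well as TCP ones
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "-A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # one NEW rule per allowed outbound destination port
    for e in $out_entries; do
        proto=${e%/*} port=${e#*/}
        printf '%s\n' "-A OUTPUT -o $iface -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
    done
    # one NEW rule per service hosted on this machine, optionally source-limited
    for e in $in_entries; do
        proto=${e%/*} port=${e#*/}
        if [ -n "$src" ]; then
            printf '%s\n' "-A INPUT -i $iface -p $proto -s $src -m state --state NEW -m $proto --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -i $iface -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}
```

Run it as `gen_rules eth0 "tcp/80 udp/53" "tcp/1234" "192.0.2.0/24" > rules.txt` and check the output before loading it, since both policies are DROP.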