   iptables blocks dns
TrevorH (Moderator, Brighton, UK)
Re: iptables blocks dns
I think you are making this way too complicated. If you want to set your OUTPUT policy to DENY then I would set up a bare minimum of rules, for example

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT


That's simple and needs the last rule repeated per output port that you want to allow connections through to. It also allows all outgoing requests in response to packets that have already been allowed. The INPUT side of that is now handled by

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT


You don't need separate input rules for accepting the replies to things that have been allowed out as they're allowed by the 2nd rule above. The things you want on your INPUT chain are for services that you have running on the machine - so, yes, port 1234 wants one like

-A INPUT -i eth0 -p tcp [-s my.source.ip.addresses ] -m state --state NEW -m tcp --dport 1234 -j ACCEPT


This allows the initial connection (optionally from -s my.source.ip.addresses ) and subsequent traffic is allowed in and out by the RELATED,ESTABLISHED rules on input and output chains.
_________________
Linux/VoIP Systems Administrator
Posted on: 2011/12/8 22:18
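The layout described above, as an added example that is not TrevorH's own code: a sh function that emits the ruleset in iptables-restore format, plus a small check for the one thing that most often leaves DNS broken with this layout, an INPUT RELATED,ESTABLISHED rule restricted to tcp, which drops the UDP answers to DNS queries. The interface name, port lists and resolver address 192.0.2.53 are assumed, and outbound DNS on port 53 is included because the thread is about DNS being blocked.

```shell
#!/bin/sh
# Added example, not from the forum post. Emits the minimal stateful ruleset
# TrevorH describes (default DROP, loopback open, RELATED,ESTABLISHED both
# ways, one NEW rule per allowed port) in iptables-restore format, and adds
# outbound DNS, which is assumed here because the thread is about DNS.
# Usage: gen_rules IFACE "OUT_TCP_PORTS" "IN_TCP_PORTS" [RESOLVER_IP]

gen_rules() {
    iface="$1"; out_tcp="$2"; in_tcp="$3"; resolver="$4"
    dst=""                              # optional: pin DNS to one resolver
    if [ -n "$resolver" ]; then dst="-d $resolver "; fi
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to anything already allowed. Deliberately no "-p tcp" here:
    # a tcp-only ESTABLISHED rule on INPUT drops the UDP answers to DNS queries.
    printf '%s\n' "-A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # DNS: UDP for ordinary queries, TCP for answers too large for UDP
    printf '%s\n' "-A OUTPUT -o $iface ${dst}-p udp -m state --state NEW -m udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $iface ${dst}-p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT"
    for p in $out_tcp; do   # one NEW rule per outbound port, as the post says
        printf '%s\n' "-A OUTPUT -o $iface -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    for p in $in_tcp; do    # one NEW rule per service listening on this host
        printf '%s\n' "-A INPUT -i $iface -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Lint: does the INPUT chain let UDP replies back in? Returns 0 if some
# INPUT RELATED,ESTABLISHED rule is not limited to "-p tcp", 1 otherwise.
dns_replies_allowed() {
    printf '%s\n' "$1" | grep -- '^-A INPUT .*--state RELATED,ESTABLISHED' \
        | grep -qv -- '-p tcp'
}

# Try it (constructed values): gen_rules eth0 "80 443" "1234" 192.0.2.53 > /tmp/rules.v4
# Review the file, then load it with: iptables-restore < /tmp/rules.v4
```

Loading the ruleset needs root and replaces the running filter table, so review the generated file first; on CentOS 6 the persistent copy lives in /etc/sysconfig/iptables.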