Output chain
Martin Pavlas
martin.pavlas@pwrgeneration.net
Mon, 25 Mar 2002 17:04:52 +0100
Hi,
I use kernel versions 2.4.17 and 2.4.18 (Debian 2.2) and I have these rules in my iptables settings:
IFACE=eth0   # outbound interface; the assignment is not shown in the post, the value is taken from OUT=eth0 in the log line below
iptables -P OUTPUT DROP
## Allow ESTABLISHED and RELATED traffic (matched via the conntrack table, not via TCP flags)
iptables -A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
## DNS
iptables -A OUTPUT -o $IFACE -p udp --dport domain -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport domain -m state --state NEW -j ACCEPT
## SSH
iptables -A OUTPUT -o $IFACE -p tcp --dport ssh -m state --state NEW -j ACCEPT
## SMTP
iptables -A OUTPUT -o $IFACE -p tcp --dport smtp -m state --state NEW -j ACCEPT
## WEB
iptables -A OUTPUT -o $IFACE -p tcp --dport www -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport https -m state --state NEW -j ACCEPT
# Any tcp not already allowed is logged and then dropped.
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
Sometimes I see in my log file something like this:
Mar 25 03:16:40 box kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=MYIPADDRESS DST=66.185.84.69 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=16488 PROTO=TCP SPT=80 DPT=54030 WINDOW=6432 RES=0x00 ACK URGP=0
It's a reply from a web server, so it should be allowed by the first rule as an established packet, so I don't know why it isn't. It happens from different ports, not just from 80.
--
Martin Pavlas
Pwrgeneration.net ICC s.r.o.
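Editor's note on the logged packet: `-m state --state ESTABLISHED` is decided by the connection-tracking table, not by the TCP flags. The logged segment has only ACK set and comes from SPT=80, so it is part of a conversation already in progress; for it to reach the LOG rule, conntrack must have held no entry for that flow at that moment (the entry had timed out, had been evicted because the table was full, or the connection predated the tracking). A practical first step is to classify what the LOG rule is catching. The script below is an added example, not code from the post or from the netfilter project. It parses kernel LOG lines into fields and flags, classifies each entry by TCP flags, and picks out the entries that could only have been logged because the state match found no conntrack entry. The input is constructed: the first line is the one from the post with the redacted source replaced by the documentation address 192.0.2.10, and the other two lines (a SYN to port 6667, an RST from port 22) are invented to exercise the other branches.

```python
"""Classify iptables LOG entries from an OUTPUT chain (added example, not from the post)."""
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample input (see the lead-in): line 1 is the post's log line with
# SRC replaced by 192.0.2.10; lines 2 and 3 are invented for the other cases.
SAMPLE_LOG = [
    "Mar 25 03:16:40 box kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=66.185.84.69 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=16488 PROTO=TCP "
    "SPT=80 DPT=54030 WINDOW=6432 RES=0x00 ACK URGP=0",
    "Mar 25 03:20:01 box kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=33001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 25 03:21:15 box kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP "
    "SPT=22 DPT=40123 WINDOW=0 RES=0x00 ACK RST URGP=0",
]


def parse_iptables_log(line):
    """Split one kernel LOG line into prefix, KEY=VALUE fields, TCP flags, options.

    LOG emits space-separated KEY=VALUE tokens plus bare tokens for TCP flags
    (ACK, SYN, ...) and IP options such as DF. Empty values are kept as '',
    e.g. IN= for a locally generated packet.
    """
    body = line.partition("kernel:")[2] or line   # tolerate lines without a syslog header
    m = re.search(r"\bIN=", body)
    if m is None:
        raise ValueError("not an iptables LOG line: %r" % line)
    fields, flags, options = {}, set(), set()
    for tok in body[m.start():].split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            options.add(tok)                      # DF, CE, ...
    return {"prefix": body[:m.start()].strip(), "fields": fields,
            "flags": flags, "options": options}


def classify(rec):
    """Name the kind of TCP packet a logged OUTPUT entry represents."""
    f = rec["flags"]
    if rec["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "syn-ack" if "ACK" in f else "new"
    if "ACK" in f:
        return "mid-stream"
    return "other"


# What each class means against the ruleset in the post.
MEANING = {
    "new": "first packet of a connection; --state NEW would match, so it was "
           "logged because DPT is not on the allow list",
    "syn-ack": "reply to an inbound SYN; --state ESTABLISHED should match it, "
               "so conntrack had no entry for the inbound connection",
    "mid-stream": "segment of a conversation in progress; --state ESTABLISHED "
                  "did not match, so conntrack had no entry for the flow",
    "reset": "RST; often sent after the peer's conntrack entry is already gone",
}

# Classes that can only reach the LOG rule when the conntrack entry is missing.
STATE_GAP_CLASSES = {"syn-ack", "mid-stream"}


def summarize(lines):
    """Count logged packets per class."""
    return Counter(classify(parse_iptables_log(l)) for l in lines)


def missing_conntrack(lines):
    """Return (SPT, DPT) of entries that imply a missing conntrack entry."""
    out = []
    for line in lines:
        rec = parse_iptables_log(line)
        if classify(rec) in STATE_GAP_CLASSES:
            out.append((rec["fields"]["SPT"], rec["fields"]["DPT"]))
    return out


def report(lines):
    for line in lines:
        rec, f = parse_iptables_log(line), parse_iptables_log(line)["fields"]
        k = classify(rec)
        print("%-10s %s:%s -> %s:%s flags=%s  %s" % (
            k, f["SRC"], f["SPT"], f["DST"], f["DPT"],
            "+".join(sorted(rec["flags"])), MEANING.get(k, "")))


if __name__ == "__main__":
    report(SAMPLE_LOG)
    print("entries implying a missing conntrack entry:", missing_conntrack(SAMPLE_LOG))
```

Run it against `grep 'IPTABLES TCP-OUT' /var/log/kern.log` instead of the constructed lines to see the split on a real box: "new" entries are policy (a port you have not allowed), whereas "mid-stream" and "syn-ack" entries point at the conntrack table rather than at the rules, and are the ones to correlate with conntrack timeouts and table size.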