these INPUT and OUTPUT rules blocking more than desired....
Jose Maria Lopez Hernandez
jkerouac at bgsec.com
Tue Mar 1 10:31:26 CET 2005
On Mon, 28-02-2005 at 17:43 -0800, seberino at spawar.navy.mil wrote:
> The snippet below was intended to *ONLY* allow types of traffic that
> I desired in and out of PC. For example, I tried to only allow DNS, SSH
> and HTTP.
>
> These services don't work. It seems like they need more than /one/
> port opened. Or, they need something else I'm forgetting.
> Any help would be greatly appreciated.....
>
You didn't post your vars, so we don't know what ports you are
opening...
But it's just:
DNS=53/tcp 53/udp
SSH=22/tcp
HTTP=80/tcp
> # INPUT
>
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> for PORT in $OPEN_INCOMING_TCP_PORTS; do
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -p tcp --dport $PORT \
> -j ACCEPT
> done
> for PORT in $OPEN_INCOMING_UDP_PORTS; do
> $IPTABLES -t filter -A INPUT \
> -i $INTERNET_INTERFACE \
> -d $INTERNET_ADDRESS \
> -p udp --dport $PORT \
> -j ACCEPT
> done
>
> # OUTPUT
>
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> for PORT in $OPEN_OUTGOING_TCP_PORTS; do
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -p tcp --dport $PORT \
> -j ACCEPT
> done
> for PORT in $OPEN_OUTGOING_UDP_PORTS; do
> $IPTABLES -t filter -A OUTPUT \
> -o $INTERNET_INTERFACE \
> -s $INTERNET_ADDRESS \
> -p udp --dport $PORT \
> -j ACCEPT
> done
Regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
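As an added illustration of the reply above (this is not code from the thread or from either poster), here is the quoted allow-list script rebuilt as one complete file, with the variables the original message never showed filled in for the three services the reply names: DNS 53/tcp and 53/udp, SSH 22/tcp, HTTP 80/tcp. It keeps the same chain layout (an ESTABLISHED,RELATED rule first, then one ACCEPT per listed port) and adds the two things a default-deny policy of this shape also needs: loopback traffic, which the interface match never covers, and an explicit default policy. The interface name and address are assumed placeholders. By default the script only prints the iptables commands so they can be reviewed; set APPLY_RULES=1 to execute them.

```shell
#!/bin/sh
# Added example, not the thread's own code: the quoted allow-list firewall
# as a complete file. Interface and address are assumptions.

INTERNET_INTERFACE="${INTERNET_INTERFACE:-eth0}"   # assumed interface
INTERNET_ADDRESS="${INTERNET_ADDRESS:-192.0.2.10}" # assumed (RFC 5737 test range)

# Ports this PC connects TO as a client. Name resolution uses 53/udp before
# it falls back to 53/tcp, so both are listed for DNS.
OPEN_OUTGOING_TCP_PORTS="53 22 80"
OPEN_OUTGOING_UDP_PORTS="53"
# Ports this PC SERVES. Keep empty unless a daemon really listens there;
# here only SSH for remote administration.
OPEN_INCOMING_TCP_PORTS="22"
OPEN_INCOMING_UDP_PORTS=""

# One ACCEPT rule, returned as the iptables command line so it can be read
# before it is run. Usage: rule INPUT|OUTPUT tcp|udp PORT
rule() {
    chain=$1 proto=$2 port=$3
    case $chain in
        INPUT)  dir="-i $INTERNET_INTERFACE -d $INTERNET_ADDRESS" ;;
        OUTPUT) dir="-o $INTERNET_INTERFACE -s $INTERNET_ADDRESS" ;;
        *) echo "rule: unknown chain $chain" >&2; return 1 ;;
    esac
    printf 'iptables -t filter -A %s %s -p %s --dport %s -j ACCEPT\n' \
        "$chain" "$dir" "$proto" "$port"
}

# The whole rule set as text, one command per line, in the order it must
# be loaded.
rules() {
    # Default deny: whatever the rules below do not match is dropped.
    echo 'iptables -t filter -P INPUT DROP'
    echo 'iptables -t filter -P OUTPUT DROP'
    # Loopback: the -i/-o $INTERNET_INTERFACE rules never match lo, yet local
    # resolvers and daemons talk over 127.0.0.1, so accept it explicitly.
    echo 'iptables -t filter -A INPUT -i lo -j ACCEPT'
    echo 'iptables -t filter -A OUTPUT -o lo -j ACCEPT'
    # Replies belonging to a connection already allowed in the other direction.
    printf 'iptables -t filter -A INPUT -i %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$INTERNET_INTERFACE" "$INTERNET_ADDRESS"
    printf 'iptables -t filter -A OUTPUT -o %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$INTERNET_INTERFACE" "$INTERNET_ADDRESS"
    # New connections, only on the listed ports.
    for p in $OPEN_INCOMING_TCP_PORTS; do rule INPUT  tcp "$p"; done
    for p in $OPEN_INCOMING_UDP_PORTS; do rule INPUT  udp "$p"; done
    for p in $OPEN_OUTGOING_TCP_PORTS; do rule OUTPUT tcp "$p"; done
    for p in $OPEN_OUTGOING_UDP_PORTS; do rule OUTPUT udp "$p"; done
}

# Number of generated commands; a quick sanity check for a dry run.
rule_count() { rules | wc -l | tr -d ' '; }

# Print for review by default; execute only when explicitly asked.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    rules | while IFS= read -r cmd; do $cmd; done
else
    rules
fi
```

Reading the generated list is the useful part of the dry run: every port the box is allowed to reach or serve appears as exactly one line, so a service that "does not work" can be checked against the list before touching the live rule set.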