Stephen Gran on 17 Jan 2005 20:57:59 -0000
On Mon, Jan 17, 2005 at 03:42:51PM -0500, Jeff Abrahamson said:
> I'm setting up IP tables on my lab's machines at work. (Something
> exists, but we don't like what's there by default.)
>
> I'm curious what others think of this script (attached). Do you
> believe the comments and the code make the same statements?
>
> I want to say for one machine that outgoing packets are allowed only
> if they are part of an ssh or http connection that an external party
> is trying to establish or has established. But I don't see how this
> is done.
>
> I'm also rather unclear on how to say, "Accept packets on connections
> that are already established or where we've begun a handshake,
> regardless of port."
>
> Anyone see any rules I ought to have that I don't?
>
> Thanks much for any help or suggestions.

I think you want the state module, e.g.:

$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

HTH,
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Anyone can hold the helm when the sea |
|  steve@lobefin.net             | is calm.   -- Publius Syrus           |
|  http://www.lobefin.net/~steve |                                       |
--------------------------------------------------------------------------

Attachment: pgp2VVOgv9OQl.pgp
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
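As an added example (this is not Jeff's attached script and not code from the thread), the following sh script spells out the full policy the original question describes, built around the state-module rules in the reply above: default DROP on every chain, ESTABLISHED/RELATED accepted regardless of port, and NEW connections accepted only inbound to ssh and http. Because the OUTPUT chain never accepts NEW, the host can only send packets that belong to a connection an outside party initiated, which is exactly the "outgoing only as part of an ssh or http connection" requirement. The port numbers and the `apply` argument are assumptions for illustration; `build_rules` takes the command to run as its first argument so that passing `echo` prints the ruleset without root or a live netfilter.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables policy for a host that
# only serves ssh and http and never opens outbound connections.
# Assumed ports; adjust for the real host.
SSH_PORT=22
HTTP_PORT=80

# build_rules CMD
#   CMD is the iptables binary to invoke, or "echo" for a dry run that
#   prints each rule instead of loading it.
build_rules() {
    cmd="$1"

    # Start from a clean table and drop everything not matched below.
    "$cmd" -F
    "$cmd" -P INPUT DROP
    "$cmd" -P OUTPUT DROP
    "$cmd" -P FORWARD DROP

    # Loopback traffic is unconditionally allowed.
    "$cmd" -A INPUT -i lo -j ACCEPT
    "$cmd" -A OUTPUT -o lo -j ACCEPT

    # "Accept packets on connections that are already established, or
    # related to one, regardless of port": the conntrack state match.
    # RELATED covers things like ICMP errors for an existing flow.
    "$cmd" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$cmd" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify (stray ACKs, bad sequence
    # numbers) are dropped before any NEW rule can see them.
    "$cmd" -A INPUT -m state --state INVALID -j DROP

    # The only NEW connections accepted are inbound ssh and http.
    # There is deliberately no NEW rule on OUTPUT: the host may answer
    # on those connections but cannot initiate its own.
    "$cmd" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    "$cmd" -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT
}

# Usage: sh stateful-rules.sh          -> print the rules (dry run)
#        sh stateful-rules.sh apply    -> load them with iptables (root)
case "${1:-}" in
    apply) build_rules iptables ;;
    *)     build_rules echo ;;
esac
```

One consequence worth checking before loading this on a lab box: with OUTPUT defaulting to DROP and no NEW rule, DNS lookups, package updates and outbound ssh from that machine all stop working, so run it with `echo` first and compare the printed rules against what the comments in the attached script claim. On kernels where the `state` match has been folded into `conntrack`, `-m conntrack --ctstate` takes the same state names.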