sean finney on 18 Jan 2005 17:14:04 -0000

On Mon, Jan 17, 2005 at 11:06:19PM -0500, Stephen Gran wrote:
> > iptables -P OUTPUT DROP
> > iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
> >
> > That will drop all outgoing traffic except SSH or HTTP sessions and
> > connections that are already open or logically related to those that
> > are already open (which in the case of HTTP is none).
>
> Minor nitpick - I think Jeff said that this machine hosted an ssh and http
> _server_, so he wants sport rather than dport above. Otherwise, well
> said.

In that case he'd also want to use the INPUT chain, not the OUTPUT chain.
Of course, doing both would always be a good idea too:

iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

You'll also find that if you're blocking your output chain, you'll need to
make various other holes as well, like for your distribution's local ftp
mirror, dns, ntp, etc.

sean

Attachment: signature.asc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
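The thread above discusses which chain and which port match to use when the machine is the SSH/HTTP server, and then notes the extra outbound holes (DNS, NTP, the local mirror) that a DROP policy on OUTPUT forces you to punch. The script below is an added example written for this page; it is not code from the thread or from any poster. It builds one coherent ruleset for that case: served ports are matched with --dport on INPUT (a --sport match on INPUT would only ever see replies to connections this host itself opened, which the RELATED,ESTABLISHED rule already covers), and the outbound holes the post mentions are spelled out explicitly. The resolver, NTP and mirror addresses are placeholders from the TEST-NET range and are assumptions, as are the loopback, logging and rate-limit rules, which go beyond what the post shows. Without APPLY=1 the script only prints the iptables commands, so it can be inspected without root and without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a ruleset for a box that *serves* SSH
# and HTTP and also restricts what it may talk to outbound. The addresses
# below are assumptions (TEST-NET placeholders); replace them with your own.
# Run with APPLY=1 as root to load the rules; otherwise they are only printed.

RESOLVER="${RESOLVER:-192.0.2.53}"        # assumed DNS resolver
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"   # assumed NTP server
MIRROR="${MIRROR:-192.0.2.80}"            # assumed local distribution mirror

# Print the command, or run it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

gen_rules() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback: local daemons (caching resolvers, X, etc.) break without it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to a connection either side has already opened.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Services this host serves: new connections arrive on INPUT and are
    # matched by their *destination* port. Their replies leave through the
    # ESTABLISHED rule above, so no --sport rule is needed on either chain.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # With OUTPUT defaulting to DROP, the box's own clients need explicit holes.
    ipt -A OUTPUT -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$RESOLVER" --dport 53 -j ACCEPT   # large answers retry over TCP
    ipt -A OUTPUT -p udp -d "$NTP_SERVER" --dport 123 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$MIRROR" --dport 80 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$MIRROR" --dport 21 -j ACCEPT     # FTP control; data channel needs the ftp conntrack helper to be RELATED

    # Log what the DROP policies are about to eat, rate-limited.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix in-drop:
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix out-drop:
}

# Sanity checks on the generated ruleset (exit status 0 = pass).
serves_port() {           # serves_port 22: does INPUT accept new connections to port 22?
    gen_rules | grep -q -- "-A INPUT -p tcp --dport $1 .*-j ACCEPT"
}
no_sport_on_input() {     # a server ruleset should never need --sport on INPUT
    ! gen_rules | grep -q -- '-A INPUT .*--sport'
}

gen_rules
```

Load it from the console, or at least from a session you can afford to lose, before trusting it over SSH; if the ESTABLISHED rule is missing or mistyped, the DROP policy on OUTPUT kills your own session the moment the policy is set. The state match is what the 2005-era tools offered; on current kernels -m conntrack --ctstate is the equivalent and the rules are otherwise unchanged.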