Hello to everybody,
I'm trying to configure iptables to allow only web-browsing.
My idea is:
1) set a DROP policy on every chain
2) allow input from connections that are already established
3) add rules to allow new connections in the OUTPUT chain on ports 80 (HTTP), 443 (HTTPS) and 53 (DNS)
the command:
# iptables -L -v -n
gave me this:
Chain INPUT (policy DROP 1 packets, 36 bytes)
pkts bytes target prot opt in out source destination
11785 8242K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 127.0.0.0/8 127.0.0.0/8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 129 packets, 7884 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:443 state NEW,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:443 state NEW,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:80 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:53 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:53 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 127.0.0.0/8 127.0.0.0/8
If I change the OUTPUT policy to ACCEPT, it works fine, so I guess points 1 and 2 are configured correctly.
When I change the OUTPUT policy to DROP, like in the example above, it doesn't work.
It's the first time I've tried to configure the firewall manually, so maybe I'm making some trivial error.
Last edited by EnergiaPotenziale (2015-05-03 15:28:23)
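Every ACCEPT rule in the OUTPUT chain of the dump above matches spt: (source port). A browser's outbound request leaves from an ephemeral source port and carries the service port as its destination (dpt:), so none of those rules ever match and the DROP policy wins, which is exactly the 129 dropped packets the policy counter shows. The following lint, an added example and not the poster's code, reads `iptables -L -v -n` output from stdin and flags OUTPUT rules that accept NEW connections by source port; the constructed sample is the dump from the first post, and the "fixed" sample is an assumed corrected version of its OUTPUT chain.

```sh
#!/bin/sh
# Added example (not from the thread): lint `iptables -L -v -n` output for
# OUTPUT-chain rules that accept NEW connections by SOURCE port (spt:).
# Such a rule never matches a client's outbound requests, whose service
# port is the DESTINATION (dpt:), so the chain's DROP policy applies.

lint_output_chain() {
    # Reads the dump on stdin; prints each suspicious OUTPUT rule and
    # exits 1 if any were found, 0 otherwise.
    awk '
        /^Chain / { chain = $2; next }
        chain == "OUTPUT" && /spt:/ && /NEW/ {
            n++
            print "OUTPUT rule matches source port, not destination: " $0
        }
        END { exit (n > 0) }
    '
}

# Constructed sample: the dump posted in the first message of the thread.
SAMPLE_DUMP='Chain INPUT (policy DROP 1 packets, 36 bytes)
pkts bytes target prot opt in out source destination
11785 8242K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 127.0.0.0/8 127.0.0.0/8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 129 packets, 7884 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:443 state NEW,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:443 state NEW,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:80 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp spt:53 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp spt:53 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 127.0.0.0/8 127.0.0.0/8'

# Constructed sample: an assumed corrected OUTPUT chain keyed on dpt:.
FIXED_DUMP='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- * * 192.168.1.252 0.0.0.0/0 tcp dpt:443 state NEW
0 0 ACCEPT udp -- * * 192.168.1.252 0.0.0.0/0 udp dpt:53 state NEW'

count_suspicious() {
    # Number of flagged rules in the thread's dump (6: every OUTPUT rule with spt:).
    printf '%s\n' "$SAMPLE_DUMP" | lint_output_chain | grep -c 'source port'
}

count_fixed() {
    # Number of flagged rules in the corrected chain (0).
    printf '%s\n' "$FIXED_DUMP" | lint_output_chain | grep -c 'source port'
}
```

Usage on a live host is `iptables -L -v -n | sh -c '. ./lint.sh; lint_output_chain'` or simply piping the dump into the function after sourcing the file; a non-zero exit marks the chain as worth a second look.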
You must work with destination ports ( --dport ) in the OUTPUT chain.
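For reference, the complete ruleset the thread arrives at, written out as an added example (it is not the poster's or the replier's code). It assumes the host address 192.168.1.252 from the dump, keys every OUTPUT rule on the destination port with --dport, and uses the conntrack match, which is the current form of the state match shown in the dump. The script prints the commands for review by default and only executes them when run as root with the argument "apply".

```sh
#!/bin/sh
# Added example (not from the thread): "web browsing only" filter ruleset
# with OUTPUT rules keyed on DESTINATION ports (--dport), the fix the
# replier points out. Assumes the host address seen in the poster's dump.
#   sh webonly.sh            -> print the commands for review (default)
#   sudo sh webonly.sh apply -> execute them

IPT="${IPT:-iptables}"             # path to the iptables binary
LAN_IP="${LAN_IP:-192.168.1.252}"  # assumed: this host's address from the dump

build_rules() {
    # Emit one complete iptables command per line, in the order they run.
    cat <<EOF
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -s $LAN_IP -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -s $LAN_IP -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -s $LAN_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -s $LAN_IP -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

apply_rules() {
    # Run each generated command and stop at the first failure, so a
    # half-applied ruleset is reported instead of silently left in place.
    build_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-preview}" in
    apply)   apply_rules ;;
    preview) build_rules ;;
esac
```

Only NEW connections need explicit OUTPUT rules; the replies to them are covered by the RELATED,ESTABLISHED rule, and INPUT keeps its DROP policy so nothing unsolicited reaches the host. TCP port 53 is allowed alongside UDP because resolvers fall back to TCP for large answers.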
Thanks man (y) ... it works. I mistakenly used --sport instead of --dport.
After the change it worked.