-----Original Message-----
From: Bernd Petrovitsch [mailto:bernd@firmix.at]
Sent: 21 November 2006 10:13
To: Tim Edwards
Cc: netfilter@lists.netfilter.org
Subject: Re: (no subject)
> Yes. Just insert such a rule into the OUTPUT chain.
Ok I have the following rules but it still isn't cutting off existing
connections:
#!/bin/bash
# First flush all rules from the default chains (the DROP policy is set below)
iptables -F
# Second delete all the extra (user-defined) chains
iptables -X
# Set policy on the default chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow anything over loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh and http/s connections
iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix="INPUT REJECT" --log-level=info
iptables -A INPUT -j REJECT
# Allow already established ssh and http/s connections back out through the firewall
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix="OUTPUT REJECT" --log-level=info
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j LOG --log-prefix="FORWARD REJECT" --log-level=info
iptables -A FORWARD -j REJECT
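For the rule-ordering question in the script above, the following added example (not from the thread or from the netfilter project) models the first-match walk netfilter performs down a chain in plain Python; iptables is not invoked, so it runs unprivileged, and the packet fields, the sample packets and the ssh "kill" rule are assumed for illustration only.

```python
# Added example: a minimal model of how a netfilter chain is evaluated.
# Each rule is (criteria, target); criteria map a packet field to the set
# of values it may take. The first rule whose criteria all match wins and
# the chain policy applies if nothing matches. This is why a REJECT
# appended (-A) after "--state NEW,ESTABLISHED,RELATED -j ACCEPT" can
# never affect an existing connection, while the same rule inserted at
# the top (-I OUTPUT 1) can.

def matches(criteria, packet):
    """True when every field in criteria is present in packet with an allowed value."""
    return all(packet.get(field) in allowed for field, allowed in criteria.items())


def first_match(chain, packet, policy="DROP"):
    """Walk the chain in order and return the first matching target (else the policy)."""
    for criteria, target in chain:
        if matches(criteria, packet):
            return target
    return policy


# The posted OUTPUT rule, reduced to the fields this model needs.
STATE_ACCEPT = ({"state": {"NEW", "ESTABLISHED", "RELATED"}}, "ACCEPT")

# Hypothetical rule to cut an inbound ssh session: sshd's replies leave
# with source port 22, so the OUTPUT chain sees them as sport 22.
KILL_SSH = ({"proto": {"tcp"}, "sport": {22}}, "REJECT")


def appended_chain():
    """iptables -A OUTPUT ... : the kill rule lands after the state ACCEPT."""
    return [STATE_ACCEPT, KILL_SSH]


def inserted_chain():
    """iptables -I OUTPUT 1 ... : the kill rule is evaluated first."""
    return [KILL_SSH, STATE_ACCEPT]


# Constructed sample packets: a reply of an already-established ssh session
# and a reply of an established https session.
SSH_REPLY = {"proto": "tcp", "sport": 22, "state": "ESTABLISHED"}
HTTPS_REPLY = {"proto": "tcp", "sport": 443, "state": "ESTABLISHED"}

if __name__ == "__main__":
    print("appended:", first_match(appended_chain(), SSH_REPLY))   # ACCEPT
    print("inserted:", first_match(inserted_chain(), SSH_REPLY))   # REJECT
    print("https   :", first_match(inserted_chain(), HTTPS_REPLY)) # ACCEPT
```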