
RE: (no subject)

To: <netfilter@lists.netfilter.org>
Subject: RE: (no subject)
From: "Tim Edwards" <t.edwards@tideway.com>
Date: Tue, 21 Nov 2006 13:26:32 -0000
> -----Original Message-----
> From: Bernd Petrovitsch [mailto:bernd@firmix.at]
> Sent: 21 November 2006 10:54
> To: Tim Edwards
> Cc: netfilter@lists.netfilter.org
> Subject: RE: (no subject)
> 
> On Tue, 2006-11-21 at 10:44 +0000, Tim Edwards wrote:
> >
> > -----Original Message-----
> > From: Bernd Petrovitsch [mailto:bernd@firmix.at]
> > Sent: 21 November 2006 10:13
> > To: Tim Edwards
> > Cc: netfilter@lists.netfilter.org
> > Subject: Re: (no subject)
> >
> > > Yes. Just insert such a rule into the OUTPUT chain.
> >
> > Ok I have the following rules but it still isn't cutting off existing
> > connections:
> 
> Yup.
> 
> > #!/bin/bash
> >
> > # First clear all rules (and set the policy to DROP on the default
> > # chains)
> > iptables -F
> > # Second delete all the extra (user-defined) chains
> > iptables -X
> > # Set policy on the default chains
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > # allow anything over loopback
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> > # Allow incoming ssh and http/s connections
> > iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
> > iptables -A INPUT -j LOG --log-prefix="INPUT REJECT" --log-level=info
> > iptables -A INPUT -j REJECT
> > # Allow already established ssh and http/s connections back out
> > # through the firewall
> > iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> This allows all existing connections. If the above comment should be
> correct, you probably forgot here something.
> 
> > iptables -A OUTPUT -j LOG --log-prefix="OUTPUT REJECT" --log-level=info
> > iptables -A OUTPUT -j REJECT
> > iptables -A FORWARD -j LOG --log-prefix="FORWARD REJECT" --log-level=info
> > iptables -A FORWARD -j REJECT

Good point, that line was definitely wrong. What I'm trying to do is
block all traffic, including active connections, except incoming ssh and
http/s connections. From testing I've found the above does block all
traffic while allowing ssh and http/s in, but doesn't cut off existing
connections.

I've tried this line instead of the one above but now all traffic,
including incoming ssh and http/s, seems to be blocked:
iptables -A OUTPUT -m tcp -m multiport --sports 22,80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Any suggestions?

Thanks

Tim
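Added example (editor's, not code from the thread): the same rule set as an iptables-restore file, with the OUTPUT rule changed so that only ESTABLISHED,RELATED packets leaving from source ports 22, 80 and 443 are accepted; `-p tcp` is included because `-m multiport` needs a protocol, and NEW is left out so the host can never originate a connection. Packets of sessions that existed before the rules were loaded then match no ACCEPT rule on either chain and are logged and rejected, whatever conntrack still remembers about them. The `iptables-restore` path is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the rule set by default;
# "--apply" loads it atomically with iptables-restore (needs root).
RESTORE="${RESTORE:-iptables-restore}"   # assumed path to iptables-restore

ruleset() {
    cat <<'EOF'
*filter
# Default policies: everything not explicitly accepted is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is unrestricted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Inbound ssh and http/s, regardless of conntrack state.
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT REJECT " --log-level info
-A INPUT -j REJECT
# Outbound: only replies belonging to those inbound sessions. -p tcp is
# required by multiport; the state list deliberately omits the state that
# would let the host open connections, and the source-port match excludes
# replies of any other session that is already established.
-A OUTPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT REJECT " --log-level info
-A OUTPUT -j REJECT
-A FORWARD -j LOG --log-prefix "FORWARD REJECT " --log-level info
-A FORWARD -j REJECT
COMMIT
EOF
}

apply_ruleset() {
    ruleset | "$RESTORE"
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *) ruleset ;;
esac
```

Because iptables-restore replaces the whole filter table in one commit, there is no window where the chains are flushed but the policies not yet set.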