Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

doubled rules/chains for INPUT/OUTPUT ?
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
genitus
Tux's lil' helper
Tux's lil' helper


Joined: 07 Jun 2007
Posts: 87
Location: Europe
PostPosted: Sun Jul 08, 2007 10:47 pm    Post subject: doubled rules/chains for INPUT/OUTPUT ? Reply with quote
for example i have a rule to allow only INPUT packets from several services :
Code:

iptables -P INPUT DROP

iptables -A INPUT -j services


iptables -N services
iptables -A services -p tcp --sport 80 -j ACCEPT
iptables -A services -p tcp --sport 443 -j ACCEPT
iptables -A services -p ALL -j RETURN


but now i want also to allow the same services (http/https) for OUTPUT packets .
do i need a doubled "services"-chain then (with --dport instead --sport) for OUTPUT packets ?

isn't there a better solution ?


greetings
Back to top
View user's profile Send private message
didymos
Advocate
Advocate


Joined: 10 Oct 2005
Posts: 4798
Location: California
PostPosted: Sun Jul 08, 2007 11:13 pm    Post subject: Reply with quote
Usually, it's alright to just have the OUTPUT policy as ACCEPT, since anything going out is coming from your machine. Now, if you want to allow only those services out, then you'll need specific rules.
_________________
Thomas S. Howard
Back to top
View user's profile Send private message
genitus
Tux's lil' helper
Tux's lil' helper


Joined: 07 Jun 2007
Posts: 87
Location: Europe
PostPosted: Mon Jul 09, 2007 1:03 am    Post subject: Reply with quote
well , i think specifying the OUTPUT chain should be rather commonly used ( although it is maybe
pointless for a simple single user desktop machine ), so i wonder if there is not a better way instead of having
to make rules for the exactly same services for input and output chain...


also i wonder why you can/need to specify an INPUT interface like "lo" and for OUTPUT an interface can not be defined...
is it not OUTPUT when i "ping localhost" ?... i guess when you want to specify OUTPUT interface specific rules then you need to
use a routing chain , but anyway strange....
Back to top
View user's profile Send private message
didymos
Advocate
Advocate


Joined: 10 Oct 2005
Posts: 4798
Location: California
PostPosted: Mon Jul 09, 2007 2:49 am    Post subject: Reply with quote
You can specify:
Quote:

-o, --out-interface [!] name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING
chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in
a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will
match.


You're probably used to thinking '-i' means interface, which makes sense given how many commands use it that way.
_________________
Thomas S. Howard
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy