marineunit n00b
Joined: 20 Apr 2007 Posts: 8
Posted: Sun Jul 06, 2008 10:07 am Post subject: [solved] ip tables - how do i block all except blah |
Hi! I just started using iptables today and I'm having some troubles. I'm not setting up a server or gateway of any kind. I'm doing this on my PC that I use for web browsing. My PC is connected directly to the Internet via cable modem.
How do I make iptables block all packets except those with destination port 80?
I tried this:
Code:
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
and iptables -L shows this:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:http
DROP       all  --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination
But when I use this setting I can't visit websites. I read elsewhere that iptables do rules in order, so shouldn't this work?
Thanks.
Last edited by marineunit on Mon Jul 07, 2008 12:07 am; edited 1 time in total
Akhouk Guru
Joined: 23 May 2003 Posts: 476 Location: The Two Niles, Africa
Posted: Sun Jul 06, 2008 11:13 am Post subject: |
You will also need to accept DNS packets coming in otherwise you won't be able to resolve any websites.
You might want to add a rule to enable anything that is already connected.
Code:
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
Before the drop line.
Do you mean that you want people to access port 80 on your local machine?
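Why the two rules in the first post break browsing, shown as an added toy simulation (not code from any post in this thread): a first-match walk over the INPUT chain, with connection-tracking state modelled as a flag on each constructed sample packet. The port numbers and the Packet/Rule/verdict names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int          # source port
    dport: int          # destination port
    established: bool   # would conntrack see this as a reply to a flow we started?

@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    state: Optional[str] = None     # "ESTABLISHED" or None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.state == "ESTABLISHED" and not p.established:
            return False
        return True

def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides, as in netfilter."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The original poster's INPUT chain: accept tcp to port 80, then drop everything.
ORIGINAL = [Rule("ACCEPT", proto="tcp", dport=80), Rule("DROP")]
# Akhouk's fix: insert an ESTABLISHED accept ahead of the drop rule.
FIXED = [Rule("ACCEPT", state="ESTABLISHED")] + ORIGINAL

# Constructed sample packets. A web server's reply arrives with *source* port 80
# and the browser's ephemeral port as destination, so --dport 80 never matches it.
HTTP_REPLY = Packet("tcp", sport=80, dport=51234, established=True)
DNS_REPLY = Packet("udp", sport=53, dport=40001, established=True)
# An unsolicited inbound connection attempt; not part of any flow we started.
NEW_INBOUND = Packet("tcp", sport=44444, dport=22, established=False)

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, verdict(chain, HTTP_REPLY), verdict(chain, DNS_REPLY), verdict(chain, NEW_INBOUND))
```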
nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Sun Jul 06, 2008 12:39 pm Post subject: |
Do you want to block connections TO or FROM your computer?
Right now (with the INPUT chain) you are blocking incoming traffic.
If you want to disable outgoing traffic you will have to drop in the OUTPUT chain.
Heed the advice about port 53 (DNS) and you might want to consider allowing port 443 (https) too.
HTH.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Sun Jul 06, 2008 12:57 pm Post subject: |
I would change the policy to DROP - depending on the direction - and then open those ports you need.
For average web browsing that would be 53 (DNS), 80 (http), 443 (https). If you browse to some more exotic - but still rather normal - page, you might want to include 8000 and 8080.
And as Akhouk suggested, don't forget the ESTABLISHED policy.
infernus n00b
Joined: 11 Jan 2008 Posts: 24 Location: US
Posted: Sun Jul 06, 2008 11:29 pm Post subject: |
Here man I think I have an idea what you want..
Try something like this:
Code:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
Pretty simple, but if ALL you do is web browsing you should be able to use that.
marineunit n00b
Joined: 20 Apr 2007 Posts: 8
Posted: Mon Jul 07, 2008 12:07 am Post subject: |
Thanks, I had to open those other ports and now it's working.