Question:
What is wrong with my iptables rules?
Alex
2012-06-04 19:42:19 UTC
Hi,

I am trying to set minimal rules in my Linux iptables rules file. I just want to surf the internet.

Here it is:

*filter

-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

COMMIT

What else do I need to surf the internet?
Note: I want all other ports closed.
Thanks a lot. Regards
Three answers:
Robert J
2012-06-05 00:02:31 UTC
You can set the policy of the output chain to accept - there is no need to block anything on that.

The one to work with is INPUT, as that's where anything unwanted hits.

For that, you ideally want to set up 'stateful' rules, so input data is only accepted as a response to something your machine sends, and anything unsolicited (like port probing attempts) is dropped.

See the link for an example of working through a stateful setup.

Read the description of each section in the example carefully to decide what you need.

Once you have it set up, you can test it using the 'Shields Up' utility on grc.com.

(But if the machine is behind a NAT router without a DMZ route to it, you are testing the router firewall rather than that machine. If you enable DMZ for testing, don't forget to disable it again afterwards.)

If you have file sharing between machines, you need to also allow traffic to & from other machines on your local subnet.
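The stateful setup described in this answer, written out as a complete iptables-restore rules file. This is an added example, not the answerer's or the original poster's file; the LAN subnet 192.168.1.0/24 in the commented-out line is an assumed value for the file-sharing case.

```text
*filter
# Default policies: drop unsolicited inbound traffic, forward nothing,
# and leave all outbound traffic allowed (the OUTPUT chain stays open).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Local processes talk to each other over the loopback interface.
-A INPUT -i lo -j ACCEPT

# Stateful rule: only accept inbound packets that belong to (or are
# related to) a connection this machine started, e.g. HTTP/HTTPS
# responses and DNS replies to the outbound requests.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop packets the connection tracker cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# File sharing on the local network (assumed subnet, uncomment if needed):
# -A INPUT -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Anything else that reaches INPUT falls through to the DROP policy,
# so unsolicited connection attempts and port probes get no answer.
COMMIT
```

Load it with `iptables-restore < rules.v4` and confirm the chains and counters with `iptables -L -v -n`; the counters on the ESTABLISHED,RELATED rule should rise as you browse, while the INPUT policy counter records what was dropped.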
ʄaçade
2012-06-05 02:53:25 UTC
Hmm. Your browser connects to a REMOTE computer on, say, port 80. That means that the REMOTE web server needs to have port 80 open for you.

Opening YOUR port 80 does nothing. Nothing unless YOU are running a web server.

Same for the other ports. Your firewall rules are there to prevent someone connecting to YOUR MACHINE. They do not prevent you from connecting to the outside.

Added: Hmmm. Let me re-think that. Make some trails.

Added: {I used to be better at this stuff.}

It looks like you want to use the default ACCEPT rules for all out-going packets. So I think now that you need to leave the OUTPUT chain alone because it normally ACCEPTS all.

Thus you would only need to reject in-coming connexion requests.

(Clearly I need to re-review this.)
keerok
2012-06-05 03:32:00 UTC
I find that Linux default values are enough on their own. I only play around with the settings if I want to completely block a computer from connecting to the internet. By default, the installation will allow internet connection automatically. Usually, merely providing an IP address for the default gateway is enough to allow connection to the internet if there are no hardware installation issues.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.