From: "IT Clown" <iptables@mailbox.co.za>
To: netfilter@lists.netfilter.org
Subject: Re: client on local network
Date: Sun, 28 Mar 2004 13:36:22 +0200
Message-ID: <web-269346104@mail01.infosat.net>
In-Reply-To: <200403281213.26394.Antony@Soft-Solutions.co.uk>
Hi
Thanks for the help there, now I understand the iptables -A
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT. I
never looked at it that it sends the data back to the
OUTPUT rules that made a connection, thanks.
Regards
On Sun, 28 Mar 2004 12:13:26 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Sunday 28 March 2004 12:02 pm, Antony Stone wrote:
>
> > On Sunday 28 March 2004 11:49 am, IT Clown wrote:
> > > Hi
> > >
> > > I have just finished reading netfilter howto and I'm just
> > > over halfway with Oskar Andreasson's tutorial. Here is my
> > > rule again, does this look correct?
> >
> > You should be using the "-m state --state ESTABLISHED,RELATED" match in
> > your INPUT chain to allow in replies to packets which went out, but not to
> > allow new connections from outside (especially to any service on the
> > firewall).
> >
> > See Chapter 4 of Oskar's tutorial.
>
> Here is an example, to allow browsing *from* the local machine, but no access
> from anywhere else *to* the local machine.
>
> # Set default DROP policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # Allow out the packets we want
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
>
> # Allow the replies back in again
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Done.
>
> Regards,
>
> Antony.
>
> --
> Perfection in design is achieved not when there is nothing left to add, but
> rather when there is nothing left to take away.
>
> - Antoine de Saint-Exupery
>
> Please reply to the list;
>
> please don't CC me.
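The "sends the data back to the OUTPUT rules that made a connection" intuition above, as an added example that is not from the thread: a toy Python model of Antony's quoted ruleset with a minimal connection-tracking table, so the state match's ESTABLISHED and RELATED decisions can be followed packet by packet. The Packet format, addresses and ports are constructed for the demo; real conntrack also tracks sequence numbers, timeouts and protocol helpers.

```python
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; related_to carries, for ICMP errors, the 5-tuple
# of the flow the error message quotes (what makes such a packet RELATED).
Packet = namedtuple("Packet", "proto src sport dst dport related_to", defaults=[None])

def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class StatefulFilter:
    ALLOWED_OUT = {("tcp", 53), ("udp", 53), ("tcp", 80)}  # the three OUTPUT rules

    def __init__(self):
        self.conntrack = set()  # 5-tuples opened by packets the OUTPUT chain accepted

    def state(self, p):
        """Like the state match: a packet on a tracked flow (either direction) is
        ESTABLISHED, an ICMP error quoting a tracked flow is RELATED, else NEW."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow_key(p) in self.conntrack or reverse in self.conntrack:
            return "ESTABLISHED"
        if p.proto == "icmp" and p.related_to in self.conntrack:
            return "RELATED"
        return "NEW"

    def output(self, p):
        """OUTPUT chain: policy DROP; only new flows to the listed ports go out."""
        if (p.proto, p.dport) not in self.ALLOWED_OUT:
            return "DROP"
        self.conntrack.add(flow_key(p))  # the accepted packet creates the entry
        return "ACCEPT"

    def input(self, p):
        """INPUT chain: policy DROP; the single rule is the state match."""
        return "ACCEPT" if self.state(p) in ("ESTABLISHED", "RELATED") else "DROP"

def demo():
    """Run constructed packets through the filter (all addresses are made up)."""
    fw = StatefulFilter()
    query = Packet("udp", "10.0.0.5", 5353, "192.0.2.53", 53)
    return {
        "dns_out": fw.output(query),
        "dns_reply_in": fw.input(Packet("udp", "192.0.2.53", 53, "10.0.0.5", 5353)),
        "ssh_in": fw.input(Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22)),
        "fake_reply_in": fw.input(Packet("udp", "192.0.2.53", 53, "10.0.0.5", 9999)),
        "icmp_error_in": fw.input(Packet("icmp", "192.0.2.53", 0, "10.0.0.5", 0,
                                         related_to=flow_key(query))),
        "https_out": fw.output(Packet("tcp", "10.0.0.5", 40001, "203.0.113.1", 443)),
    }
```

The fake_reply_in case shows why an unsolicited packet from port 53 is still dropped: no OUTPUT packet ever created that flow. The https_out case makes visible that the quoted ruleset only lets new flows out to ports 53 and 80.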