I'm setting up a server to operate as a tor relay and nothing else. I setup iptables to only allow talk on port 9001 and it worked fine, but there was an issue, the clock needs to be properly set and maintained for the relay to work properly, so I needed ntpd setup and running, but for some reason I can't get iptables to work as I want it. I'm trying to have it allow only tor and ntpd to talk over the network, but when I set it up to allow port 123 using udp, suddenly it ignores my -A OUTPUT ! -s 127.0.0.1 -j DROP and allows everything through. How should I go about this? Please excuse my ignorance, I've brand new to iptables.
I've gone through a number of permutations, but here are my rules as they stand now:
-A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
-A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT ! -s 127.0.0.1 -j DROP
-A OUTPUT ! -s 127.0.0.1 -j DROP
two generic hints. as first rules always put:
and then your regulars