I was wondering if someone could help me with the following iptables rule:
We would like to allow ANY and ALL locally originating (as in, on the server running iptables) traffic.
DNS, HTTP, etc... all of it. Any connection initiated by the server running iptables should be allowed.
Currently we are using basically OUTPUT default policy, ACCEPT. Is this correct? Inputs are blocked, so I am assuming this means that the connections (except those we allow) cannot be started because they will be dropped before our side can hit the OUTPUT policy?
Sorry, my iptables skills are weak ;)
Thank you kindly.
You need two rules to do that:
Some notes: -I to force these rules to be first (iptables rules are evaluated top down); the -o and -i flags mean "out" and "in" respectively; replace eth0 with the proper ethernet interface name.
That's enough for OUTPUT because Netfilter doesn't need special rules to start stateful connection tracking.
But if you want to filter out inbound traffic according to a "default deny" policy, it can be done by switching the INPUT chain to DROP: iptables -P INPUT DROP
Afterwards it all would be set with just 2 rules:
Pay attention to the rule allowing input traffic on the loopback interface — as I pointed out in my blog posting "Minimal firewall for end user", unless allowed explicitly, loopback traffic won't be handled by "established" state checking, compared to return traffic over, say, eth0.
To ensure this minimal ruleset is loaded "as is" w/o interfering with rules that already might be there, it's convenient to make use of iptables-restore in a SHELL session:
Before doing that make sure you won't cut your own networking connection¹; although already open SSH sessions should continue to work normally, attempts to open new ones won't work.
__
¹ -A INPUT -j ACCEPT -p tcp --dport 22 — no need to tinker with -m state here. Also don't forget to fix lptables-restore back to iptables-restore before trying it out ;)
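As an added example (not the ruleset from either answer above), here is a small sh script that writes the minimal default-deny ruleset in iptables-restore format and refuses to load it if it would cut off SSH, the mistake the footnote warns about. It assumes the admin reaches the server over SSH on port 22 and only calls iptables-restore when run as root with --apply.

```shell
#!/bin/sh
# Added example, not code from either answer. Builds the minimal ruleset in
# iptables-restore format and checks it for the SSH lockout the footnote warns
# about before it is ever fed to iptables-restore. Assumptions: the admin
# reaches the box over SSH on port 22, and nothing is applied unless --apply
# is given on the command line (applying needs root).

# Print the ruleset for the given SSH port ($1, default 22).
minimal_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is not covered by the ESTABLISHED match, so allow it explicitly
-A INPUT -i lo -j ACCEPT
# replies to connections this host started (OUTPUT is ACCEPT, no rule needed)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new inbound SSH: a plain port match, no state match needed
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; return 0 if it keeps SSH ($1) reachable, 1 if it
# would lock the admin out (INPUT policy DROP and no ACCEPT for that port).
# The check is a plain pattern match on the "--dport N -j ACCEPT" spelling.
lockout_check() {
    ssh_port="${1:-22}"
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*--dport ${ssh_port} -j ACCEPT"
}

# Stand-alone use: show the ruleset; with --apply, load it only if the check
# passes (this replaces the whole filter table, as iptables-restore does).
main() {
    ruleset=$(minimal_ruleset 22)
    printf '%s\n' "$ruleset"
    [ "$1" = "--apply" ] || return 0
    if ! printf '%s\n' "$ruleset" | lockout_check 22; then
        echo "refusing to apply: ruleset would lock out SSH" >&2
        return 1
    fi
    printf '%s\n' "$ruleset" | iptables-restore
}

main "$@"
```

Run it without arguments to review the generated ruleset; run it as root with --apply to load it through iptables-restore.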