I am not an iptables expert.
I have a use case to block all outgoing traffic that is not destined for either 10.0.0.0/8 or 167.114.0.0/16. I have two NIS servers (10.57.132.11, 10.57.132.40). I generated the below iptables ruleset which I thought would work, but if I run service iptables start, I am also unable to get ypbind to load. It times out on hitting the two NIS servers. I see nothing in the logs other than a timeout.
# Generated by iptables-save v1.4.7 on Fri Jul 17 11:08:39 2015
*filter
:INPUT ACCEPT [78622:10507056]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I OUTPUT -d 10.57.132.11 -j ACCEPT
-I OUTPUT -d 10.57.132.40 -j ACCEPT
-I OUTPUT -d 167.114.0.0/16 -j ACCEPT
-I OUTPUT -d 10.0.0.0/8 -j ACCEPT
-P OUTPUT DROP
COMMIT
# Completed on Fri Jul 17 11:08:39 2015
Any thoughts on what I'm doing wrong? Thanks, Jack.
UPDATE: To clarify, ypbind binds when iptables is off, but won't bind when I turn the above ruleset on. Since it is only filtering OUTPUT and those rules seem correct, I don't understand the problem and I can't find anything useful in the logs.
tl;dr: iptables is really literal, don't forget localhost rules.
Okay! Got it. Michael Hampton gave me the idea to use a logging rule (this was my first time). So I did the following:
From there, I started iptables and then attempted to restart ypbind and immediately saw this:
OH NO! It's blocking localhost. I added that to the output rule and got:
One more ypbind restart and
There you have it!
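An added illustration of the "iptables is really literal" point, not code from the question or the answer: a small first-match simulator for the OUTPUT chain. It parses the subset of iptables-save syntax used in the question (-I/-A with -d, -o, -j and --log-prefix, plus -P and :CHAIN policy lines) and walks the chain the way the kernel does: the first terminating match wins, LOG is non-terminating, and an unmatched packet falls through to the chain policy. The "fixed" ruleset is assumed, since the page does not show the exact lines the answer ended up with: it adds an ACCEPT on the lo interface and a trailing LOG rule in front of the DROP policy. The interface names and the log prefix are constructed for the example.

```python
"""First-match simulator for an iptables OUTPUT chain (added example)."""
import ipaddress
import shlex

CHAIN = "OUTPUT"

# Constructed input: the poster's OUTPUT rules from the question, verbatim.
ORIGINAL_RULES = """\
-I OUTPUT -d 10.57.132.11 -j ACCEPT
-I OUTPUT -d 10.57.132.40 -j ACCEPT
-I OUTPUT -d 167.114.0.0/16 -j ACCEPT
-I OUTPUT -d 10.0.0.0/8 -j ACCEPT
-P OUTPUT DROP
"""

# Constructed input (assumed, not the answer's literal lines): the same chain
# with an ACCEPT for loopback and a LOG rule just before the DROP policy so
# anything about to be dropped shows up in the kernel log. Written with -A so
# the file reads top-down in match order.
FIXED_RULES = """\
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.57.132.11 -j ACCEPT
-A OUTPUT -d 10.57.132.40 -j ACCEPT
-A OUTPUT -d 167.114.0.0/16 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
-P OUTPUT DROP
"""


def parse_rules(text):
    """Return (rules, policy) for CHAIN; each rule is a dict of matches and a target."""
    rules, policy = [], "ACCEPT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                          # comments, "*filter", "COMMIT"
        if line.startswith(":"):              # ":OUTPUT ACCEPT [0:0]"
            name, pol = line[1:].split()[:2]
            if name == CHAIN:
                policy = pol
            continue
        tok = shlex.split(line)
        cmd, chain, opts = tok[0], tok[1], tok[2:]
        if chain != CHAIN:
            continue
        if cmd == "-P":                       # "-P OUTPUT DROP" overrides the :OUTPUT line
            policy = opts[0]
            continue
        rule = {"dst": None, "oif": None, "target": None, "prefix": ""}
        i = 0
        while i < len(opts):                  # every supported option takes one argument
            flag, arg = opts[i], opts[i + 1]
            if flag == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif flag == "-o":
                rule["oif"] = arg
            elif flag == "-j":
                rule["target"] = arg
            elif flag == "--log-prefix":
                rule["prefix"] = arg
            else:
                raise ValueError(f"unsupported option {flag!r} in: {line}")
            i += 2
        if cmd == "-I":
            rules.insert(0, rule)             # -I with no position inserts at the top
        elif cmd == "-A":
            rules.append(rule)
        else:
            raise ValueError(f"unsupported command {cmd!r} in: {line}")
    return rules, policy


def evaluate(text, dst, oif="eth0"):
    """Walk the chain for one packet; return (verdict, list of log lines)."""
    rules, policy = parse_rules(text)
    addr = ipaddress.ip_address(dst)
    logs = []
    for rule in rules:
        if rule["dst"] is not None and addr not in rule["dst"]:
            continue
        if rule["oif"] is not None and rule["oif"] != oif:
            continue
        if rule["target"] == "LOG":           # non-terminating: record and keep walking
            logs.append(f"{rule['prefix']}OUT={oif} DST={dst}")
            continue
        return rule["target"], logs           # ACCEPT / DROP / REJECT end the walk
    return policy, logs                       # nothing matched: the chain policy decides


def verdict(text, dst, oif="eth0"):
    return evaluate(text, dst, oif)[0]


if __name__ == "__main__":
    # Packets to 127.0.0.1 leave via lo; ypbind's local RPC traffic takes that
    # path before it ever reaches the NIS servers, so a -d whitelist alone
    # starves it even though the NIS addresses themselves are allowed.
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for dst, oif in (("10.57.132.11", "eth0"), ("127.0.0.1", "lo"), ("203.0.113.10", "eth0")):
            v, logs = evaluate(rules, dst, oif)
            print(f"{name:8} {dst:>14} via {oif:4} -> {v:6} {logs}")
```

Running it shows the question's ruleset accepting the NIS servers yet dropping 127.0.0.1, which is the failure the answer tracked down; with the loopback rule the same packet is accepted, and a packet to an unlisted address now produces a log line before falling to the DROP policy, which is what the LOG rule is for.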