iptables templates

seth vidal skvidal at linux.duke.edu
Fri May 25 13:56:31 UTC 2007


On Fri, 2007-05-25 at 15:52 +0200, Benny Amorsen wrote:
> >>>>> "sv" == seth vidal <skvidal at fedoraproject.org> writes:
> 
> sv> Here's what I've used in the past. It allows connections for
> sv> certain ports/places and then drops everything else as the last
> sv> item.
> 
> sv> http://linux.duke.edu/~skvidal/misc/iptables-template
> 
> sv> it's pretty painless, really.
> 
> sv> If we want to add explicit outbound rules, too, that's fine, but
> sv> I'd advise enabling logging b/c that stuff is easy to get wrong.
> sv> :)
> 
> sv> This is just a sample but it's simple and straightforward.
> 
> The sample script accepts all non-syn TCP packets, whether they are
> related to an established connection or not. That is not necessarily a
> bad thing, I'm just pointing it out so people are aware of it.

Fair enough. Drop the -y and let the stateful handler earlier up take
care of it.

-sv
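The two rulesets discussed above, side by side, as an added example (not the iptables-template linked in the thread). It assumes Linux iptables with the conntrack match, reads the `-y` in the reply as the non-SYN match (`! --syn` in iptables syntax), and uses constructed sample ports, a constructed log prefix, and a hypothetical `--apply`/`--check` command line. Rules are printed rather than applied unless `--apply` is given, so the script can be read and checked without root.

```shell
#!/bin/sh
# Added illustration of the point raised in the thread; not the
# iptables-template linked above. Assumes Linux iptables with the
# conntrack match. Ports and the log prefix are constructed sample values.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules instead of applying them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Shared head of both rulesets: default-deny, loopback, stateful accept.
common_head() {
    run -P INPUT DROP
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Shared tail: per-port NEW connections, rate-limited log, final drop.
common_tail() {
    for port in 22 80 443; do
        run -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    run -A INPUT -j DROP
}

# The pattern Benny flagged: an extra rule that accepts every TCP packet
# without SYN set, whether or not conntrack knows the connection.
legacy_nonsyn_rules() {
    common_head
    run -A INPUT -p tcp ! --syn -j ACCEPT
    common_tail
}

# Seth's suggested fix: remove that rule; the ESTABLISHED,RELATED rule
# already in the head handles reply traffic for known connections.
stateful_rules() {
    common_head
    common_tail
}

# Reads a ruleset on stdin; succeeds only if the stateful ACCEPT precedes
# the catch-all DROP and no bare "! --syn" accept remains.
check_ruleset() {
    rules=$(cat)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP$' | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ] || return 1
    ! printf '%s\n' "$rules" | grep -q -- '! --syn'
}

case "${1:-}" in
    --apply) DRY_RUN=0; stateful_rules ;;
    --check) stateful_rules | check_ruleset && echo "ruleset OK" ;;
    *)       stateful_rules ;;
esac
```

Run with no arguments to print the corrected ruleset, `--check` to confirm the ordering invariant, or `--apply` (as root) to load it. Keeping the `INVALID` drop and the `ESTABLISHED,RELATED` accept ahead of the port rules is what makes the `! --syn` rule redundant; the rate-limited `LOG` before the final `DROP` is the logging Seth recommends so that a mistaken rule shows up in the kernel log instead of silently eating traffic.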
