[EMAIL PROTECTED] wrote:

If you want to see the full script go to

http://huizen.dto.tudelft.nl/devries/security/iptables_example.nl.html

for an explanation and to

http://huizen.dto.tudelft.nl/devries/files/iptables_files.tar.gz

for the archive. Currently there's only a Dutch explanation available,
but I am translating it into English for another reader of the debian lists.  I expect 
to have it available this weekend. I'll post the new link then.  'Til then you should 
be able to figure things out from the shell-scripts in the archive.


That's fantastic, thanks! The web page was what I really needed before, from what I can see without understanding Dutch ;) The scripts were very clear and understandable too. Why doesn't the netfilter.org documentation page link to you? :D


I think I was having a bit of a brain-fart. I didn't get my head around the packet nature of this (durr!), rather thinking in connection terms. Packets flow in and out for a single connection - the concept of incoming and outgoing connections is irrelevant! Anyway, I think I have the basics sussed, so when I have time, I will integrate some nicer scripts like the ones on those URLs, and make it more maintainable and understandable, etc.

Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:domain
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:www state ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state ESTABLISHED udp spt:ntp
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ntp state ESTABLISHED
DROP       all  --  anywhere    anywhere


Chain FORWARD (policy DROP)
target     prot opt source      destination
DROP       all  --  anywhere    anywhere

Chain OUTPUT (policy DROP)
target     prot opt source      destination
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state NEW,ESTABLISHED udp dpt:domain
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:www state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere    anywhere    state NEW,ESTABLISHED udp dpt:ntp
ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ntp state NEW,ESTABLISHED
DROP       all  --  anywhere    anywhere



Thanks again to all who helped, Malc


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
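The listing above, rebuilt as a stateful ruleset that applies the point made in the post (the firewall judges packets, and connection tracking decides which connection a packet belongs to). This is an added example for this page; it is not Malc's script nor the one in the linked archive. It assumes a single host that offers only ssh, may open ssh, smtp, dns, http and ntp connections outward, and forwards nothing; the port lists, the `IPT` variable and the `apply` argument are this example's own conventions.

```shell
#!/bin/sh
# Stateful single-host firewall (added example, not the poster's script).
# Assumed: host serves ssh only; may initiate ssh, smtp, dns, http, ntp.
#
#   sh firewall.sh apply            # as root: installs the rules
#   IPT=echo sh firewall.sh apply   # dry run: prints the commands only

IPT="${IPT:-iptables}"

# Services this host may initiate (OUTPUT side, NEW allowed).
TCP_OUT="22 25 53 80 123"   # ssh smtp domain www ntp
UDP_OUT="53 123"            # domain ntp
# Services this host offers (INPUT side, NEW allowed).
TCP_IN="22"                 # ssh

reset_tables() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  DROP
}

state_rules() {
    # Loopback unconditionally; many local daemons depend on it.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Connection tracking decides per packet whether it belongs to a
    # connection that was already allowed, so one rule per chain replaces
    # a source-port rule per service. RELATED admits ICMP errors about
    # tracked connections and helper-tracked data channels (e.g. ftp).
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets the tracker cannot place (stray ACKs, malformed probes).
    $IPT -A INPUT  -m state --state INVALID -j DROP
}

service_rules() {
    # Only the first packet of each connection is judged here; every
    # later packet in either direction is handled by state_rules.
    for p in $TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $TCP_OUT; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_OUT; do
        $IPT -A OUTPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Ping: echo requests are NEW; the replies come back as ESTABLISHED,
    # so there is no need to accept all of ICMP in either direction.
    $IPT -A INPUT  -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
}

apply_rules() {
    reset_tables
    state_rules
    service_rules
    # Explicit terminal DROPs so 'iptables -L -v' shows a drop counter,
    # even though the chain policies already drop.
    $IPT -A INPUT  -j DROP
    $IPT -A OUTPUT -j DROP
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with `IPT=echo` first and read the generated commands before applying them as root. Note that `--state ESTABLISHED` already ties a reply packet to the connection this host opened, so the per-service `spt:` rules in the listing above add no restriction that the single ESTABLISHED rule does not; what they do cost is a rule per service that has to be kept in step with the OUTPUT side.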



