Mailinglist Archive: opensuse (4570 mails)

Re: [SLE] A question for the iptables gurus. :)
  • From: Ian Marlier <ian.marlier@xxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 4 Nov 2005 13:06:07 +0000 (UTC)
  • Message-id: <BF90C6ED.2DF8E%ian.marlier@xxxxxxxxxxxxxxxxxxx>
> From: Ian Marlier <ian.marlier@xxxxxxxxxxxxxxxxxxx>
> Date: Fri, 04 Nov 2005 08:00:20 -0500
> To: sle <suse-linux-e@xxxxxxxx>
> Conversation: [SLE] A question for the iptables gurus. :)
> Subject: Re: [SLE] A question for the iptables gurus. :)
>
>> From: Ben Rosenberg <red.kryptonite@xxxxxxxxx>
>> Date: Thu, 3 Nov 2005 20:44:02 -0800
>> To: sle <suse-linux-e@xxxxxxxx>
>> Subject: [SLE] A question for the iptables gurus. :)
>>
>> I'm trying to write some iptables rules so that I can let someone
>> telnet to machines on a 10.0.0.0 network but not allow them to telnet
>> anywhere else.. effectively blocking outbound telnet to ANYTHING
>> except the machines on the 10.0.0.0 network. I thought I had it but I
>> guess I don't. The rules are as follows...
>>
>> # allow outgoing telnet traffic
>> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 10.0.0.0/8 --dport 23 -j ACCEPT
>> # block all other outgoing telnet traffic
>> /usr/sbin/iptables -A FORWARD -p TCP -i eth2 -d 0/0 --dport 23 -j DROP
>>
>> This machine is a Compaq DL760 with 2 dual port 10/100 cards in it and
>> eth2 is the first port on card 2.
>
> Right idea, but I think what you're actually looking for is the OUTPUT
> chain...could be wrong on that, though.
>
> Regardless: the default policy for the base iptables chains is ACCEPT, so
> I'd narrow it down to a single rule by doing:
>
> `iptables -A OUTPUT -p TCP -i eth2 -d ! 10.0.0.0/8 --dport 23 -j DROP`
>
> (If that doesn't work, then I was wrong about the output chain, and so try
> it with the FORWARD chain instead.)

Yes, you're looking for the OUTPUT chain.

From `man iptables`:
filter:
This is the default table (if no -t option is passed).
It contains the built-in chains INPUT (for packets destined to local
sockets), FORWARD (for packets being routed through the box), and OUTPUT
(for locally-generated packets).

Since an outgoing telnet session is a locally-generated packet, that's what
you're looking for.
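To make the INPUT/FORWARD/OUTPUT distinction from the man page concrete, here is a small model of first-match chain evaluation (an added illustration, not code from the thread or from iptables): it runs Ben's two-rule set and Ian's single negated rule over a few constructed packets and shows that both give the same verdicts, and that rules loaded only into OUTPUT never see a routed packet, which still needs a FORWARD rule. Packets, rules and the chain lookup are simplified assumptions of this model; in real iptables `-i` is only valid in INPUT, FORWARD and PREROUTING, so the model keys on whether the packet is locally generated instead.

```python
# Model of netfilter first-match semantics for the telnet rules in the thread.
# Not iptables itself: packets are dicts, rules are (matcher, target) pairs.
from ipaddress import ip_address, ip_network

ACCEPT, DROP = "ACCEPT", "DROP"


def rule(dst_net, dport, target, negate_dst=False):
    # Matches when the destination is inside dst_net (or outside it when
    # negate_dst is set, mirroring `-d ! 10.0.0.0/8`) and the port matches.
    net = ip_network(dst_net)

    def matches(pkt):
        in_net = ip_address(pkt["dst"]) in net
        return (in_net != negate_dst) and pkt["dport"] == dport

    return (matches, target)


def run_chain(chain, pkt, policy=ACCEPT):
    # The first matching rule decides; otherwise the default policy applies.
    for matches, target in chain:
        if matches(pkt):
            return target
    return policy


# Ben's rules: accept telnet into 10/8, then drop every other telnet packet.
TWO_RULE_CHAIN = [rule("10.0.0.0/8", 23, ACCEPT), rule("0.0.0.0/0", 23, DROP)]
# Ian's single rule: drop telnet whose destination is NOT in 10/8.
ONE_RULE_CHAIN = [rule("10.0.0.0/8", 23, DROP, negate_dst=True)]

# Constructed sample packets (not from the thread). "local" marks packets
# generated on the firewall itself (OUTPUT) versus routed through it (FORWARD).
SAMPLE_PACKETS = [
    {"dst": "10.1.2.3", "dport": 23, "local": True},
    {"dst": "192.0.2.10", "dport": 23, "local": True},
    {"dst": "192.0.2.10", "dport": 22, "local": True},
    {"dst": "192.0.2.10", "dport": 23, "local": False},
]


def verdict(pkt, chains):
    # Locally generated packets traverse OUTPUT; routed packets traverse FORWARD.
    chain_name = "OUTPUT" if pkt["local"] else "FORWARD"
    return run_chain(chains.get(chain_name, []), pkt)


def verdicts(chains):
    return [verdict(p, chains) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("two rules, OUTPUT only:", verdicts({"OUTPUT": TWO_RULE_CHAIN}))
    print("one rule, OUTPUT only: ", verdicts({"OUTPUT": ONE_RULE_CHAIN}))
    print("one rule, both chains: ", verdicts({"OUTPUT": ONE_RULE_CHAIN,
                                               "FORWARD": ONE_RULE_CHAIN}))
```

The last sample packet is the one to watch: with rules only in OUTPUT it is accepted by the default policy, so a box that routes other hosts' traffic needs the same rule in FORWARD as well.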
