Outgoing connections will be filtered, but some services should be allowed (dns, dhcp, smtp, ntp) and some external websites should be available to get updates.Ĭoncepts ESTABLISHED stateWhen using this option, you can filter for established connections.The server hosts a samba service (several TCP and UDP ports), that should only be available from a limited set of IP addresses (admin + webmaster PC's).The server can be managed remotely using ssh (port 20) and webmin (port 10000), but only from a limited set of IP addresses (admin PC's).internet) on port 80 (http) and 443 (https) A web service should be available from all networks (i.e.
My goal was to get easier to read and configure iptables rules, but it will result in faster handling of packets as well. I got some inspiration in an article that uses chains to make iptables more efficient (faster). To make your rules more manageable, you can make use of chains in your iptables rules. a server that hosts a website available for the entire internet, but with an ssh and samba service that should only be available for the local subnet, or even some specific IP addresses, it becomes a bit more complex.Īnd if you want to filter the outgoing traffic as well, your iptables rules get a mess after a while, and when you want to change anything, chances of a mistake or forgetting something are high, which may result in locking yourself out of your box (at least for remote access), or leaving something open that shouldn't. the replies on the outgoing requests you made), or on a simple webserver (allow port 80 only).īut if you need more complex rules, f.e.
on your laptop, block all incoming requests (except the established connections, i.e. In most cases, you can do with some simple firewall rules, f.e. IntroductionSetting up a firewall on your *nix box, being it a workstation, laptop, or server, is always a good idea.
0 kommentar(er)
