[CentOS] CentOS 4.4 blocking outbound connections?
Fabian Arrotin
fabian.arrotin at arrfab.net
Sat Feb 17 16:04:12 UTC 2007
On Sat, 2007-02-17 at 09:15 -0600, Neil Aggarwal wrote:
> Hello:
>
> When I installed CentOS 4.4 (from the ServerCD) on my server, I told
> it not to install a firewall and I disabled SELinux. The server is
> a SuperMicro 5015P-TR.
>
> I set up my own /etc/init.d/firewall with these rules:
>
> #!/bin/sh
> # Firewall script
> #
> # Source function library
> . /etc/init.d/functions
>
> RETVAL=0
>
> # Some definitions (Will need to change ETH0_IP to match your configuration)
> ETH0_IP=38.114.192.86
>
> # See how we were called.
> case "$1" in
> start)
> echo -n "Starting firewall: "
> /sbin/modprobe ip_conntrack_ftp
>
> # Set the default policies to drop all packets
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
>
> # Flush any existing rules
> /sbin/iptables -F
>
> # Allow loopback traffic
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
> # Allow icmp protocol packets
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT
>
> # Allow ssh connections from the outside world
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: \
>     --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport ssh \
>     --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Why not use ESTABLISHED,RELATED instead of just ESTABLISHED?
Can you also consider giving us the result of `iptables -L -v -n --line-numbers`?
That gives a better view of what the system is using as iptables rules ...
>
> <snip>
--
Fabian Arrotin <fabian.arrotin at arrfab.net>
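A stateful rewrite of the quoted script's INPUT/OUTPUT rules, added here as an example and not the list poster's script: one ESTABLISHED,RELATED rule per chain (as suggested above) carries all reply traffic, and an explicit OUTPUT NEW rule is what lets the host open its own outbound connections, which the quoted rules never permit under an OUTPUT DROP policy. The `firewall_rules` function prints the rule set so it can be reviewed against `iptables -L -v -n --line-numbers` before `apply_firewall` loads it; the address is the one from the quoted script and stands in for your own.

```sh
#!/bin/sh
# Added example: stateful version of the quoted firewall rules.
# IPT is the iptables binary; set IPT=echo to dry-run the apply step.
IPT="${IPT:-/sbin/iptables}"
ETH0_IP="${ETH0_IP:-38.114.192.86}"   # address from the quoted script; change to yours

# Print the rule set (one iptables argument list per line) without applying it.
firewall_rules() {
    cat <<EOF
# default deny in every chain, then start from an empty filter table
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-F
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one rule per chain covers replies for every tracked connection, plus
# RELATED traffic such as ftp data (ip_conntrack_ftp) and icmp errors
-A INPUT -i eth0 -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -s $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only new ssh sessions and icmp
-A INPUT -i eth0 -d $ETH0_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
# outbound: the host may open new connections (dns, ntp, yum ...);
# the quoted script has no such rule, so its OUTPUT DROP policy blocks them
-A OUTPUT -o eth0 -s $ETH0_IP -m state --state NEW -j ACCEPT
EOF
}

# Feed each non-comment line to iptables; stop at the first rule that fails.
apply_firewall() {
    firewall_rules | grep -v '^#' | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPT $rule || exit 1
    done
}

# Static check: does the rule set let the host originate outbound connections?
outbound_new_allowed() {
    firewall_rules | grep -q -- '^-A OUTPUT .*--state NEW -j ACCEPT'
}
```

Run `IPT=echo sh firewall.sh` style dry runs first; the printed argument lists are exactly what `apply_firewall` hands to iptables.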