Firewall configuration for Fedora 16

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jun 1 20:43:47 UTC 2012


Andrei,

> $IPTABLES -A INPUT -i !lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
>
>
Would you mind breaking this rule into two, one to allow local traffic and
another at the end of the list to block all traffic that doesn't match any of
the above rules?

> #### OUTPUT chain ####
> echo "[+] Setting up OUTPUT chain..."
> ### state tracking rules
> $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
> $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ### ACCEPT rules for allowing connections out
> $IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> ### default OUTPUT LOG rule
> $IPTABLES -A OUTPUT -o !lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
>
>
> #### FORWARD chain ####
> echo "[+] Setting up FORWARD chain..."
> ### state tracking rules
> $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
> $IPTABLES -A FORWARD -m state --state INVALID -j DROP
> ### default log rule
> $IPTABLES -A FORWARD -i !lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
>
>
> After enabling the configuration and rebooting, I am able to login and
> use the laptop in text mode, but not able to login in graphic mode.
>
> Would you be able to tell me how to tweak the script so that it will
> allow me to login in graphic mode as well?
>
Look at the logs generated by iptables and see if there is any traffic
being dropped. Are you connecting remotely, or is this a local console? If
remote, you may need to make sure xorg is tunneling through SSH.
>
> Regards,
> Andrei.
>
William
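Added example, not part of the thread and not Andrei's script: it shows the INPUT chain arranged the way William suggests (loopback accepted by its own rule at the top, a LOG rule followed by a DROP rule at the very end), plus a small parser for the "DROP " lines that the LOG target writes to the kernel log, so a blocked local service shows up as a count by protocol and destination port. The middle ACCEPT rules, the dry-run `IPTABLES` default and the log lines in `sample_log` are all constructed for the example.

```shell
#!/bin/sh
# IPTABLES defaults to a dry run that only prints the commands (assumption
# for this example); set IPTABLES=/sbin/iptables to apply them on a host.
IPTABLES="${IPTABLES:-echo iptables}"

# INPUT chain in William's order: loopback accepted first as its own rule,
# then the normal ACCEPT rules (hypothetical placeholders here), and only
# at the end the catch-all that logs and then drops everything unmatched.
input_chain() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    # default rules last: log the packet, then drop it
    $IPTABLES -A INPUT -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    $IPTABLES -A INPUT -j DROP
}

# Read kernel log lines on stdin (dmesg or the syslog file) and count the
# "DROP " entries per protocol, destination port and source address.
summarize_drops() {
    grep 'DROP ' | awk '{
        proto = ""; dpt = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        if (proto != "") count[proto " dpt=" dpt " src=" src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the LOG target writes (addresses are the
# documentation range 192.0.2.0/24, not real hosts).
sample_log() {
    cat <<'EOF'
Jun  1 20:40:01 laptop kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=6000 SYN
Jun  1 20:40:02 laptop kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=6000 SYN
Jun  1 20:40:03 laptop kernel: DROP IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.20 LEN=80 TTL=64 PROTO=UDP SPT=5353 DPT=5353
Jun  1 20:40:04 laptop sshd[1234]: Accepted publickey for user from 192.0.2.10
EOF
}

# Stand-alone run: print the rules, then the drop summary for the sample.
input_chain
sample_log | summarize_drops
```

On a real host, `dmesg | summarize_drops` (or `summarize_drops < /var/log/messages`) lists what the catch-all rule is discarding; a destination port that belongs to a local service is the rule to add an ACCEPT for above the LOG/DROP pair.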