how to only allow tcp on dport 443 on the OUTPUT chain?

JD jd1008 at gmail.com
Sat Mar 19 22:03:45 UTC 2011


On 03/19/2011 02:19 PM, Bill Davidsen wrote:
> erikmccaskey64 wrote:
>> it's a normal desktop machine's iptables firewall:
>>
>> If I want to block udp on dport 80 on the output chain, then is this
>> enough? I want to only allow tcp on it!
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>>
>> or do I need this rule?
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>>
>> Is the second one the good one?
>>
> You don't want to do that, if you block everything on OUTPUT things like DHCP,
> ARP, ICMP, etc, fail. You would need pages of ACCEPT rules.
>
> iptables -A OUTPUT -p tcp ! --dport 80 -j REJECT
>
> Would at least block only tcp, although I bet you will find that you want to do
> mail and such. You are rapidly entering deep waters, I fear, but it's your machine.
>
Blocking output on port 80 will render your web browsers largely useless,
because web browsers send connection requests to web servers on port 80
using the TCP protocol.
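
An added example, not posted by anyone in this thread, of an OUTPUT ruleset that does what the subject line asks (new outbound connections only to TCP 443, as in the subject, rather than port 80 as in the body) while keeping the things Bill mentions working. Two points it illustrates: `--dport` is an option of the tcp/udp match, so a rule with `--dport` but no `-p tcp` or `-p udp` is rejected by iptables rather than matching all protocols, which makes the second form from the question the only usable one; and a DROP policy on OUTPUT needs explicit ACCEPTs for loopback, already-established connections, DNS, DHCP and ICMP before it is practical on a desktop. The interface name `eth0`, the `APPLY=1` switch and the helper names are assumptions of this example; run it as root with `APPLY=1` to install the rules, otherwise it only prints them.

```shell
#!/bin/sh
# Added example: minimal OUTPUT chain that allows new outbound connections
# only to TCP 443 but keeps a desktop usable. Not from the original thread.
# PUBIF defaults to eth0 (assumed); set APPLY=1 and run as root to apply.

PUBIF="${PUBIF:-eth0}"

# Either run iptables or print the command, depending on APPLY
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_output_rules() {
    # Start clean; anything not explicitly accepted below is dropped
    emit -F OUTPUT
    emit -P OUTPUT DROP
    # Loopback must stay open (local resolver, local services)
    emit -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections already accepted (e.g. an inbound
    # ssh session needs its replies to leave), plus related ICMP errors
    emit -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution: DNS over UDP and TCP
    emit -A OUTPUT -o "$PUBIF" -p udp --dport 53 -j ACCEPT
    emit -A OUTPUT -o "$PUBIF" -p tcp --dport 53 -j ACCEPT
    # DHCP client traffic for clients that use normal UDP sockets
    emit -A OUTPUT -o "$PUBIF" -p udp --sport 68 --dport 67 -j ACCEPT
    # ICMP (ping, destination unreachable, path MTU discovery)
    emit -A OUTPUT -o "$PUBIF" -p icmp -j ACCEPT
    # The rule the question is about. --dport belongs to the tcp/udp match,
    # so -p tcp is required; "iptables -A OUTPUT --dport 443" is an error,
    # not a rule that matches every protocol. UDP to 443 falls through to DROP.
    emit -A OUTPUT -o "$PUBIF" -p tcp --dport 443 -j ACCEPT
    # Everything else (TCP 80, SMTP, UDP 443, ...) is logged, then dropped by policy
    emit -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP:"
}

# Number of generated rules that accept TCP 443 (sanity check on the ruleset)
count_tcp443_accepts() {
    build_output_rules | grep -c -- '-p tcp --dport 443 -j ACCEPT'
}

# Number of generated rules that use --dport without a -p tcp/udp (should be 0)
count_dport_without_proto() {
    build_output_rules | grep -- '--dport' | grep -vc -- '-p tcp\|-p udp'
}

build_output_rules
```

Once applied, a quick check is `iptables -L OUTPUT -v -n` and then an attempt to reach a web server on port 80, which should be refused by the DROP policy (the LOG rule will show it in the kernel log), while `https://` connections succeed. Mail, NTP and anything else not listed will also stop working until its own ACCEPT rule is added, which is the "pages of ACCEPT rules" problem Bill describes.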


