I have a virtual machine on debian. I have made some modification to the HN to allow statefull firewall inside vm (http://wiki.openvz.org/Setting_up_an_iptables_firewall).
Here is my firewall script :
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow all related and established tcp connections to my_machine.
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Https In
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# make sure nothing comes
iptables -A INPUT -j DROP
# Allow all outgoing connection
iptables -A OUTPUT -j ACCEPT
iptables -L
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:login:65535 dpt:https state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
When I try to use fsockopen. It fails. Why ?
Thanks in advance
Answer
I add this rule and i worked fine :
# Allow DNS client request
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
No comments:
Post a Comment