Linux Archive > Debian > Debian User
03-09-2011, 06:35 AM
erikmccaskey64

how to only allow tcp on dport 443 on the OUTPUT chain?

it's a normal desktop machine's iptables firewall:
If i want to block udp on dport 80 on the output chain, then is this enough? i want to only allow tcp on it!

iptables -P OUTPUT DROP
iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT

or i need this rule?

iptables -P OUTPUT DROP
iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT

the second one is the good one?
 
03-09-2011, 08:24 AM
Virgo Pärna

how to only allow tcp on dport 443 on the OUTPUT chain?

On Tue, 08 Mar 2011 23:35:03 -0800, erikmccaskey64 <erikmccaskey64@zoho.com> wrote:
>
> it's a normal desktop machines iptables firewall:
>
>
> If i want to block udp on dport 80 on the output chain, then is this enough? i want to only allow tcp on it!
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>

Only allowed outgoing traffic is on $PUBIF interface for tcp and udp port 80.
On all other interfaces all outgoing traffic is blocked.

>
> or i need this rule?
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>

Only allowed outgoing traffic is on $PUBIF interface for tcp port 80. On all
other interfaces all outgoing traffic is blocked.

I may be mistaken, but such hard rules could cause serious problems. I think
that even dns name resolution would not work anymore (you cannot send out dns queries).
Essentially you could only browse websites on port 80 using IP numbers instead of server
name.


--
Virgo Pärna
virgo.parna@mail.ee


Archive: http://lists.debian.org/slrninehqp.q6s.virgo.parna@dragon.gaiasoft.ee
 
03-09-2011, 08:35 AM
Andrej Kacian

how to only allow tcp on dport 443 on the OUTPUT chain?

On Wed, 9 Mar 2011 09:24:41 +0000 (UTC)
Virgo Pärna <virgo.parna@mail.ee> wrote:

> I may be mistaken, but such hard rules could cause serious
> problems. I think that even dns name resolution would not work
> anymore (you cannot send out dns queries). Essentialy you could only
> browse websites on port 80 using IP numbers instead of server name.

I suspect (and hope) that the rules listed by the OP were only part
of a bigger rule set, and the drop policy rule was only included to give
more context. If this is not the case, I agree with Virgo.

Kind regards,
--
Andrej


Archive: http://lists.debian.org/20110309103512.00004528@unknown
 
03-09-2011, 08:45 AM
ZLIGUI Hammou

how to only allow tcp on dport 443 on the OUTPUT chain?

For iptables there is a default rule: if it accepts everything by default,
then in that case you only need to forbid udp on 80; if it is the reverse (reject
by default), you need to accept tcp on 80.

For the first:

iptables -A OUTPUT -p udp --dport 80 -j DROP

If the second:

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Good luck
 
03-09-2011, 04:09 PM
Jacob Mansfield

how to only allow tcp on dport 443 on the OUTPUT chain?

Do you want to stop normal HTTP web access and restrict the server to HTTPS only? If so, you want to change the httpd settings, not iptables. As far as I can see these commands would block ALL outgoing traffic on the server, including some vital services. As for specifics, try this with the settings:

add this to the relevant section in your httpd.conf

RewriteEngine on
RewriteRule ^/(.*):SSL$ https://<YOUR_SERVER_URL>/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://<YOUR_SERVER_URL>/$1 [R,L]

Redirect permanent / https://<YOUR_SERVER_URL>/

this automatically redirects HTTP requests to HTTPS ones. then add this to enable HTTPS

SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

for more information see
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
and
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

Jacob Mansfield
Programmer
CyberKing Solutions
www.cyberkingsolutions.co.uk - I do know the database is down

On 9 March 2011 07:35, erikmccaskey64 <erikmccaskey64@zoho.com> wrote:

> it's a normal desktop machines iptables firewall:
>
> If i want to block udp on dport 80 on the output chain, then is this enough? i want to only allow tcp on it!
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>
> or i need this rule?
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>
> the second one is the good one?

 
03-19-2011, 08:19 PM
Bill Davidsen

how to only allow tcp on dport 443 on the OUTPUT chain?

erikmccaskey64 wrote:
> it's a normal desktop machines iptables firewall:
>
> If i want to block udp on dport 80 on the output chain, then is this
> enough? i want to only allow tcp on it!
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>
> or i need this rule?
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>
> the second one is the good one?
>
You don't want to do that: if you block everything on OUTPUT, things like DHCP,
ARP, ICMP, etc. fail. You would need pages of ACCEPT rules.

iptables -A OUTPUT -p tcp ! --dport 80 -j REJECT

Would at least block only tcp, although I bet you will find that you want to do
mail and such. You are rapidly entering deep waters, I fear, but it's your machine.

--
Bill Davidsen <davidsen@tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
 
03-19-2011, 09:03 PM
JD

how to only allow tcp on dport 443 on the OUTPUT chain?

On 03/19/2011 02:19 PM, Bill Davidsen wrote:
> erikmccaskey64 wrote:
>> it's a normal desktop machines iptables firewall:
>>
>> If i want to block udp on dport 80 on the output chain, then is this
>> enough? i want to only allow tcp on it!
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>>
>> or i need this rule?
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>>
>> the second one is the good one?
>>
> You don't want to do that, if you block everything on OUTPUT things like DHCP,
> ARP, ICMP, etc, fail. You would need pages of ACCEPT rules.
>
> iptables -A OUTPUT -p tcp ! --dport 80 -j REJECT
>
> Would at least block only tcp, although I bet you will find that you want to do
> mail and such. You are rapidly entering deep waters, I fear, but it's your machine.
>
Blocking output on port 80 will render your web browsers largely useless,
because web browsers send connection requests to web servers on port 80
using the TCP protocol.
