On Mon, 2009-08-24 at 21:58 -0600, Wade Preston Shearer wrote:
> # Allow all outgoing traffic
> /sbin/iptables -P OUTPUT ACCEPT

Depending on the complexity of your network, you may not want to allow all outgoing connections. Filter outgoing port 25 to prevent getting blacklisted if a compromised machine turns into a spam zombie. Ideally, only a handful of machines should be allowed to send email directly. All others should be required to go through an authorized server with some type of scanning or ACLs.

> # Allow returning packets
> /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

> /sbin/iptables-save > /etc/sysconfig/iptables
> chmod go-r /etc/sysconfig/iptables

# Just to be safe
chmod u=rw,go= /etc/sysconfig/iptables
restorecon /etc/sysconfig/iptables

> One example rule that I have seen is allowing all local traffic.
> Does that mean the local network the server is within or traffic
> inside the box?

Only within the box, unless you've got some incorrect routing.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
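The ruleset the reply sketches (loopback and returning packets accepted, direct outbound SMTP confined to one authorized relay, the saved file locked down), written out as an added example that is not part of the thread. It emits iptables-restore format rather than calling iptables one rule at a time, so the text can be inspected before it touches the kernel. The relay address, the "SMTP-BLOCK:" log prefix and the install/load helper names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a ruleset in
# iptables-restore format that follows the advice in the reply:
#   - accept loopback and RELATED,ESTABLISHED packets on INPUT
#   - leave OUTPUT open except tcp/25, which only the authorized relay may receive
#   - log the blocked SMTP attempts so a spam zombie shows up in syslog
# The relay IP and log prefix are assumed values for the example.

gen_rules() {
    relay="$1"   # IP of the authorized mail relay (assumption)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic inside the box (lo), not the surrounding LAN
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# returning packets for connections this host started
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# only the authorized relay is reachable on tcp/25; everything else is logged, then refused
-A OUTPUT -p tcp --dport 25 -d $relay -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-BLOCK: " --log-level 4
-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Write the ruleset where the thread keeps it, with the permissions the
# reply suggests (owner read/write only) and the SELinux label restored.
install_rules() {
    relay="$1"
    dest="${2:-/etc/sysconfig/iptables}"
    gen_rules "$relay" > "$dest"
    chmod u=rw,go= "$dest"
    # restorecon only matters on an SELinux host; ignore it elsewhere
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dest" || true
    fi
    return 0
}

# Load the ruleset into the kernel (needs root).
load_rules() {
    relay="$1"
    gen_rules "$relay" | iptables-restore
}

# Usage (as root): install_rules 192.0.2.10 && load_rules 192.0.2.10
```

Run gen_rules with the relay address first and read the output; install_rules writes that text to the saved-rules path (or a path of your choosing) with the locked-down mode, and load_rules pushes it into the kernel. Because the policy on OUTPUT stays ACCEPT, the only outbound change is the SMTP restriction; tighten the policy further once you know which other ports the host actually needs.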
