I was curious about this thread, as it seemed to me the rule set should have worked. However, I didn't have anything to add, so I didn't post. So now I have tried it for myself, and I think an OUTPUT rule to accept lo stuff is needed. Here is what I have, and my source script:
Code:
doug@doug-desktop:~$ sudo iptables -v -x -n -L
Chain INPUT (policy ACCEPT 152 packets, 23766 bytes)
pkts bytes target prot opt in out source destination
355 19132 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
51 3048 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 387 packets, 99328 bytes)
pkts bytes target prot opt in out source destination
96 7248 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 106 udp dpt:443
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 106
55 5437 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000 multiport dports 80,443,5222
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000 multiport dports 80,443,5222
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000
Code:
#!/bin/sh
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
EXTIP="192.168.122.179"
EXTNET="192.168.122.0/24"
UNIVERSE="0.0.0.0/0"
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Reset all IPTABLES counters
$IPTABLES -Z
# Secure Shell on port 22. I need this as I am doing everything via remote.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -j ACCEPT
# Hungry Man's INPUT ACCEPT rules are not needed, because the default is ACCEPT
$IPTABLES -A INPUT -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# I wonder who 106 is and what this is for?
$IPTABLES -A OUTPUT -p udp -m owner --uid-owner 106 -m udp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 106 -j DROP
# Hungry Man rules in question.
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p tcp -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -p udp -m multiport --dports 80,443,5222 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 1000 -j DROP
# Quote the message: an unquoted '?' in the URL is a shell glob character.
echo "test iptables rule set - Hungry Man - http://ubuntuforums.org/showthread.php?t=2173062 - done."
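To check a live rule set for the point made above (the per-UID DROP rules only behave if the `-o lo` ACCEPT sits in front of them), here is an added helper that parses `iptables -v -x -n -L` output and reports any UID whose unconditional DROP is not preceded by the loopback ACCEPT. It is my own example, not part of the script above; the sample listing is a constructed cut-down copy of the output in this post.

```python
import re

# Constructed sample: a shortened copy of the `iptables -v -x -n -L` listing above.
SAMPLE = """\
Chain INPUT (policy ACCEPT 152 packets, 23766 bytes)
pkts bytes target prot opt in out source destination
355 19132 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain OUTPUT (policy ACCEPT 387 packets, 99328 bytes)
pkts bytes target prot opt in out source destination
96 7248 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 106
55 5437 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000 multiport dports 80,443,5222
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000
"""

def parse_chains(listing):
    """Return {chain_name: [rule dicts]} from `iptables -v -x -n -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith("pkts") or not line.strip() or current is None:
            continue  # column header, blank line, or text before the first chain
        else:
            f = line.split()  # pkts bytes target prot opt in out src dst [match text...]
            chains[current].append({
                "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                "src": f[7], "dst": f[8], "extra": " ".join(f[9:]),
            })
    return chains

def lo_accept_position(rules):
    """Index of the first rule that accepts all traffic leaving via lo, or None."""
    for i, r in enumerate(rules):
        if r["target"] == "ACCEPT" and r["out"] == "lo" and r["proto"] == "all" and not r["extra"]:
            return i
    return None

def uids_dropped_before_lo_accept(listing):
    """UIDs whose bare 'owner UID match N' DROP in OUTPUT is not preceded by the lo ACCEPT.
    An empty list means every per-user DROP is already covered by the loopback rule."""
    rules = parse_chains(listing).get("OUTPUT", [])
    lo = lo_accept_position(rules)
    bad = []
    for i, r in enumerate(rules):
        m = re.fullmatch(r"owner UID match (\d+)", r["extra"])
        if m and r["target"] == "DROP" and (lo is None or lo > i):
            bad.append(int(m.group(1)))
    return bad
```

Feed it `sudo iptables -v -x -n -L` output (for example via `subprocess`) and a non-empty result means local-only traffic for that user, such as lookups to a resolver on 127.0.0.1, would be dropped.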