Let me explain what I did before:
# Only INPUT policy DROP, others are ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -p tcp --sport 80 -j ACCEPT
I also tried this, and the same for ports 443 and 8080:
sudo iptables -A INPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Then I realized that I should allow the DNS server too:
sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 53 -j ACCEPT
I applied these rules, but I cannot connect to the internet.
But when I allow all UDP ports, I can connect.
Did I forget something, or do something wrong?
Best Answer
How does your computer get its IP address? If it is via DHCP, then you need to allow UDP replies to port 68 (or from port 67, see later on):
If your objective is to just allow website browsing, then the connection would always be initiated from your end so you only need to allow the related traffic back in (in this example the assumption is that eth0 is your NIC name):
Now, you may or may not need to allow the local interface (depends on what you are doing with your computer):
In the end, you can combine some of these things and end up with:
I coded this on one of my test computers and it worked fine (the SSH port 22 stuff is for me, because I don't actually sit at that computer):
I made it start automatically via my /etc/network/interfaces file.

Note that more typically, users will merely allow whatever related traffic back in, with a more generic rule (using the variable names of my script above):
EDIT:
Sometimes to help understand / debug adding some logging can help. For example:
then observe /var/log/syslog for the entries. Be careful with logging, so that you don't flood the log file.
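A complete version of the approach the answer describes, as an added example that is not the answer's own script (the page does not reproduce it). It assumes the NIC is eth0 and SSH listens on port 22 (both assumptions, overridable with IFACE and SSH_PORT), and it defaults to a dry run that only prints the iptables commands; set IPT to the real binary to apply them. The key difference from the question's rules is that return traffic is matched by connection state rather than by source port, so HTTP, HTTPS, DNS and anything else the host initiates all come back in through one rule, and a remote host cannot get past the policy just by sending from source port 80. DHCP replies need their own rule because the server's broadcast answer (67 -> 68) is not tracked as a reply.

```shell
#!/bin/sh
# Added example (not the answer's script): stateful "only what I started" INPUT policy.
# Assumptions, not from the page: interface eth0, SSH on 22.
# Dry run by default. Apply for real with:  IPT=/sbin/iptables sh firewall.sh

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-echo iptables}"   # "echo iptables" prints the rules instead of loading them

apply_rules() {
    # Start from an empty INPUT chain so re-running the script does not stack rules.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback: local resolvers, databases and desktop services talk over lo.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (HTTP, HTTPS, DNS over UDP/TCP, ...).
    # One state rule replaces every per-port --sport rule from the question.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP: client sends 68 -> 67, server answers 67 -> 68, usually as a broadcast
    # that conntrack does not treat as a reply, so it must be allowed explicitly.
    $IPT -A INPUT -i "$IFACE" -p udp --sport 67 --dport 68 -j ACCEPT

    # Optional inbound SSH so the machine stays reachable after the policy is loaded.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Drop packets conntrack cannot classify, then log (rate-limited) what is about
    # to hit the DROP policy; look for the "IPT-DROP:" prefix in /var/log/syslog.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
}

apply_rules
```

Run it once as a dry run and read the printed rules before pointing IPT at the real binary; if you apply it over SSH, keep the SSH rule or you will lock yourself out. The rate-limited LOG rule is the answer's debugging suggestion in a form that cannot flood syslog.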