I currently have this:

```
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
```

It works well and allows all requests out on port 80, but I want it to be more strict. Is there any way to modify it so it can ONLY connect to the DNS names I specify? (I could use IPs if DNS is not an option.)

Example: allow outgoing traffic to x.x.x.x on port 80. Also allow outgoing traffic to x.x.x.y on port 80.

Thanks!
CSF makes this fairly easy. Install CSF and add these to the csf.allow file.

Inbound, add:

```
tcp:in:d=80:s=xxx.xxx.xxx.xxx
```

Outbound, add:

```
tcp:out:d=80:d=xxx.xxx.xxx.xxx
```

```
tcp/udp  : EITHER tcp OR udp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (use a _ for a port range, e.g. 2000_3000)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections, s/d=IP value is ignored
```

Hope this helps
Got it:

```
$IPT -A OUTPUT -p tcp --dport 80 -d x.x.x.x -m state --state NEW -j ACCEPT
```

($IPT = /sbin/iptables)
Yes. You can put a range in your rule:

```
$IPT -A OUTPUT -p tcp --dport 80 -m iprange --dst-range x.x.x.x-x.x.x.y -m state --state NEW -j ACCEPT
```

Or just use multiple statements:

```
$IPT -A OUTPUT -p tcp --dport 80 -d x.x.x.x -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -d x.x.x.y -m state --state NEW -j ACCEPT
```

If there's an entire subnet class, just use:

```
$IPT -A OUTPUT -p tcp --dport 80 -d x.x.x.0/24 -m state --state NEW -j ACCEPT
```

You have to determine the correct subnet for what you're looking to allow. Also don't forget about ESTABLISHED.
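The iptables answers above are single rules; what the original poster actually wants is a complete egress allowlist in which those rules sit on top of a default-deny OUTPUT policy plus the ESTABLISHED rule the last reply mentions. The script below is an added example and is not code from the thread or from the CSF project. The function names `is_ipv4_or_cidr`, `allow_http_out` and `egress_policy` are made up for the example, the 192.0.2.x and 198.51.100.0/24 addresses are constructed documentation-range samples, and `IPT` defaults to a dry run that only prints the commands; setting `IPT=/sbin/iptables` and running as root applies them.

```shell
#!/bin/sh
# Added example, not from the thread: an outbound HTTP allowlist for the
# OUTPUT chain built from the rules discussed above. IPT defaults to a dry
# run that prints the commands; set IPT=/sbin/iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Accept only dotted-quad IPv4 destinations, optionally with a /prefix.
# Hostnames are rejected on purpose: iptables resolves a name exactly once,
# when the rule is inserted, so a name-based rule goes stale silently as soon
# as the DNS record changes. This is why IPs (or CIDR ranges) are the safer
# answer to the original question.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# One OUTPUT rule per destination: TCP port 80, new connections only.
# Malformed entries are skipped with a message on stderr and the function
# returns 1 so a caller can refuse to load a half-validated policy.
allow_http_out() {
    rc=0
    for dst in "$@"; do
        if is_ipv4_or_cidr "$dst"; then
            $IPT -A OUTPUT -p tcp --dport 80 -d "$dst" -m state --state NEW -j ACCEPT
        else
            echo "skipping '$dst': not an IPv4 address or CIDR range" >&2
            rc=1
        fi
    done
    return $rc
}

# Complete policy: default-deny, loopback, replies to flows that already
# exist (the ESTABLISHED point from the last post), the allowlist, and a
# rate-limited log of whatever still gets dropped so misconfigurations and
# unexpected egress attempts are visible in the kernel log.
# Usage: egress_policy 192.0.2.10 192.0.2.11 198.51.100.0/24
egress_policy() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_http_out "$@" || return 1
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: " --log-level 4
}
```

With a DROP policy on OUTPUT the host's own name resolution stops working unless UDP/TCP 53 to its resolver is allowed explicitly, which is one more reason to specify destinations as addresses rather than names. After applying for real, `iptables -L OUTPUT -n -v --line-numbers` shows the rules in order with their hit counters, and the `egress-denied:` lines in the kernel log show what the policy is blocking.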