"sv" == seth vidal skvidal@fedoraproject.org writes:
sv> Here's what I've used in the past. It allows connections for
sv> certain ports/places and then drops everything else as the last
sv> item.
sv> http://linux.duke.edu/~skvidal/misc/iptables-template
sv> it's pretty painless, really.
sv> If we want to add explicit outbound rules, too, that's fine, but
sv> I'd advise enabling logging b/c that stuff is easy to get wrong.
sv> :)
sv> This is just a sample but it's simple and straightforward.
The sample script accepts all non-syn TCP packets, whether they are related to an established connection or not. That is not necessarily a bad thing, I'm just pointing it out so people are aware of it.
/Benny
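To show what that difference means in practice, here is an added toy model of the two rule orderings (an illustration written for this page, not code from the template or from anyone on the thread; the packets, the allowed ports and the connection tracker are all constructed):

```python
# Toy model (not iptables): contrast an INPUT chain that accepts every non-SYN
# TCP packet ("! --syn -j ACCEPT") with one using "-m state --state ESTABLISHED,RELATED".
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dport: int
    syn: bool  # True only for a new-connection segment (SYN set, ACK/RST clear),
               # which is what iptables' --syn matches; False for any other segment

ALLOWED_PORTS = {22, 80}  # assumed: the ports the template explicitly opens

def verdict_non_syn(pkt, conntrack):
    """Rule order as in the sample: ! --syn ACCEPT, open ports ACCEPT, then DROP."""
    if not pkt.syn:                   # any ACK/FIN/RST segment gets in, tracked or not
        return "ACCEPT"
    return "ACCEPT" if pkt.dport in ALLOWED_PORTS else "DROP"

def verdict_stateful(pkt, conntrack):
    """Same policy, but a conntrack match replaces the ! --syn shortcut."""
    flow = (pkt.src, pkt.sport, pkt.dport)
    if flow in conntrack:             # continuation of, or reply to, a tracked flow
        return "ACCEPT"
    if pkt.syn and pkt.dport in ALLOWED_PORTS:
        conntrack.add(flow)           # the accepted SYN creates the tracking entry
        return "ACCEPT"
    return "DROP"                     # stray non-SYN segments end up here

def run(packets, tracked_flows=()):
    """Return (non_syn_verdict, stateful_verdict) per packet, in order.
    tracked_flows seeds the tracker, e.g. entries made by outbound connections."""
    ct = set(tracked_flows)
    return [(verdict_non_syn(p, ct), verdict_stateful(p, ct)) for p in packets]

# Constructed traffic: a stray ACK to a closed port, a legitimate SSH SYN,
# a SYN to a closed port, and the data segment that follows the SSH SYN.
PACKETS = [
    Pkt("198.51.100.7", 40000, 31337, syn=False),
    Pkt("203.0.113.5", 51000, 22, syn=True),
    Pkt("203.0.113.5", 51001, 31337, syn=True),
    Pkt("203.0.113.5", 51000, 22, syn=False),
]

if __name__ == "__main__":
    for p, (a, b) in zip(PACKETS, run(PACKETS)):
        print(f"{p.src}:{p.sport} -> :{p.dport} syn={p.syn}  non-syn={a}  stateful={b}")
```

The first packet is the case Benny describes: a non-SYN segment with no connection behind it passes the `! --syn` rule but is dropped by the stateful one, while genuine replies and continuations are accepted by both.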