How can I block all traffic except web traffic?

After you apply the rules that heikogerlach showed you, here are some useful links to help you in the future so you understand what you're doing.

  • Quick HOWTO, Ch14: Linux Firewalls Using iptables
  • Documentation about the netfilter/iptables project
  • Netfilter IPTables Mini Howto

Basically, to answer the question you posed in a comment, you need this rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

so that incoming packets that are a response to a packet sent by your system will be allowed in. Otherwise this box won't be able to receive anything except to port 80.

NOTE: You also have to tell us something additional ... Do you want to block all access except incoming and outgoing web, or only incoming or only outgoing? What traffic do you want to allow?


Now you are allowed to send packets from your computer to another one with the destination port 80. You must allow responses from the remote computers and you want to receive errors, too.

iptables -P INPUT DROP      # default policy: drop anything no rule accepts
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # packets belonging to tracked connections, incl. related ICMP errors
iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT  # new outbound HTTP
iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT # new outbound HTTPS

You need the kernel module ip_conntrack for connection tracking:

modprobe ip_conntrack
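A combined, loadable version of the rules from both answers, as an added example that is neither answerer's own script: it includes the INPUT ESTABLISHED,RELATED rule the first answer asks for, uses the iptables-restore format so the whole filter table is replaced atomically instead of being appended to on every run, swaps the older `-m state` match for its successor `-m conntrack`, and adds loopback and rate-limited LOG rules that the posts do not mention (assumed to be wanted).

```shell
#!/bin/sh
# Added example, not from either answer. Assumes iptables-restore is
# present and that loopback traffic and a log of dropped packets are wanted.

# Emit the ruleset in iptables-restore format. Loading it replaces the
# filter table in one step, so re-running never duplicates rules the way
# repeated "iptables -A" calls do. The conntrack match autoloads the
# nf_conntrack module on current kernels (the successor of ip_conntrack).
build_web_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must stay open or local services and resolvers break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened, plus RELATED ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new outbound web connections only
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT
# whatever reaches the end of a chain is logged (rate-limited) before the DROP policy takes it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop-out: "
COMMIT
EOF
}

# Number of rule lines (those starting with -A), handy for a sanity check
count_rules() {
    build_web_only_ruleset | grep -c '^-A'
}

# Only load into the kernel when explicitly asked; needs root.
if [ "${1:-}" = "--apply" ]; then
    build_web_only_ruleset | iptables-restore
fi
```

With this set, name resolution also fails unless outbound port 53 is allowed, so the first answer's question about which traffic you actually want still has to be answered before applying it.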