I need help with the configuration of the following scenario. The web browsing of a small institutional network is done through a proxy server with authentication, configured on a Debian machine acting as proxy/firewall (using iptables rules) and connected to a parent proxy.

The clients of the LAN do not make any kind of DNS query to the outside, because all web browsing goes through the proxy and no other kind of access to external services was needed.

Now we must access a Jitsi server at a specific IP address.

Web access to that Jitsi server is fine, in the sense that the proxy takes care of it, but I have not managed to handle the packets to UDP port 10000 and TCP port 4443 in the iptables rules.

The iptables rules are as follows:

```
*filter
# INPUT chain
# Accept related or established connections
-A INPUT -m conntrack ! -i lo --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp -m udp -m conntrack --dport 33434:33534 --ctstate NEW -j REJECT
-A INPUT -p udp -i ens18 -m state --sport 123 --state NEW -j ACCEPT
# LOG the rest and drop by default input chain
-A INPUT ! -i lo -j LOG --log-prefix "DROP INPUT " --log-ip-options --log-tcp-options

# OUTPUT chain
# ACCEPT rules for allowing connections out
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --dport 21 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state --dport 80 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state --dport 443 --state NEW -j ACCEPT
-A OUTPUT -p udp -m state --dport 123 --state NEW -j ACCEPT
# external DNS servers (only reachable, no recursion enabled)
-A OUTPUT -p udp -m state -d .131 --dport 53 --state NEW -j ACCEPT
-A OUTPUT -p tcp -m state -d .132 --dport 53 --state NEW -j ACCEPT
-A OUTPUT -m state -d .68 --state NEW -j ACCEPT
-A OUTPUT -m state -d --state NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# FORWARD chain
# Accept related or established connections
-A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# prevent forwarding packets for connections initiated from the outside (spoofing)
-A FORWARD -m state -i ens19 --state NEW -j DROP
-A FORWARD ! -i lo -j LOG --log-prefix "DROP FORWARD " --log-ip-options --log-tcp-options
```
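The FORWARD chain shown in the post accepts ESTABLISHED,RELATED traffic and drops NEW connections arriving on the outside interface, but it has no rule that accepts NEW connections coming from the LAN, so a client's first packet towards the Jitsi media ports falls through to the catch-all LOG rule and the chain's default policy. An HTTP proxy cannot carry UDP, so the media stream has to be forwarded and NATed by the firewall itself. The script below is an added example, not code from the original post or from any answer to it: a POSIX shell script that generates, and only applies when asked, FORWARD and NAT rules letting LAN clients reach the Jitsi server's UDP 10000 and TCP 4443. The interface roles (ens18 as LAN, ens19 as outside), the 203.0.113.10 server address and the APPLY switch are assumptions chosen for the example; the real setup needs its own values.

```shell
#!/bin/sh
# Added example (not from the original post): forward LAN clients to a
# Jitsi server's media ports through a Debian proxy/firewall.
# Assumptions, change to match the real setup:
#   LAN_IF   = inside interface (assumed ens18)
#   WAN_IF   = outside interface (assumed ens19, as in the post's FORWARD drop rule)
#   JITSI_IP = the Jitsi server's address (203.0.113.10 is an RFC 5737 placeholder)
LAN_IF="${LAN_IF:-ens18}"
WAN_IF="${WAN_IF:-ens19}"
JITSI_IP="${JITSI_IP:-203.0.113.10}"

# Emit the iptables commands for a given lan/wan/jitsi triple, one per line.
# Rules are inserted (-I ... 1) rather than appended, so they land ahead of
# the post's catch-all "-A FORWARD ! -i lo -j LOG"; the existing
# ESTABLISHED,RELATED rule already lets the return packets through.
jitsi_forward_rules() {
    lan="$1"; wan="$2"; jitsi="$3"
    printf '%s\n' \
      "iptables -I FORWARD 1 -i $lan -o $wan -d $jitsi -p udp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -I FORWARD 1 -i $lan -o $wan -d $jitsi -p tcp --dport 4443 -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $wan -d $jitsi -p udp --dport 10000 -j MASQUERADE" \
      "iptables -t nat -A POSTROUTING -o $wan -d $jitsi -p tcp --dport 4443 -j MASQUERADE"
}

# Sanity check helper: number of commands generated (expected 4).
count_rules() {
    jitsi_forward_rules "$@" | wc -l | tr -d ' '
}

# Default is a dry run that prints the commands; APPLY=1 executes them.
if [ "${APPLY:-0}" = "1" ]; then
    # FORWARD rules are irrelevant unless the kernel forwards at all.
    sysctl -w net.ipv4.ip_forward=1
    jitsi_forward_rules "$LAN_IF" "$WAN_IF" "$JITSI_IP" | sh -e
else
    jitsi_forward_rules "$LAN_IF" "$WAN_IF" "$JITSI_IP"
fi
```

Run it once without APPLY to review the commands, then `APPLY=1 sh jitsi-forward.sh` as root. The MASQUERADE lines are only needed if the box does not already NAT LAN traffic leaving on the outside interface; if it does, drop them to avoid duplicate NAT rules. Restricting the accepts to the Jitsi address and the two ports keeps the post's "no connections initiated from the outside" policy intact, since the outside-interface NEW drop rule still applies to everything else.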