On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:

> Iptables should be kept simple and to the point.
>
> (1) At the bottom (last line) DISALLOW everything.
> (2) Insert above rule #1 anything you want to allow.

Shouldn't that be the other way around? You've allowed various things,
then disallowed everything (which logically should include what you've
previously allowed).

My default policy (first action) is to drop packets, then I open up holes
for a few things I'm happy about. Works well for me...

My script starts thus (see below), then I add rules below it:

    #!/bin/sh
    ## Flush any pre-existing rules:
    iptables --flush INPUT
    iptables --flush OUTPUT
    iptables --flush FORWARD
    iptables --flush
    iptables --table nat --flush
    ## Remove any user-defined chains (built-in chains stay):
    iptables --delete-chain
    iptables --table nat --delete-chain

    ## Set default (policy) rules; a chain's policy is what applies
    ## when no rule in that chain matches the packet:
    iptables --policy INPUT DROP
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT

Specific rules follow on from here. Some to explicitly deny things I want
to take precautions against, and some to allow things I want.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
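Added example, written for this thread and not code from either poster: a small Python model of how an iptables chain is walked (first matching rule wins, the chain policy applies only when nothing matched). It runs the same three allow rules through both layouts discussed above, a trailing DROP rule versus a DROP policy, and also shows what each layout does when a rule is appended below the final DROP or when the chain is flushed. Packets and rules are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:          # constructed sample packet, only the fields we match on
    proto: str         # "tcp" or "udp"
    dport: int
    state: str         # "NEW" or "ESTABLISHED"
    iface: str         # "lo" or "eth0"

@dataclass(frozen=True)
class Rule:            # None means "any", like an omitted iptables match
    target: str        # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.dport, p.dport),
            (self.state, p.state), (self.iface, p.iface)))

def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """Walk the chain top to bottom; first match decides, else the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The holes both posters would open: loopback, replies to our own traffic, ssh.
HOLES = [Rule("ACCEPT", iface="lo"),
         Rule("ACCEPT", state="ESTABLISHED"),
         Rule("ACCEPT", proto="tcp", dport=22, state="NEW")]

# Layout A (James): policy ACCEPT, allow rules, explicit DROP as the last rule.
# Layout B (the reply): policy DROP, allow rules only.
def decide_a(p: Packet) -> str: return evaluate(HOLES + [Rule("DROP")], "ACCEPT", p)
def decide_b(p: Packet) -> str: return evaluate(HOLES, "DROP", p)

SAMPLE = [Packet("tcp", 22, "NEW", "eth0"), Packet("tcp", 80, "NEW", "eth0"),
          Packet("tcp", 80, "ESTABLISHED", "eth0"), Packet("udp", 53, "NEW", "lo")]

def compare(packets=SAMPLE) -> List[Tuple[str, str]]:
    """Both layouts give identical verdicts while the allow rules sit above the DROP."""
    return [(decide_a(p), decide_b(p)) for p in packets]

def appended_below_drop(p: Packet) -> str:
    """Layout A with an allow rule mistakenly appended after the DROP: never reached."""
    return evaluate([Rule("DROP")] + HOLES, "ACCEPT", p)

def after_flush(p: Packet) -> Tuple[str, str]:
    """An empty chain (e.g. right after --flush) falls through to the policy alone."""
    return evaluate([], "ACCEPT", p), evaluate([], "DROP", p)
```

The last two functions are the practical difference: with a DROP policy a mis-ordered or flushed chain fails closed, with an ACCEPT policy it fails open.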