Re: iptables support?

On Sat, 10 Dec 2005, Tim wrote:

> On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:
> > Iptables should be kept simple and to the point.
> >
> > (1)  At the bottom (last line) DISALLOW everything.
> > (2)  Insert above rule #1 anything you want to allow.
>
> Shouldn't that be the other way around?  You've allowed various things,
> then disallowed everything (which logically should include what you've
> previously allowed).
>
> My default policy (first action) is to drop packets, then I open up
> holes for a few things I'm happy about.  Works well for me...
>
> My script starts thus (see below), then I add rules below it:
>
> ## Flush any pre-existing rules:
>
> iptables --flush INPUT
> iptables --flush OUTPUT
> iptables --flush FORWARD
>
> iptables --flush
> iptables --table nat --flush
>
> iptables --delete-chain
> iptables --table nat --delete-chain
>
>
> ## Set default (policy) rules:
>
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
>
>
> Specific rules follow on from here.  Some to explicitly deny things I
> want to take precautions against, and some to allow things I want.


This might be fine for a home machine, but there are situations where the policy in should be allowed, with accept rules and then deny rules. This is important if you run iptables on a highly loaded server; you will very quickly


/usr/local/sbin/iptables -F
/usr/local/sbin/iptables -t nat -F
/usr/local/sbin/iptables -P INPUT DROP
/usr/local/sbin/iptables -P OUTPUT ACCEPT
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This is more than ample for most home users on a single machine; else add in the forwarding rules and the masq stuff, and that's it.

--
Cheers
Res
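The ordering both posts above settle on (INPUT policy DROP, the stateful ESTABLISHED,RELATED rule at the top so a busy host matches most packets before walking the rest of the chain, explicit holes after it) as an added example, not code from this thread: a POSIX sh generator for an iptables-restore ruleset plus a check that the stateful rule sits above every per-service ACCEPT. The function names and the sample ports are my own choices, and `-m conntrack --ctstate` stands in for the `-m state --state` form used in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore ruleset in
# the order discussed above: INPUT policy DROP, the stateful rule first, then
# explicit holes for a few services. The -m conntrack form is the modern
# equivalent of the -m state form used in the post.

# build_ruleset PORT... -> prints a *filter table accepting new TCP on PORT...
build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: nothing gets in or through unless a rule below allows it.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always allowed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Stateful rule first: on a busy host most packets belong to an existing
    # connection and are accepted here without walking the rest of the chain.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot classify are dropped before the service holes.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One ACCEPT per allowed service; only NEW connections reach this point.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_position RULESET PATTERN -> line number of the first line matching PATTERN
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# check_order RULESET -> succeeds only if the ESTABLISHED,RELATED ACCEPT comes
# before the first per-service (--dport) rule, the ordering argued for above.
check_order() {
    stateful=$(rule_position "$1" 'ESTABLISHED,RELATED')
    service=$(rule_position "$1" '--dport')
    [ -n "$stateful" ] && [ -n "$service" ] && [ "$stateful" -lt "$service" ]
}

# Stand-alone use: `sh firewall.sh 22 80 443 | iptables-restore --test`
# parses the result without touching the live tables (root is needed for that).
if [ "$#" -gt 0 ]; then
    build_ruleset "$@"
fi
```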
