From: "Tim" <ignored_mailbox@xxxxxxxxxxxx>
On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:
Iptables should be kept simple and to the point.
(1) At the bottom (last line) DISALLOW everything.
(2) Insert above rule #1 anything you want to allow.
Shouldn't that be the other way around? You've allowed various things,
then disallowed everything (which logically should include what you've
previously allowed).
My default policy (first action) is to drop packets, then I open up
holes for a few things I'm happy about. Works well for me...
My script starts thus (see below), then I add rules below it:
## Flush any pre-existing rules:
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
## Set default (policy) rules:
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
Specific rules follow on from here. Some to explictly deny things I
want to take precautions against, and some to allow things I want.
No.
This leads off my set of rules:
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
THEN I worry about ALLOWING things through.
There is a catchall "it fell out the bottom, I'm dropping it anyway,
but let's report it, too" rule down at the bottom of each section.
This way the rules leave the machine open as close to zero time as
it's possible to manage.
{^_^}
