iptables support?

Res res at ausics.net
Sat Dec 10 05:35:42 UTC 2005

On Sat, 10 Dec 2005, Tim wrote:

> On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:
>> Iptables should be kept simple and to the point.
>> (1)  At the bottom (last line) DISALLOW everything.
>> (2)  Insert above rule #1 anything you want to allow.
> Shouldn't that be the other way around?  You've allowed various things,
> then disallowed everything (which logically should include what you've
> previously allowed).
> My default policy (first action) is to drop packets, then I open up
> holes for a few things I'm happy about.  Works well for me...
> My script starts thus (see below), then I add rules below it:
> ## Flush any pre-existing rules:
> iptables --flush INPUT
> iptables --flush OUTPUT
> iptables --flush FORWARD
> iptables --flush
> iptables --table nat --flush
> iptables --delete-chain
> iptables --table nat --delete-chain
> ## Set default (policy) rules:
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
> Specific rules follow on from here.  Some to explictly deny things I
> want to take precautions against, and some to allow things I want.

This might be fine for a home machine, there are situations where policy 
in should be allowed and accept rules then deny rules, this is important 
if you run iptables on a high loaded server, you will vety quickly

/usr/local/sbin/iptables -F
/usr/local/sbin/iptables -t nat -F
/usr/local/sbin/iptables -P INPUT DROP
/usr/local/sbin/iptables -P OUTPUT ACCEPT
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j 

Is more than ample for most home users on single machine, else  add in 
forwarding rules and the masq stuff and thats it



More information about the fedora-list mailing list