iptables support?

Res res at ausics.net
Sat Dec 10 05:35:42 UTC 2005


On Sat, 10 Dec 2005, Tim wrote:

> On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:
>> Iptables should be kept simple and to the point.
>>
>> (1)  At the bottom (last line) DISALLOW everything.
>> (2)  Insert above rule #1 anything you want to allow.
>
> Shouldn't that be the other way around?  You've allowed various things,
> then disallowed everything (which logically should include what you've
> previously allowed).
>
> My default policy (first action) is to drop packets, then I open up
> holes for a few things I'm happy about.  Works well for me...
>
> My script starts thus (see below), then I add rules below it:
>
> ## Flush any pre-existing rules:
>
> iptables --flush INPUT
> iptables --flush OUTPUT
> iptables --flush FORWARD
>
> iptables --flush
> iptables --table nat --flush
>
> iptables --delete-chain
> iptables --table nat --delete-chain
>
>
> ## Set default (policy) rules:
>
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
>
>
> Specific rules follow on from here.  Some to explicitly deny things I
> want to take precautions against, and some to allow things I want.


This might be fine for a home machine, but there are situations where the 
INPUT policy should be allow, with accept rules and then deny rules; this is 
important if you run iptables on a highly loaded server, you will very quickly


/usr/local/sbin/iptables -F
/usr/local/sbin/iptables -t nat -F
/usr/local/sbin/iptables -P INPUT DROP
/usr/local/sbin/iptables -P OUTPUT ACCEPT
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Is more than ample for most home users on a single machine; otherwise add in 
forwarding rules and the masq stuff, and that's it.

-- 
Cheers
Res
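The skeleton Res posts above (flush, default DROP on INPUT and FORWARD, then a stateful ESTABLISHED,RELATED accept as the first rule) expanded into a complete script, as an added example that is not from anyone in this thread. It assumes iptables with the state match available, an Internet-facing interface named in WAN_IF (eth0 here, an assumption) and a list of TCP ports to open in TCP_PORTS (22 and 80, also assumptions). DRY_RUN=1, the default, prints the commands instead of executing them so the rule order can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Stateful default-DROP INPUT firewall in the shape discussed in this thread.
# Added example, not code from the original post. Assumes iptables with the
# state match (any modern Linux). WAN_IF and TCP_PORTS below are assumptions.
#
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth0}           # assumption: the Internet-facing interface
TCP_PORTS=${TCP_PORTS:-"22 80"}  # assumption: services that must stay reachable

# Wrapper so the same script can be reviewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_firewall() {
    # Start from a clean slate in the filter and nat tables.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X

    # Default policies: nothing comes in or is forwarded unless a rule says so.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Cheap, high-hit rules first. On a busy host almost every packet belongs
    # to an existing connection, so the stateful rule is the first one the
    # kernel evaluates and the per-port rules below only ever see NEW packets.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i lo -j ACCEPT

    # Explicit holes for new connections to the services we run.
    for port in $TCP_PORTS; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Allow ping, rate limited so the host is not a cheap amplifier.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log what is about to fall through to the DROP policy, rate limited.
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "
}

# Review helper: the INPUT rules in the order the kernel evaluates them,
# one per line, independent of the current DRY_RUN setting.
input_rule_order() {
    ( DRY_RUN=1; apply_firewall ) | grep -- '-A INPUT' | sed 's/.*-A INPUT //'
}

apply_firewall
```

Run it once as is to read the plan, check that the ESTABLISHED,RELATED rule is the first INPUT rule printed by input_rule_order, then rerun with DRY_RUN=0 as root to apply. Because the policy is DROP before any ACCEPT is appended, an interrupted run leaves the host closed rather than open.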

More information about the fedora-list mailing list