iptables support?

jdow jdow at earthlink.net
Sat Dec 10 08:41:29 UTC 2005


From: "Tim" <ignored_mailbox at yahoo.com.au>

> On Fri, 2005-12-09 at 17:51 -0500, James Kosin wrote:
>> Iptables should be kept simple and to the point.
>> 
>> (1)  At the bottom (last line) DISALLOW everything.
>> (2)  Insert above rule #1 anything you want to allow.
> 
> Shouldn't that be the other way around?  You've allowed various things,
> then disallowed everything (which logically should include what you've
> previously allowed).
> 
> My default policy (first action) is to drop packets, then I open up
> holes for a few things I'm happy about.  Works well for me...
> 
> My script starts thus (see below), then I add rules below it:
> 
> ## Flush any pre-existing rules:
> 
> iptables --flush INPUT
> iptables --flush OUTPUT
> iptables --flush FORWARD
> 
> iptables --flush
> iptables --table nat --flush
> 
> iptables --delete-chain
> iptables --table nat --delete-chain
> 
> 
> ## Set default (policy) rules:
> 
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
> 
> 
> Specific rules follow on from here.  Some to explicitly deny things I
> want to take precautions against, and some to allow things I want.

No.

This leads off my set of rules:
echo "  Clearing any existing rules and setting default policy to DROP.."
# $IPTABLES holds the path to the iptables binary; assumed to be set earlier in the script
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


THEN I worry about ALLOWING things through.

There is a catchall "it fell out the bottom, I'm dropping it anyway,
but let's report it, too" rule down at the bottom of each section.
This way the rules leave the machine open as close to zero time as
it's possible to manage.

{^_^}
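A complete script built the way this thread argues, as an added example that is not either poster's own code: the policy is set to DROP before the chains are flushed, the allow rules are added after that, and each chain ends with a rate-limited log-and-drop catch-all. It runs in dry-run mode (the rules are echoed, nothing is applied) unless FW_APPLY=1 is set; the SSH port, the log prefix and the fw_* function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread, not either poster's script.
# Order: policy DROP first, flush, explicit allows, then a log-and-drop catch-all.
# Dry run by default: rules are echoed. FW_APPLY=1 runs the real binary (needs root).
# SSH_PORT, the log prefix and the function names are assumptions for this example.

IPT="${IPT:-echo}"
if [ "${FW_APPLY:-0}" = "1" ]; then
    IPT=iptables
fi
SSH_PORT="${SSH_PORT:-22}"

fw_reset() {
    # Set the policy to DROP before flushing: flushing a chain whose policy is
    # still ACCEPT leaves the box wide open until the allow rules are back.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
        $IPT -F "$chain"
    done
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

fw_allow() {
    # Loopback and connection tracking first, so replies to our own
    # connections (DNS, updates, the SSH session running this script) return.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # The holes we are happy about: inbound SSH (new connections) and ping.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

fw_catchall() {
    # "It fell out the bottom": log it (rate-limited so a flood cannot fill
    # the log), then drop it. The policy already drops, so the explicit DROP
    # mainly gives a per-chain counter and makes the intent visible in -L -v.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "FW-$chain-DROP: "
        $IPT -A "$chain" -j DROP
    done
}

fw_apply() {
    fw_reset
    fw_allow
    fw_catchall
}

# Helpers for checking the generated ruleset without touching the kernel.
fw_dry_run() {
    ( IPT=echo; fw_apply )
}

# Last rule appended to a chain; with the ordering above it is always "-j DROP".
fw_last_rule() {
    fw_dry_run | grep -- "^-A $1 " | tail -n 1
}

# Number of LOG rules: one per chain.
fw_log_rule_count() {
    fw_dry_run | grep -c -- '-j LOG'
}

fw_apply
```

Run it once without FW_APPLY to read the rules it would load, then with FW_APPLY=1 as root. The -P lines come before the -F lines so that the window in which the machine is open is the time between the policy change and the first allow rule, not the time the old rules spend flushed under an ACCEPT policy.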




More information about the fedora-list mailing list