[plug] iptables configuration : Accept for Drop by default

Alexander Hartner alex at j2anywhere.com
Thu Nov 1 20:19:48 WST 2012


Thanks guys. Really helped me out with this one.


On 26/10/2012, at 1:42 PM, Alexander Hartner <alex at j2anywhere.com> wrote:

> Typically I would configure iptables to have a policy of DROP to prevent all access and then to allow specific ports to go through:
> 
> # iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination         
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
> ….
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination         
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination         
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0        
> 
> However, recently I encountered a system which has its policy set to ACCEPT:
> 
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination       
> 
> 
> I was wondering if this system is secure at all and just badly misconfigured. For some reason it seems to kind of work as traffic is being blocked. Maybe I just don't understand this properly. Any pointers in the right direction would really help me out.
> 
> Thanks in advance
> Alex
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
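
The question above comes down to how a chain ends up rejecting unmatched traffic: by its policy (DROP, which holds even if every rule is flushed) or only by a trailing catch-all REJECT rule (which works while that rule survives and nothing above it accepts first). The following script is an added example for this thread, not code from the original post: it parses an `iptables -L -n` listing, reports for each chain whether it is fail-closed, closed only by a rule, or open, lists rules that sit after the closing rule and can never match, and flags catch-all ACCEPT rules that appear before the closing rule. The sample listings are transcribed from the post; the verdict labels, the function names and the `audit_after_flush` helper are this example's own. One caveat built into the code: `-L -n` without `-v` hides interface matches, so the third `ACCEPT all` rule in the policy-ACCEPT listing may well be `-i lo` but is only reported as "suspect", to be confirmed with `iptables -L -n -v`.

```python
"""Audit an `iptables -L -n` listing for chains that are only closed by a
trailing REJECT/DROP rule rather than by their policy, and for rules that
can never be reached. Added example for the thread above, not part of the
original post. It assumes legacy iptables output with -n and without -v,
which hides the in/out interface columns (see is_catch_all below).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    dest: str
    matches: str  # text after the destination column, target options removed

    def is_catch_all(self) -> bool:
        # With -L -n an -i/-o interface restriction is invisible, so this is
        # "catch-all as far as the listing shows", not an established fact.
        return (self.prot == "all" and self.source == ANY
                and self.dest == ANY and not self.matches)


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -n` output; header, blank and elided lines are skipped."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) == 6 else ""
        # "reject-with X" is an option of the REJECT target, not a packet match
        extra = re.sub(r"reject-with \S+", "", extra).strip()
        current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def audit_chain(chain: Chain) -> dict:
    """Classify how the chain disposes of traffic no specific rule accepts."""
    closing = None           # 1-based index of the first catch-all DROP/REJECT
    suspect_accepts = []     # catch-all ACCEPTs that sit before the closing rule
    for i, r in enumerate(chain.rules, start=1):
        if r.target not in TERMINAL or not r.is_catch_all():
            continue
        if r.target == "ACCEPT":
            if closing is None:
                suspect_accepts.append(i)
        elif closing is None:
            closing = i
    # anything after a catch-all REJECT/DROP can never be evaluated
    unreachable = list(range(closing + 1, len(chain.rules) + 1)) if closing else []
    if chain.policy == "DROP":
        verdict = "fail-closed"      # policy drops the remainder even with no rules
    elif closing:
        verdict = "closed-by-rule"   # safe only while the closing rule exists
    else:
        verdict = "open"             # policy ACCEPT and nothing rejects the rest
    return {"chain": chain.name, "policy": chain.policy, "verdict": verdict,
            "closing_rule": closing, "unreachable": unreachable,
            "suspect_accepts": suspect_accepts}


def audit(text: str) -> Dict[str, dict]:
    return {name: audit_chain(ch) for name, ch in parse_listing(text).items()}


def audit_after_flush(text: str) -> Dict[str, str]:
    """Verdict per chain if someone runs `iptables -F`: rules go, policies stay."""
    return {name: audit_chain(Chain(name, ch.policy))["verdict"]
            for name, ch in parse_listing(text).items()}


# Transcribed from the policy-ACCEPT listing in the post.
POLICY_ACCEPT_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Abridged from the policy-DROP listing in the post (constructed subset).
POLICY_DROP_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    for label, listing in (("policy ACCEPT", POLICY_ACCEPT_LISTING),
                           ("policy DROP", POLICY_DROP_LISTING)):
        print(f"== {label} ==")
        for name, result in audit(listing).items():
            print(f"{name}: {result['verdict']}, closing rule {result['closing_rule']}, "
                  f"suspect ACCEPTs {result['suspect_accepts']}, "
                  f"after -F: {audit_after_flush(listing)[name]}")
```

Run against the post's second listing, INPUT and FORWARD come out as "closed-by-rule" and OUTPUT as "open"; after a flush all three are "open", while the policy-DROP INPUT chain stays "fail-closed". That is the practical difference between the two setups: the ACCEPT-policy box really does block traffic today, but only because the last rule does the work, and the unconditional-looking `ACCEPT all` rule before it needs the `-v` listing to confirm it is restricted to an interface.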
