[plug] iptables configuration : Accept for Drop by default
Tim White
weirdit at gmail.com
Fri Oct 26 14:52:42 WST 2012
On 26/10/12 16:19, Tim Bowden wrote:
> On Fri, 2012-10-26 at 13:42 +0800, Alexander Hartner wrote:
>> Typically I would configure iptables to have a policy of DROP to
>> prevent all access and then to allow specific port to go through:
>>
>> # iptables -L -n
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> <snip>
>
> This ACCEPT line will catch all traffic, so no rule past this point will
> have any effect. Policy won't even matter. You're letting everything
> through.
>
>
Assuming that there aren't more details we aren't seeing. I've found that
unless you run iptables with -v, you can be missing out on lots of
information!
IMHO, I'd like the policy set to DROP so that if somehow the last REJECT
rule is removed/changed, it drops the packet. Although, when you
accidentally flush all the rules over ssh, you might wish it was set to
ACCEPT!
Tim
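The two points raised in this thread, as an added example that is not code from the original posts: a rule that prints as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" under plain `iptables -L -n` may be a loopback rule (the interface column only appears with -v) or a genuine catch-all that shadows everything after it, and flushing or re-applying rules over ssh needs a safety net. The listings below are constructed samples in the `iptables -L INPUT -n -v` format, and the ruleset, port 22 and the 60-second rollback window are assumptions for illustration. `first_catchall` and `intended_ruleset` run offline; `apply_with_rollback` needs root and real iptables, so it is only defined here, not run.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes ssh on tcp/22 and
# that iptables-save/iptables-restore exist on the host.

# Ruleset (iptables-restore format) that does what the poster intended:
# policy DROP, loopback and established traffic allowed, ssh allowed, then
# an explicit REJECT. The "-i lo" rule is the one that, without -v, prints
# as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" and looks like a catch-all.
intended_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Read `iptables -L INPUT -n -v` output on stdin and print "<rule-number>
# <target>" for the first rule that matches every packet (any proto, any
# in/out interface, any source/destination, no extra match), i.e. the rule
# that makes every later rule and the chain policy irrelevant. Prints
# nothing if there is no such rule. Columns with -v are:
#   pkts bytes target prot opt in out source destination [extra matches]
first_catchall() {
    awk '$1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ && NF >= 9 {
            n++
            if (NF == 9 && $4 == "all" && $6 == "*" && $7 == "*" &&
                $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0") {
                print n, $3
                exit
            }
        }'
}

# Constructed sample: the situation described in the thread, a real
# catch-all ACCEPT as rule 1. Rules 2 and 3 can never be reached.
sample_bad_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234   98K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
}

# Constructed sample: what intended_ruleset looks like once loaded. Rule 1
# is restricted to "lo", so it is not a catch-all; without -v the two
# listings' first rules look identical.
sample_good_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  500   41K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   12   720 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
}

# Safety net for changing rules over ssh: save the live ruleset, start a
# timer that restores it, load the new ruleset, then kill the timer only
# once you have confirmed you can still log in. Needs root; not run here.
apply_with_rollback() {
    ruleset_file=$1
    seconds=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$seconds" && iptables-restore < "$backup" ) &
    rollback_pid=$!
    if ! iptables-restore < "$ruleset_file"; then
        kill "$rollback_pid"
        iptables-restore < "$backup"
        return 1
    fi
    echo "new rules loaded; they revert in ${seconds}s unless you run: kill $rollback_pid"
}

echo "bad listing, first catch-all rule: $(sample_bad_listing | first_catchall)"
echo "good listing, first catch-all rule: $(sample_good_listing | first_catchall)"
# To use on a real host (as root):
#   intended_ruleset > /tmp/rules.v4 && apply_with_rollback /tmp/rules.v4 60
```

On the bad listing `first_catchall` reports rule 1 (ACCEPT); on the good one it reports nothing, because the `lo` interface and the `ctstate` match appear as extra columns only when -v is given, which is the information the plain listing hides. The rollback timer is started before the new rules are loaded, so a ruleset that locks you out is undone without any further input from you.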