[plug] iptables configuration : Accept for Drop by default
Tim Bowden
tim.bowden at mapforge.com.au
Fri Oct 26 15:07:34 WST 2012
On Fri, 2012-10-26 at 16:52 +1000, Tim White wrote:
> On 26/10/12 16:19, Tim Bowden wrote:
> > On Fri, 2012-10-26 at 13:42 +0800, Alexander Hartner wrote:
> >> Typically I would configure iptables to have a policy of DROP to
> >> prevent all access and then to allow specific port to go through:
> >>
> >> # iptables -L -n
> >> Chain INPUT (policy DROP)
> >> target prot opt source destination
> >> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> > <snip>
> >
> > This ACCEPT line will catch all traffic, so no rule past this point will
> > have any effect. Policy won't even matter. You're letting everything
> > through.
> >
> >
> Assuming that there aren't more details we aren't seeing. I've found
> unless you run iptables with -v, you can be missing out on lots of
> information!
>
Very true. I have a script called ipl (iptables list):

#!/bin/bash
# List every chain with packet/byte counters (-v) and numeric addresses (-n),
# paged so a long rule set does not scroll off the screen.
clear
iptables -nvL | more

Very handy.
> IMHO, I'd like the policy set to DROP so that if somehow the last REJECT
> rule is removed/changed, that it drops the packet. Although, when you
> accidentally flush all the rules over ssh, you might wish it was set to
> ACCEPT!
Been there, done that. Doesn't even take a full flush. One wrong
rule...
Can be *very* painful.
Tim
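An added example, not from Tim's reply or anyone else on the thread: a small audit helper that reads `iptables -nvL` output and flags the situation discussed above, a rule that matches every packet while rules still follow it, or an ACCEPT-all that makes a DROP policy meaningless. The two listings embedded in it are constructed samples; the function and variable names are my own.

```shell
# Added audit helper (not from the thread): read `iptables -nvL` output and flag
# a rule that matches every packet while rules still follow it, or that ACCEPTs
# everything, since then neither the later rules nor a DROP policy ever apply.
# It needs the -v listing: without -v the in/out interface columns are hidden,
# so a rule limited to e.g. -i lo would look like a catch-all.
# Constructed sample reproducing the thread's listing: ACCEPT all as rule 1.
BAD_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
'

# Constructed sample of the intended layout: specific rules, then a final REJECT.
GOOD_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
'

# Reads a listing on stdin and prints one line per offending rule.
# Exit status 1 if anything was flagged, 0 if the listing is clean.
find_catchall_rules() {
    awk '
        function report() {
            if (catch_pos > 0 && (catch_target == "ACCEPT" || n > catch_pos)) {
                found = 1
                printf "%s: rule %d (%s) matches every packet; %d later rule(s) and the chain policy never apply\n", chain, catch_pos, catch_target, n - catch_pos
            }
        }
        /^Chain / { report(); chain = $2; n = 0; catch_pos = 0; next }
        /^ *pkts +bytes/ || /^ *$/ { next }
        {
            n++
            # Columns: pkts bytes target prot opt in out source destination [matches]
            # Exactly 9 columns with any protocol ("all", or "0" on newer iptables),
            # any interface and any address: such a rule cannot fail to match.
            if (catch_pos == 0 && NF == 9 && ($4 == "all" || $4 == "0") &&
                $6 == "*" && $7 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0") {
                catch_pos = n; catch_target = $3
            }
        }
        END { report(); exit (found ? 1 : 0) }
    '
}

# Demo on the samples; on a live host: iptables -nvL | find_catchall_rules
if ! printf '%s' "$BAD_LISTING" | find_catchall_rules; then echo "bad listing flagged"; fi
printf '%s' "$GOOD_LISTING" | find_catchall_rules && echo "good listing clean"
```

A final catch-all REJECT is deliberately left alone, since that is the usual last rule; only a catch-all that shadows later rules, or an ACCEPT-all, is reported.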