[plug] iptables configuration : Accept for Drop by default
Adrian at Diskworld.com.au
Mon Oct 29 10:17:28 WST 2012
I tend to agree with Tony; it doesn't really matter whether you use a
REJECT policy or REJECT as the last rule in the chain. In general I use
an explicit REJECT, so it's obvious where the REJECTs are happening.
At the other end of the chain, the first rules I use split the traffic
into distinct flows, i.e.:
-A INPUT -i ppp0 -j NETIN
-A INPUT -i eth0 -j LANIN
-A FORWARD -i ppp0 -o eth0 -j NETTOLAN
-A FORWARD -i eth0 -o ppp0 -j LANTONET
From there the details of each chain can be specified. One big
advantage of this system is that you can easily reuse the NETIN, LANIN,
etc. chains from machine to machine, only needing to adjust the "-i
ppp0", etc. to match the specific scenario (i.e. ppp vs ethernet WAN
connection, eth interface vs bridge LAN, etc.).
It's also pretty important to have a "-A INPUT -i lo -j ACCEPT" early
on in your rules, especially if you're setting a REJECT policy. I also
rely pretty heavily on "-A LANIN -m state --state ESTABLISHED -j
ACCEPT". This allows traffic flows for TCP connections which are already
allowed/trusted to pass early without having to traverse the rest of the
On 2012-10-29 07:36, Tony Breeds wrote:
> On Fri, Oct 26, 2012 at 01:42:30PM +0800, Alexander Hartner wrote:
>> I was wondering if this system is secure at all and just badly
>> misconfigured. For some reason it seems to kind of work as traffic
>> being blocked. Maybe I just don't understand this properly. Any
>> pointers in the right direction would really help me out.
> It's not a problem as the:
> "REJECT all -- 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-host-prohibited"
> Will reject anything so the default will never need to be applied.
> It has the dubious advantage that if you do "iptables -F" you won't be
> locked out of your machine.
> They look like a pretty default set of rules on a RHEL system.
> Yours Tony