[plug] iptables configuration : Accept for Drop by default

Adrian Woodley Adrian at Diskworld.com.au
Mon Oct 29 10:17:28 WST 2012


I tend to agree with Tony; it doesn't really matter whether you use a 
REJECT policy or REJECT as the last rule in the chain. In general I use 
an explicit REJECT, so it's obvious where the REJECTs are happening.

At the other end of the chain, the first rules I use split the traffic 
into distinct flows, ie:

-N NETIN
-N LANIN
-N NETTOLAN
-N LANTONET
-A INPUT -i ppp0 -j NETIN
-A INPUT -i eth0 -j LANIN
-A FORWARD -i ppp0 -o eth0 -j NETTOLAN
-A FORWARD -i eth0 -o ppp0 -j LANTONET

From there the details of each chain can be specified. One big 
advantage of this system is that you can easily reuse the NETIN, LANIN, 
etc chains from machine to machine, only needing to adjust the "-i 
ppp0", etc to match the specific scenario (ie ppp vs ethernet WAN 
connection, eth interface vs bridge LAN, etc).

It's also pretty important to have a "-A INPUT -i lo -j ACCEPT" early 
on in your rules, especially if you're setting a REJECT policy. I also 
rely pretty heavily on "-A LANIN -m state --state ESTABLISHED -j 
ACCEPT". This allows traffic flows for TCP connections which are already 
allowed/trusted to pass early without having to traverse the rest of the 
chain.

Cheers,

Adrian

On 2012-10-29 07:36, Tony Breeds wrote:
> On Fri, Oct 26, 2012 at 01:42:30PM +0800, Alexander Hartner wrote:
>
>> I was wondering if this system is secure at all and just badly
>> misconfigured. For some reason it seems to kind of work as traffic is
>> being blocked. Maybe I just don't understand this properly. Any
>> pointers in the right direction would really help me out.
>
> It's not a problem as the:
>
> "REJECT     all  --  0.0.0.0/0            0.0.0.0/0
> reject-with icmp-host-prohibited"
>
> Will reject anything so the default will never need to be applied.
>
> It has the dubious advantage that if you do "iptables -F" you won't get
> locked out of your machine.
>
> They look like a pretty default set of rules on a RHEL system.
>
> Yours Tony
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership

-- 
Regards,

Adrian
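The per-flow chain layout described in the post above, written out as a complete iptables-restore ruleset. This is an added example, not a ruleset from the thread; the WAN/LAN interface names are parameters (assumed ppp0/eth0 in the usage), the ESTABLISHED rule is placed in INPUT and FORWARD rather than only LANIN so every flow benefits from it, and the ssh rule in LANIN is illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset with
# the per-flow chain layout described above (NETIN, LANIN, NETTOLAN,
# LANTONET), parameterised on the WAN and LAN interface names so the same
# chains can be reused across machines. The ESTABLISHED rule is placed in
# INPUT/FORWARD rather than only LANIN so every flow benefits from it.
gen_ruleset() {
    wan="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NETIN - [0:0]
:LANIN - [0:0]
:NETTOLAN - [0:0]
:LANTONET - [0:0]
# Loopback first, before any rule can reject it
-A INPUT -i lo -j ACCEPT
# Already-allowed flows pass early instead of walking the whole chain
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Split traffic into distinct flows by interface
-A INPUT -i $wan -j NETIN
-A INPUT -i $lan -j LANIN
-A FORWARD -i $wan -o $lan -j NETTOLAN
-A FORWARD -i $lan -o $wan -j LANTONET
# Per-flow details (illustrative): LAN may ssh to this box and reach the WAN
-A LANIN -p tcp --dport 22 -j ACCEPT
-A LANTONET -j ACCEPT
# Explicit REJECT as the last rule of each chain, so it is obvious where
# rejects happen; the ACCEPT policy above is then never reached
-A NETIN -j REJECT --reject-with icmp-host-prohibited
-A LANIN -j REJECT --reject-with icmp-host-prohibited
-A NETTOLAN -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Ordering check: the loopback ACCEPT must come before the first REJECT
# that could match it in INPUT; returns non-zero if the layout is wrong.
check_ruleset() {
    rules=$(gen_ruleset "$1" "$2")
    lo=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    rej=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .*-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$lo" ] && [ -n "$rej" ] && [ "$lo" -lt "$rej" ]
}
```

Load with `gen_ruleset ppp0 eth0 | iptables-restore` after running `check_ruleset ppp0 eth0`; swap the two names for a bridge LAN or ethernet WAN without touching the chain bodies.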

