Linode Forum
https://forum.linode.com/

iptables firewall
https://forum.linode.com/viewtopic.php?f=19&t=3972
Page 1 of 1

Author:  davejones [ Tue Mar 10, 2009 3:27 pm ]
Post subject:  iptables firewall

Hi. I'm new to linode and although I have been playing with GNU/Linux since circa 1992 I am by no means an expert.

I followed the iptables guide at http://www.linode.com/wiki/index.php/Ne ... to#Scripts and all went well. However, my iptables -nL looks like this, and I'm not sure if I'm good to go or not.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:22 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:www state NEW
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp spts:1024:65535 dpt:domain
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED multiport dports www,https multiport sports 1024:65535
DROP       all  --  anywhere             anywhere           


I'm basically worried about the 'ACCEPT all' rules in the filter tables and I'm wondering if they are what they appear to be - and if so why?

Should I be worried?

Author:  jsr [ Tue Mar 10, 2009 3:40 pm ]
Post subject:  Re: iptables firewall

davejones wrote:
Should I be worried?


Probably not. If you are using the script from the wiki then that rule is accepting packets from loopback (your own machine). Run your iptables list with a "-v" so it shows the interfaces and packet counts so you can see if everything is hitting that first rule or not.

Author:  davejones [ Tue Mar 10, 2009 3:41 pm ]
Post subject: 

Ah brilliant. Thanks for that explanation jsr!

Author:  fukawi2 [ Tue Mar 10, 2009 10:02 pm ]
Post subject: 

The default policy for all your chains is ACCEPT, so the ACCEPT rules make no difference really ;)

You need to change your default policy to REJECT or DROP for the rules to actually matter:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Forgive me if I'm telling you something you already know, but you didn't mention it in your post, so I figured I better say something...

Author:  jsr [ Tue Mar 10, 2009 11:14 pm ]
Post subject: 

The final rule is to drop everything, which basically accomplishes the same thing as setting the default.

Author:  fukawi2 [ Tue Mar 10, 2009 11:20 pm ]
Post subject: 

jsr wrote:
The final rule is to drop everything, which basically accomplishes the same thing as setting the default.

Ah, yes... Ignore me :oops:
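Added example, not from any poster in this thread: a small POSIX sh/awk audit that reads `iptables -nvL` output and checks both points raised above, that an `ACCEPT all` rule is tied to the loopback interface (the in/out columns only appear with `-v`, as jsr says), and that each chain is closed by either a DROP policy or a trailing catch-all DROP, as in the original listing. The sample listing is constructed for the example.

```shell
#!/bin/sh
# audit_listing: read an `iptables -nvL` listing on stdin and print one line per chain:
#   <chain> <policy> <unrestricted-ACCEPT-all-count> <closed|OPEN>
# "unrestricted ACCEPT all" = ACCEPT with no protocol, interface or match at all. A chain
# is "closed" when its policy is DROP or its last rule is a catch-all DROP/REJECT.
audit_listing() {
    awk '
    function report() {
        if (chain == "") return
        closed = (policy == "DROP" || lastdrop) ? "closed" : "OPEN"
        printf "%s %s %d %s\n", chain, policy, open, closed
    }
    /^Chain / {
        report()
        chain = $2; open = 0; lastdrop = 0
        policy = ($3 == "(policy") ? $4 : "-"   # user-defined chains have no policy
        sub(/\)$/, "", policy)                  # non-verbose form reads "(policy ACCEPT)"
        next
    }
    NF == 0 || $1 == "pkts" || $1 == "target" { next }   # blank and column-header lines
    {
        # verbose columns: pkts bytes target prot opt in out source destination [matches]
        catchall = ($4 == "all" && $6 == "*" && $7 == "*" && NF == 9)
        if ($3 == "ACCEPT" && catchall) open++
        lastdrop = (($3 == "DROP" || $3 == "REJECT") && catchall)
    }
    END { report() }'
}

# Constructed sample (not from the post) in -nvL format. INPUT: loopback ACCEPT bound to
# lo and a trailing DROP. FORWARD: policy ACCEPT and no rules, so wide open.
# OUTPUT: an ACCEPT all with in=* out=* and no match, i.e. truly unrestricted.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
 1234 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   19  1140 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  5280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# On a live box: iptables -nvL | audit_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

One reason to still prefer `-P INPUT DROP` over relying on the trailing rule: `iptables -F` removes that final DROP along with everything else but leaves the policy in place, so a flushed chain with policy ACCEPT is wide open until the script is re-run.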
