Re: IPTables help




On Friday 23 May 2008 23:25:36 Joseph L. Casale wrote:
> >Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please
> > mind the word wrap):
> >#Clear all rules and policies first:
> >iptables -P INPUT ACCEPT
> >iptables -P OUTPUT ACCEPT
> >iptables -P FORWARD ACCEPT
> >iptables -F
> >iptables -t nat -F
>
> I misunderstand this, if the default policy is to accept, then how does
> this work (I thought it was wise to make it Drop)? In terms of Cisco ACL's,
> how does iptables work, does it simply continue processing until it sees
> something explicitly denying if the default policy is ACCEPT, versus DROP,
> will it continue processing until it sees something explicitly allowing?

The reason we 'clear' all the policies and rules at the start is to make sure 
that there are no 'overlapping/contradicting' ones. So, if our iptables 
is 'brand new' from CentOS with nothing in it, there's no need to clear them. 
But it's good practice to clear them FIRST to avoid headaches later or an 
accidental lockout.

> >#Finally dropping all other traffic (positive list firewall):
> >iptables -P INPUT DROP
> >iptables -P OUTPUT DROP
> >iptables -P FORWARD DROP
>
> So here you now restate the default policy? I thought you could only
> define this once?

Yes, we finally define the MOST strict one at the END of the rules. Why? 
Because if we define it at the START of the rules, we will effectively be 
locked out of our box :) (if we use ssh, or the X window is hanging, etc.).

Actually I have written a small tutorial on iptables, but I haven't translated 
it into English. I'll let you know when it's done. Hopefully it will be 
useful for others.
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
08:30:55 up 19 min, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.
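The load order discussed above (permissive policies and flush first, allow rules next, DROP policies last) written out as one script. This is an added example, not part of the mail or of Fajar's tutorial; it assumes the eth0=WAN / eth1=LAN / 192.168.0.0/24 layout from the quoted message, allows SSH only from the LAN, and defaults to a dry run that just prints the commands (set IPTABLES to the real binary and run as root to apply them). The order check at the end is the one thing a practitioner should verify before trusting such a script on a remote box: the SSH allow rule must be installed before INPUT is switched to DROP.

```shell
#!/bin/sh
# Added example (not from the thread): lockout-safe iptables load order.
# Defaults to a dry run; IPTABLES=/sbin/iptables applies the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
WAN=eth0                   # assumed WAN interface (from the quoted mail)
LAN=eth1                   # assumed LAN interface (from the quoted mail)
LAN_NET=192.168.0.0/24     # assumed LAN subnet (from the quoted mail)

# Emits the complete rule set in an order that never leaves the box unreachable:
#   1) permissive policies + flush, so no stale rule can conflict or lock us out
#   2) allow rules (iptables is first-match: the first matching rule decides)
#   3) DROP policies only at the very end, once every allow rule is in place
load_firewall() {
    # 1) clean, permissive slate
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F

    # 2) allow rules
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # 3) only now switch the default policies to DROP (positive-list firewall)
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
}

# Sanity check on the dry-run output: the SSH allow rule must be emitted
# before "-P INPUT DROP", otherwise a remote admin is cut off mid-load.
check_order() {
    out=$( IPTABLES="echo iptables"; load_firewall )
    ssh_line=$(printf '%s\n' "$out" | grep -n -- '--dport 22' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$out" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

check_order || { echo "rule order is unsafe, refusing to load" >&2; exit 1; }
load_firewall
```

In dry-run mode the script prints the 15 commands in the order they would be applied; the check_order function is what you would keep when adapting it to your own interfaces and ports.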


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
