Re: XMAS and NMAP scanning.... With default rules dropping all packets

On Saturday 14 December 2002 04:09 am, Didier Hung Wan Luk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi people,
>
> I was wondering whether I really need to include these rules if I am
> already using a default rule of DROP for INPUT, OUTPUT and FORWARD
> chains.
>
> Default rule:-
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Do I really need these rules to protect me from these scans?
>
> iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
> #nmap NULL-Packets drop
> iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
> iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

It depends on the construction of your ACCEPT rules, but probably yes.  
If a packet arrives that matches one of these, and it would also match 
an ACCEPT rule in the same chain, then removal of these rules will allow 
it through.  These drops would need to be first, or at least very early, 
in your chain as well.

j
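
The ordering point in the reply, worked through as an added example (this is a constructed model of first-match chain evaluation, not code from the thread and not iptables itself). It assumes a typical `-A INPUT -p tcp --dport 80 -j ACCEPT` rule that the original poster did not show, and models `--tcp-flags MASK COMP` the way the iptables manual defines it: only the bits in MASK are examined, and exactly the bits in COMP must be set among them, with `ALL` meaning SYN,ACK,FIN,RST,URG,PSH. With a DROP policy alone, a NULL or all-flags packet aimed at port 80 still matches the ACCEPT rule and gets through; the flag drops only help when they sit ahead of it, which is what `-I` (insert at the head of the chain) does when the drops are loaded after the ACCEPT rules. One caveat worth knowing: an nmap `-sX` probe sets FIN, PSH and URG only, so `--tcp-flags ALL ALL` does not match it; a `--tcp-flags ALL FIN,PSH,URG` rule does.

```python
"""Constructed model (not iptables itself) of first-match evaluation in a
netfilter chain, to show why a DROP policy alone does not stop XMAS/NULL
packets that also match an ACCEPT rule, and why the --tcp-flags DROP rules
must sit ahead of the ACCEPT rules."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The six flag bits iptables' "ALL" keyword covers: SYN,ACK,FIN,RST,URG,PSH.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # iptables "ALL"
NONE = 0x00  # iptables "NONE"


def parse_flags(spec: str) -> int:
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    return sum(FLAGS[name] for name in spec.split(","))


@dataclass
class Packet:
    proto: str
    dport: int
    flags: int = 0


@dataclass
class Rule:
    target: str                                  # ACCEPT or DROP
    proto: Optional[str] = None                  # -p tcp
    dport: Optional[int] = None                  # --dport N
    tcp_flags: Optional[Tuple[int, int]] = None  # --tcp-flags MASK COMP

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.tcp_flags is not None:
            mask, comp = self.tcp_flags
            # --tcp-flags MASK COMP: look only at the bits in MASK and
            # require exactly the bits in COMP to be set among them.
            if pkt.flags & mask != comp:
                return False
        return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; first match decides, else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def flag_drop(spec: str) -> Rule:
    """Model of: iptables -p tcp --tcp-flags ALL <spec> -j DROP"""
    return Rule("DROP", proto="tcp", tcp_flags=(ALL, parse_flags(spec)))


# The poster's two drop rules in model form, plus an assumed ACCEPT for a
# web server (the post did not show its ACCEPT rules).
ACCEPT_HTTP = Rule("ACCEPT", proto="tcp", dport=80)
DROP_ALL_SET = flag_drop("ALL")   # --tcp-flags ALL ALL  -j DROP
DROP_NULL = flag_drop("NONE")     # --tcp-flags ALL NONE -j DROP

# Constructed probe packets, all aimed at tcp/80.
SYN_TO_80 = Packet("tcp", 80, FLAGS["SYN"])                       # normal connect
ALLFLAGS_TO_80 = Packet("tcp", 80, ALL)                           # every flag set
NULL_TO_80 = Packet("tcp", 80, NONE)                              # nmap -sN
NMAP_XMAS_TO_80 = Packet("tcp", 80, parse_flags("FIN,PSH,URG"))   # nmap -sX


def verdicts(chain: List[Rule]) -> dict:
    """Verdict for each probe under a DROP policy, for a given chain order."""
    probes = {"syn": SYN_TO_80, "allflags": ALLFLAGS_TO_80,
              "null": NULL_TO_80, "nmap_xmas": NMAP_XMAS_TO_80}
    return {name: evaluate(chain, "DROP", pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    # Policy DROP alone: the ACCEPT for port 80 lets the odd packets through.
    print("ACCEPT only          :", verdicts([ACCEPT_HTTP]))
    # Flag drops inserted with -I land ahead of the ACCEPT and win.
    print("drops first          :", verdicts([DROP_ALL_SET, DROP_NULL, ACCEPT_HTTP]))
    # The same rules appended after the ACCEPT are never consulted for port 80.
    print("drops after ACCEPT   :", verdicts([ACCEPT_HTTP, DROP_ALL_SET, DROP_NULL]))
    # nmap -sX sets FIN,PSH,URG only; "ALL ALL" does not match it, "ALL FIN,PSH,URG" does.
    print("with FIN,PSH,URG drop:", verdicts([flag_drop("FIN,PSH,URG"), DROP_ALL_SET,
                                               DROP_NULL, ACCEPT_HTTP]))
```

Running it prints the verdict table for the four chain orders; the second and third lines are the reply's point in miniature, since the only difference between them is whether the flag drops precede the ACCEPT. Packets to a port with no ACCEPT rule (say tcp/22 here) fall through to the DROP policy in every order, which is the case where the policy alone does suffice.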
