I would add an INPUT established rule on that as well; it makes it easier to do upgrades.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I wish everyone did implicit DROPs, it would make the web a safer place. :-)

Ted

On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
>
> > Thanks Antony...
> >
> > Do you have a script or something where I can find protection rules?
>
> You tell us what protection you want and we can suggest some rules to do it.
>
> There's no single "magic ruleset" for netfilter / iptables which "protects
> your network", otherwise every distribution would include it as standard.
>
> It depends what you want to do.
>
> A good starting point is:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
>
> That will allow nothing in or out of the firewall machine itself, and will
> allow all access from your internal network to the Internet, blocking
> everything except reply packets from the Internet to your network.
>
> I do not recommend that you simply implement the above rules before you
> understand what they are designed to do.
>
> Check Oskar Andreasson's excellent tutorial for more information about this
> sort of configuration, or any of the other documentation at
> http://www.netfilter.org
>
> Antony.
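As an added example that is not code from the thread, here is the ruleset Antony sketched plus Ted's INPUT rule as a reviewable script; the interface names, the IPT variable and the review function are assumptions. One caveat the thread does not spell out: with OUTPUT policy DROP, the firewall host itself cannot start an upgrade download without a matching OUTPUT rule, so one is included and marked as such.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ruleset Antony sketched,
# plus Ted's INPUT rule, as a function that can be reviewed before it is
# applied. Interface names are assumed placeholders; set IPT=echo to dry-run.
intIF="${intIF:-eth1}"      # internal LAN interface (assumed name)
extIF="${extIF:-eth0}"      # Internet-facing interface (assumed name)
IPT="${IPT:-iptables}"      # the real binary needs root; IPT=echo just prints

build_ruleset() {
    $IPT -F                  # start from empty chains so re-runs are idempotent
    # Implicit DROP: anything not matched by an ACCEPT rule below is dropped
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Replies to connections the LAN opened are let back in
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may open anything towards the Internet; nothing is forwarded
    # from the outside unless it belongs to such a connection
    $IPT -A FORWARD -i "$intIF" -o "$extIF" -j ACCEPT
    # Ted's addition: replies to connections the firewall host itself opened
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Not in the thread: with OUTPUT policy DROP, the host cannot send the
    # first packet of an upgrade download without a matching OUTPUT rule
    $IPT -A OUTPUT -o "$extIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Dry run: print the commands instead of loading them into the kernel
ruleset_text() {
    ( IPT=echo; build_ruleset )
}

# Review the dry-run output: every chain must have an explicit DROP policy,
# and no FORWARD rule may accept traffic arriving on the external interface
# outside of an established connection. Returns 0 when the ruleset passes.
review_ruleset() {
    rules=$(ruleset_text)
    for chain in INPUT OUTPUT FORWARD; do
        echo "$rules" | grep -q -- "-P $chain DROP" || return 1
    done
    if echo "$rules" | grep -- "-A FORWARD -i $extIF" | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Usage: review first, then load for real (as root) once satisfied
#   review_ruleset && build_ruleset
```

Run it with IPT=echo first and read the printed rules; only call build_ruleset with the real binary once review_ruleset returns 0.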