On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> I would add an input established on that as well, makes it easier to do
> upgrades.
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Hi Ted:

If you have a moment, could you please explain (for the comparative IPT
nitwits - including me) what that does?

> I wish everyone did implicit DROP's, it would make the web a safer
> place.

IBID

Thanks

> :-)
>
> Ted
>
> On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> >
> > > Thanks Antony...
> > >
> > > Do you have a script or something where I can find protection rules?
> >
> > You tell us what protection you want and we can suggest some rules to do it.
> >
> > There's no single "magic ruleset" for netfilter / iptables which "protects
> > your network", otherwise every distribution would include it as standard.
> >
> > It depends what you want to do.
> >
> > A good starting point is:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> >
> > That will allow nothing in or out of the firewall machine itself, and will
> > allow all access from your internal network to the Internet, blocking
> > everything except reply packets from the Internet to your network.
> >
> > I do not recommend that you simply implement the above rules before you
> > understand what they are designed to do.
> >
> > Check Oskar Andreasson's excellent tutorial for more information about this
> > sort of configuration, or any of the other documentation at
> > http://www.netfilter.org
> >
> > Antony.
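Editor's note, added here as an example and not part of any message in the thread: the script below assembles Antony's "starting point" ruleset together with Ted's INPUT rule, with comments explaining what the conntrack states mean. `-m state --state ESTABLISHED,RELATED` accepts packets that belong to a connection the kernel's connection tracker has already seen traffic for in both directions (ESTABLISHED), or that open a new connection the tracker knows is tied to an existing one, such as ICMP errors for a tracked flow or an FTP data channel (RELATED). Two things in the script go beyond the thread and are my additions: an OUTPUT rule, because with `-P OUTPUT DROP` the firewall cannot send the first packet of an upgrade download itself, so Ted's INPUT rule alone does not make upgrades work; and a loopback ACCEPT on INPUT, which local services need once the INPUT policy is DROP. The interface names `eth0`/`eth1` are assumed placeholders for Antony's `$extIF`/`$intIF`. It runs in dry-run mode by default, so it can be executed without root to inspect the rules; set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread). Builds the ruleset
# discussed above and either prints it (DRY_RUN=1, the default) or applies it.

intIF="${intIF:-eth1}"    # assumed: LAN-facing interface (Antony's $intIF)
extIF="${extIF:-eth0}"    # assumed: Internet-facing interface (Antony's $extIF)
DRY_RUN="${DRY_RUN:-1}"

# Emit the rules, one per line, in the order they must be applied.
# Policies go first so nothing is accepted by default while the chains are
# still being filled. The ESTABLISHED,RELATED rules sit near the top of each
# chain so return traffic is matched before any more specific rule.
ruleset() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
EOF
}
# Meaning of the state rules:
#  - INPUT ESTABLISHED,RELATED (Ted's addition): the firewall box itself may
#    receive replies to connections it opened (apt/yum/wget for upgrades) and
#    related packets such as ICMP errors, but no unsolicited new connections.
#  - OUTPUT NEW,ESTABLISHED,RELATED (my addition): the box may open outbound
#    connections; without this, OUTPUT DROP blocks the first SYN of an upgrade.
#  - FORWARD ESTABLISHED,RELATED plus the intIF->extIF rule (Antony's): hosts
#    behind the firewall may open connections to the Internet and get replies,
#    while the Internet cannot open new connections inward.

# Number of rules in the ruleset (used for sanity checks).
rule_count() {
    ruleset | grep -c .
}

# Print the rules (dry run) or execute them one at a time, stopping on the
# first failure so a half-applied ruleset is noticed.
apply_ruleset() {
    ruleset | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$rule"
        else
            eval "$rule" || { echo "failed: $rule" >&2; return 1; }
        fi
    done
}
```

On current kernels the `state` match is a thin wrapper around the `conntrack` match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the equivalent modern spelling and takes the same state names.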