Re: Final IPTables script (hopefully)


> -----Original Message-----
> From: Jason Williams [mailto:jwilliams@xxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, December 28, 2004 11:48 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Final IPTables script (hopefully)
> 
> Hello everyone.
> 
> Back from a much needed vacation today and started back at IPTables. After 
> reading up on a lot of documentation and taking some very good advice from 
> this list, here is what I have come up with, in hopes of getting it right, 
> to act as a personal firewall for my home network.
> 
[...]
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
[...]
> $IPTABLES -A OUTPUT -j ACCEPT
> 
[...]
Looks pretty good...except you have the policy for OUTPUT set to DROP, but you are allowing all unmatched traffic on OUTPUT to pass through.  If you want to allow all traffic outbound you may want to eliminate the line: $IPTABLES -A OUTPUT -j ACCEPT and change your OUTPUT policy to ACCEPT.

If you want to really tighten the belt so to speak and leave the policy for OUTPUT to drop, you might want to consider using nmap, strace, and log all dropped packets for a while and set rules specifically for outbound traffic.

I say looks good otherwise...if you plan on admining the box via remote interfaces make sure to leave yourself a way in :)

~Regards,
Chris
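An added example, not the script from the thread, of the tighter approach Chris describes: the OUTPUT policy stays DROP, only named services get an explicit outbound rule, and a rate-limited LOG rule records what falls through to the policy so the rule set can be refined from the log. The interface name, the service list and the dry-run default (it prints the commands unless IPTABLES is pointed at the real binary) are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Default is a dry run that
# prints the rules; set IPTABLES=/sbin/iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface name

# Explicit policies. OUTPUT stays DROP, so only flows matched by a rule
# below leave the box; there is no catch-all ACCEPT at the end.
set_policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F OUTPUT
}

# Loopback and packets belonging to connections already tracked.
allow_established_out() {
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# allow_out <proto> <dport>: one explicit rule per outbound service.
allow_out() {
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p "$1" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

# Rate-limited LOG of whatever will fall through to the DROP policy.
# Watch these entries for a while and add allow_out rules for the
# traffic that turns out to be legitimate.
log_dropped_out() {
    $IPTABLES -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "OUT-DROP: " --log-level 4
}

build_output_rules() {
    set_policies
    allow_established_out
    allow_out udp 53    # DNS
    allow_out tcp 53
    allow_out tcp 80    # HTTP
    allow_out tcp 443   # HTTPS
    allow_out udp 123   # NTP
    log_dropped_out     # must come last, just before the policy applies
}

build_output_rules
```

Rule order matters: the LOG rule only sees packets no earlier ACCEPT matched, so it must stay the last rule in the chain.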
