>iptables -P INPUT DROP
>iptables -P FORWARD DROP
>
>VS
>
>iptables -P INPUT ACCEPT
>iptables -P FORWARD ACCEPT
>...(other stuff here)...
>iptables -A INPUT -j DROP
>iptables -A FORWARD -j DROP
>
>Which is preferred for security and why?

Both equally work well. It's just a matter of which side you tackle the
problem from.

Compare with 3D engine editing:

A Quake2 map starts with "air" and you have to add walls - that's like
-P ACCEPT and -j REJECT/DROP.

An Unreal map starts with "everything filled" and you have to subtract
rooms - like -P DROP and -j ACCEPT.

In fact, sometimes it is wise to alternate between the two methods within
the same table. I've got this in some ruleset:

-P INPUT DROP
-p tcp -m multiport --dport someservices -j ACCEPT
(denying all other traffic)

-P OUTPUT ACCEPT
-o $internal -j DROP
(allowing all other interfaces)

Just like Apache's "Order allow,deny" if you need another inspiration for
comparison.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
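The two styles discussed above, written out side by side as an added example (my own script, not code from Jan's post or from the netfilter project). It emits each variant as iptables-restore(8) input, so it never touches a live firewall, and then walks the resulting INPUT chain for a sample packet to show that both give the same verdict. The allowed ports (22, 80), the `lo` and `ESTABLISHED,RELATED` rules standing in for the post's "...(other stuff here)...", the inbound interface `eth0` and the internal interface `eth1` are all assumptions made for the example.

```shell
#!/bin/sh
# Two equivalent ways to express "drop everything not explicitly allowed",
# written out as iptables-restore(8) input so nothing here touches a live
# firewall. Assumed: the allowed TCP ports, the "lo" and conntrack rules
# standing in for the post's "...(other stuff here)...", and eth1 as the
# internal interface.

# ruleset MODE "PORTS" [INTERNAL_IFACE]
#   policy-drop : -P INPUT DROP plus explicit ACCEPTs              (Unreal style)
#   rule-drop   : -P INPUT ACCEPT, explicit ACCEPTs, final -j DROP (Quake2 style)
# OUTPUT uses the opposite technique in both cases, as in the post:
# default ACCEPT with an explicit DROP on the internal interface.
ruleset() {
    mode=$1; ports=$2; internal=${3:-eth1}
    case $mode in
        policy-drop) policy=DROP ;;
        rule-drop)   policy=ACCEPT ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "*filter"
    echo ":INPUT $policy [0:0]"
    echo ":FORWARD $policy [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p tcp -m multiport --dports $(echo "$ports" | tr ' ' ',') -j ACCEPT"
    if [ "$mode" = rule-drop ]; then
        echo "-A INPUT -j DROP"
        echo "-A FORWARD -j DROP"
    fi
    echo "-A OUTPUT -o $internal -j DROP"
    echo "COMMIT"
}

# verdict MODE "PORTS" DPORT [flushed]
# Walks the INPUT chain of ruleset() for a NEW TCP packet arriving on eth0
# with destination port DPORT, the way the kernel does: the first matching
# rule wins, otherwise the chain policy applies. With a 4th argument
# "flushed" the rules are discarded first, which is what "iptables -F" does:
# it removes the rules but leaves the chain policies in place.
# (Toy evaluator: it only understands the match types ruleset() emits.)
verdict() {
    mode=$1; ports=$2; dport=$3; flushed=${4:-no}
    ruleset "$mode" "$ports" |
    { if [ "$flushed" = flushed ]; then grep -v '^-A '; else cat; fi; } |
    awk -v dport="$dport" '
        /^:INPUT / { policy = $2 }
        verdict == "" && /^-A INPUT / {
            if ($0 ~ /-i lo/) next                          # packet came in on eth0
            if ($0 ~ /--state ESTABLISHED,RELATED/) next    # packet is NEW
            if (match($0, /--dports [0-9,]+/)) {
                n = split(substr($0, RSTART + 9, RLENGTH - 9), p, ",")
                hit = 0
                for (i = 1; i <= n; i++) if (p[i] == dport) hit = 1
                if (!hit) next
            }
            for (i = 1; i <= NF; i++) if ($i == "-j") verdict = $(i + 1)
        }
        END { print (verdict == "" ? policy : verdict) }
    '
}

# Demo: print both rulesets and compare the verdicts they produce.
for mode in policy-drop rule-drop; do
    echo "## $mode"
    ruleset "$mode" "22 80"
    echo "port 22 -> $(verdict "$mode" "22 80" 22)," \
         "port 23 -> $(verdict "$mode" "22 80" 23)," \
         "port 23 after -F -> $(verdict "$mode" "22 80" 23 flushed)"
    echo
done
```

Both variants accept port 22 and drop port 23 for a new inbound packet. The one practical difference the simulator also shows: `iptables -F` removes rules but keeps chain policies, so in the rule-drop style a flush (for instance halfway through a reload) leaves INPUT wide open until the trailing `-j DROP` is appended again, whereas with `-P INPUT DROP` a flushed chain still drops. Either ruleset can be checked without applying it via `ruleset policy-drop "22 80" | iptables-restore --test` on a box that has iptables.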