Re: Configuration question for my first iptables setup

[Gáspár Lajos <swifty@xxxxxxxxxxx>]

Reid írta:
> I am brand new to iptables, and I want to setup a basic firewall for a dedicated web server. I'm
> accessing the server remotely, and already locked myself out once.
>
> I've come up with the configuration below, but feel like I don't know what I'm doing.  Does the
> following look reasonable? Am I overlooking anything major? Thank you for input.
>
>   
Nope.. This is NOT reasonable...
You have set the first rule in your INPUT chain to ACCEPT everything 
from anywhere... :D
The following rules will never get hit !!!

Try the "iptables -vnL" command to see it !!!

The last rule is also "useless" because your DEFAULT POLICY is DROP.

In the other hand without those two rules it seems ok... (Depending on 
what you want to achieve...) :D

Just to guide you:
1. I would enable the lo interface to ACCEPT everything...
2. Accept anything that ESTABLISHED or RELATED
3. I would group up the rules depending on the protocol...

Swifty
>   
> > iptables -L
> >     
> Chain INPUT (policy DROP)
> target     prot opt source               destination         
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK 
> ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 
> ACCEPT     all  --  anywhere             anywhere            state RELATED 
> ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535 
> ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
> ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
> ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
> ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
> ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth 
> ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000 
> DROP       tcp  --  anywhere             anywhere            tcp dpts:2049:2050 
> DROP       tcp  --  anywhere             anywhere            tcp dpts:x11:6063 
> DROP       tcp  --  anywhere             anywhere            tcp dpts:afs3-fileserver:7010 
> DROP       all  --  anywhere             anywhere            
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>   
>  
>
>
>       ____________________________________________________________________________________
> Shape Yahoo! in your own image.  Join our Network Research Panel today!   http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 
>
>
>
>
>