Re: Iptables question(s)
Hi
This is not an answer to your problems :) but might help to make
your setup slightly more secure.
On Wed, Jul 18, 2001 at 07:45:44PM -0600, Stefan Srdic wrote:
[snip]
> # Load IPTables module (s)
>
> depmod -a
> modprobe ip_tables
>
> #Clear the table, delete user defined chains, prep for a new ruleset.
>
> iptables -F
> iptables -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
[snip]
At this point your box is wide open. If your network interfaces
are up at this point, you are not blocking anything. i.e. there
is a small window of opportunity for someone to do something
nasty.
You might consider doing this sort of thing:
# Set policy to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Clear out old rules
iptables -F
iptables -X
# Each line of the script up to here closes the firewall more
# than it was before the script started running.
# At this point, fw is completely closed.
# Specify the rules you want
iptables -A blah blah blah
[...]
# Right at the end, set policy to what you really want (or leave
# this out if you want your policy to be DROP anyway.)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Hope that helps.
--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
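The ordering Michael recommends, written out as a runnable script. This is an added example, not code from the post or from either poster: the rules in fw_rules (loopback, established traffic, SSH in) are assumptions standing in for the elided "blah blah blah", and the IPT variable is a convenience for dry-running the sequence without root.

```shell
#!/bin/sh
# Added example (not from the original post): the fail-closed load order
# Michael describes, as a script. IPT names the iptables binary; the test
# points it at a logging function so the order can be checked without root.
IPT=${IPT:-iptables}

# Step 1: lock the box. Policies go to DROP *before* the flush, so no line
# of this script ever leaves a chain more open than it was a moment earlier.
fw_close() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
}

# Step 2: the rules actually wanted. These are assumed rules standing in for
# the post's "blah blah blah": loopback, replies to our own connections, and
# SSH in. Everything else still hits the DROP policies set in step 1.
fw_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Step 3: right at the end, relax only what is really wanted. INPUT and
# FORWARD keep the DROP policy from step 1; only OUTPUT is opened, and last.
fw_final_policy() {
    $IPT -P OUTPUT ACCEPT
}

fw_apply() {
    fw_close
    fw_rules
    fw_final_policy
}

# Only touch the live firewall when explicitly asked:  sh fw.sh apply
if [ "${1:-}" = apply ]; then
    fw_apply
fi
```

Modern iptables also ships iptables-restore, which loads a whole saved ruleset in one atomic commit per table; that removes the window rather than merely shrinking it, and is the usual choice for boot-time loading.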