
Re: Iptables question(s)



Michael Wood wrote:

> Hi
>
> This is not an answer to your problems :) but might help to make
> your setup slightly more secure.
>
> On Wed, Jul 18, 2001 at 07:45:44PM -0600, Stefan Srdic wrote:
> [snip]
> > # Load IPTables module (s)
> >
> > depmod -a
> > modprobe ip_tables
> >
> > #Clear the table, delete user defined chains, prep for a new ruleset.
> >
> > iptables -F
> > iptables -X
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> [snip]
>
> At this point your box is wide open.  If your network interfaces
> are up at this point, you are not blocking anything.  i.e. there
> is a small window of opportunity for someone to do something
> nasty.
>
> You might consider doing this sort of thing:
>
> # Set policy to DROP
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # Clear out old rules
> iptables -F
> iptables -X
>
> # Each line of the script up to here closes the firewall more
> # than it was before the script started running.
>
> # At this point, fw is completely closed.
>
> # Specify the rules you want
> iptables -A blah blah blah
> [...]
>
> # Right at the end, set policy to what you really want (or leave
> # this out if you want your policy to be DROP anyway.)
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> Hope that helps.
>
> --
> Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
> wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
>
>

Thanks for the tip, I'll implement it and test it this weekend.

Stef
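The fail-closed ordering Michael describes, written out as a complete bring-up script. This is an added example, not code from either message in the thread: the specific allow rules (loopback, established connections, SSH on tcp/22, ping), the `fail_closed` checker and the `IPT` dry-run hook are assumptions of the example, not anything the posters ran. The checker encodes the invariant the message states in prose: every command up to the rule section must leave the box at least as closed as before, so all three policies go to DROP first, then the flush, then the rules, and an ACCEPT policy, if any, comes last.

```shell
#!/bin/sh
# Fail-closed iptables bring-up (added example, not from the thread).
# Assumptions: ports/rules below are illustrative; set IPT="echo iptables"
# to review the exact command sequence without touching the kernel.
IPT="${IPT:-iptables}"

# Ruleset in fail-closed order: DROP policies first, then flush, then rules.
# Each line is the argument list of one iptables invocation.
fw_commands() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
-X
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# The ordering from the original script (flush, ACCEPT policies, then
# rules): between "-P ... ACCEPT" and the first "-A" the box is wide open.
# Kept here only so the checker can be seen rejecting it.
open_window_commands() {
    cat <<'EOF'
-F
-X
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Read a command list on stdin and return 0 only if it is fail-closed:
#  - the first three commands set INPUT, FORWARD and OUTPUT to DROP;
#  - no "-P ... ACCEPT" appears before the last "-A" rule.
fail_closed() {
    awk '
        BEGIN { n = 0; ok = 1; first_accept = 0; last_rule = 0 }
        NF == 0 { next }
        n < 3 {
            if ($1 == "-P" && $3 == "DROP") chains[$2] = 1; else ok = 0
            n++; next
        }
        $1 == "-P" && $3 == "ACCEPT" && !first_accept { first_accept = NR }
        $1 == "-A" { last_rule = NR }
        END {
            if (!(("INPUT" in chains) && ("FORWARD" in chains) && ("OUTPUT" in chains))) ok = 0
            if (first_accept && first_accept < last_rule) ok = 0
            exit (ok ? 0 : 1)
        }
    '
}

# Apply the ruleset (needs root unless IPT is a dry-run command). Refuses
# to start if the command list would open a window during load.
fw_apply() {
    if ! fw_commands | fail_closed; then
        echo "ruleset is not fail-closed; refusing to apply" >&2
        return 1
    fi
    fw_commands | while IFS= read -r args; do
        [ -n "$args" ] || continue
        # Word-splitting on $args is intended: each line is one argv.
        $IPT $args || exit 1   # exit leaves the loop subshell; pipeline status becomes 1
    done
}

case "${1:-}" in
    apply) fw_apply ;;                                        # ./fw.sh apply
    check) fw_commands | fail_closed && echo "fail-closed: ok" ;;  # ./fw.sh check
esac
```

Run it as `IPT="echo iptables" sh fw.sh apply` to see the sequence before letting it near a live box. Note that even this order has a few hundred milliseconds during which only the loopback and established-connection rules are in place; if that matters, `iptables-restore` loads a whole table in one commit and removes the window entirely.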
