Re: Ports to block?

On Friday 06 April 2001 00:09, Cherubini Enrico wrote:
> Ciao,
>  Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> > It is most secure to block everything and only open the ports that are
> > absolutely necessary.
> ok, this is clear. What's the way you ppl do that through
> ipchains/iptables? Is it better to use the ACCEPT policy and then DENY all
> or use the DENY policy and ACCEPT only the ports needed? I use the first
> 'cause so I can log all packets that are denied...
> # Start
> ipchains -P input ACCEPT
> ....
> ipchains -A input -j DENY -l
> # End

First DENY everything,

/sbin/ipchains -P input DENY
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward DENY

then you say what to accept, like

/sbin/ipchains -A input  -i eth0 -p tcp --source-port 1024:65535 -d 
/sbin/ipchains -A output -i eth0 -p tcp ! -y -s $IPADDRESS 80 \
    --destination-port 1024:65535 -j ACCEPT

This way your machine can only have connections that are accepted by 
ipchains. Think about it: if you only define DENY rules and you forget one... 
And second, it's easier to define the things to accept than the things to deny.


"How should I know if it works? That's what beta testers are for. I only 
coded it."
    -- Linus Torvalds
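To make the point of the two replies concrete, here is an added example (not from the thread, and not ipchains itself) that models first-match chain evaluation in a toy filter. It assumes simplified rule matching on protocol, ports and the SYN flag, and a constructed admin who, under an ACCEPT policy, wrote DENY rules for telnet and smtp but forgot ftp.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool            # TCP SYN without ACK, what ipchains' "-y" matches

@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DENY" or "REJECT"
    proto: Optional[str] = None      # None matches any protocol
    sport: Optional[range] = None    # None matches any source port
    dport: Optional[range] = None    # None matches any destination port
    syn: Optional[bool] = None       # None ignores the flag; False is "! -y"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.syn is None or self.syn == p.syn))

def verdict(policy: str, chain: List[Rule], p: Packet) -> str:
    """First matching rule wins; with no match the chain policy applies."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

HIGH = range(1024, 65536)   # unprivileged client ports, as in the thread

# Style 1 (original poster): ACCEPT policy, DENY rules for known services.
# Constructed admin: DENY rules for telnet (23) and smtp (25), ftp (21) forgotten.
INPUT_BLOCKLIST = [Rule("DENY", "tcp", dport=range(23, 24)),
                   Rule("DENY", "tcp", dport=range(25, 26))]

# Style 2 (the reply): DENY policy on input, REJECT on output, then ACCEPT
# only the web server: inbound to port 80, and outbound from port 80 only when
# it is not a SYN (the "! -y" rule), so the host cannot open connections itself.
INPUT_ALLOWLIST = [Rule("ACCEPT", "tcp", sport=HIGH, dport=range(80, 81))]
OUTPUT_ALLOWLIST = [Rule("ACCEPT", "tcp", sport=range(80, 81), dport=HIGH, syn=False)]

def forgotten_port_reachable(policy: str, chain: List[Rule], port: int = 21) -> bool:
    """Is a port nobody wrote a rule for reachable from outside?"""
    return verdict(policy, chain, Packet("tcp", 40000, port, True)) == "ACCEPT"
```

Under the ACCEPT policy the forgotten port is open to the world; under the DENY policy a forgotten rule only breaks a service, which is the asymmetry the reply is pointing at.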

