Re: IPTables configuration.

[Martin Rusko <rusko@sunsite.mine.nu>]

Hello,
maybe stupid question, but what role of this host, with a such iptables 
configuration it is? It is a host firewalling a network behind, or it is 
a standalone machine in Internet?

Also maybe "-v" commandline option could be helpfull. Just first rule, 
as we can see here:
<snip>
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             127.0.0.0/8
</snip>
will successfuly block all tcp traffic to local loopback (lo device), 
also from your own machine. Are you sure, you want/need this? ;-)

But with "-v" option we will see, that rules are binded to some network 
devices. So if your rule will be like this:
<snip>
target     prot opt source     in       out          destination
DROP       tcp  --  anywhere   eth0     -            127.0.0.0/8
</snip>
it will mean, that anyone, who will be sending packets to you from 
external network with destination address of loopback device will be 
stopped by your firewall. And your service (squid in default 
installation, for example), trusting to local machine won't be 
compromised. ;-)

So try:
# iptables -n -v -L -t filter
# iptables -n -v -L -t nat

I hope, this help.

           mARTin

Tore Nilsson wrote:
> Hello!
>
> Can someone review my iptables configuration and give suggestions?
> Btw. if I'd want to block someone completely using this configuration
> should I put them in "Parole" by using this command:
>
> iptables -A PAROLE -s [ip-number] -j DROP
>
> //Tore Nilsson
>
> here's my configuration. btw, it was made with Bastille:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> DROP       tcp  --  anywhere             127.0.0.0/8
> ACCEPT     all  --  anywhere             anywhere           state
> RELATED,ESTABLISHED

....