
Re: iptables blocking rules

Hello David,

On Tue, 2004-01-13 at 23:24, David wrote:

[...]

> Actually, the whole ruleset from firestarter seems a bit complex for my
> setup.  Wouldn't it be pretty sufficient for a single-system setup to
> have something basically like this:
> 
> set policy for INPUT & FORWARD to DROP ( leave OUTPUT to ACCEPT?)
> set INPUT ESTABLISHED,RELATED to ACCEPT
> < add some logging facilities >
> < allow some icmp requests, maybe? >

It is considered "good behavior" to at least allow ICMP pings.
Normally one can do a -p ICMP -j ACCEPT.

> Wouldn't that pretty well take care of it?

For simple setups this indeed is enough since no unrequested
(unrelated, unestablished) connections can be made from the outside.

Setting FORWARD to DROP is kinda overkill IMO since INPUT is already
blocking everything. No need to add special rules there.

Just make sure that you include the device you want to filter
(i.e. -i eth0 for cable or -i ppp0 for dialup/DSL). This will make sure
that legitimate connections from your LAN (and of course lo) will be
allowed.

You can test your firewall on these sites:

https://grc.com/x/ne.dll?bh0bkyd2
http://www.dslreports.com/scan

HTH
-- 

Matthias Hentges 
Cologne / Germany

[www.hentges.net] -> PGP welcome, HTML tolerated
ICQ: 97 26 97 4   -> No files, no URL's

My OS: Debian Woody. Geek by Nature, Linux by Choice
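The single-host ruleset sketched in this exchange (DROP policy on INPUT, accept ESTABLISHED,RELATED, allow pings, log the rest, and scope the blocking to the external device) as an added example that is not part of the original thread. The script only prints the iptables commands so they can be reviewed; `--apply` pipes them into a shell and needs root. The interface name and the log prefix are assumptions; `eth0` is just the default from the message above.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal iptables ruleset for a
# single machine with one untrusted interface (eth0 for cable, ppp0 for
# dialup/DSL). Rules are printed, not executed, unless --apply is given.

# Print one iptables command line.
rule() {
    printf 'iptables %s\n' "$*"
}

# Emit the whole ruleset for the given external interface.
# Usage: build_ruleset <wan-interface>
build_ruleset() {
    wan="$1"

    # Start from a clean INPUT chain and set the default policies.
    rule -F INPUT
    rule -P INPUT DROP
    # Nothing is forwarded on a single host; the reply above calls this
    # overkill, but it is harmless, so it is kept as David proposed.
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback is always fine.
    rule -A INPUT -i lo -j ACCEPT

    # Replies to connections we opened ourselves, plus related traffic
    # such as ICMP errors and FTP data channels.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # "Good behaviour": answer pings. Only echo-request is needed here,
    # since echo-reply to our own pings is already ESTABLISHED.
    rule -A INPUT -i "$wan" -p icmp --icmp-type echo-request -j ACCEPT

    # Anything that did not arrive on the external device (LAN side)
    # is trusted, as the message above recommends.
    rule -A INPUT ! -i "$wan" -j ACCEPT

    # Log what is about to be dropped, rate-limited so a scan cannot
    # flood the syslog. Prefix "INPUT-DROP: " is an assumption.
    rule -A INPUT -i "$wan" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix '"INPUT-DROP: "' --log-level 4

    # Explicit final drop on the external device (the policy would do
    # this too, but it keeps the counters visible in iptables -L -v).
    rule -A INPUT -i "$wan" -j DROP
}

# Count the rules a ruleset would install (excluding -F/-P lines).
rule_count() {
    build_ruleset "$1" | grep -c -- ' -A '
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        shift
        build_ruleset "${1:-eth0}" | sh
    else
        build_ruleset "${1:-eth0}"
    fi
}

main "$@"
```

Review the output with `sh firewall.sh ppp0`, load it with `sudo sh firewall.sh --apply ppp0`, then check the counters with `iptables -L INPUT -v -n` while running one of the scan sites mentioned above: hits on the LOG and DROP lines show the ruleset is doing its job, and the LAN and loopback traffic should never reach them.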
