Re: iptables and networking
Hello,
Pol Hallen wrote:
>
> This is my full iptables config:
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
OK.
> iptables -P OUTPUT ACCEPT
Should be DROP as well.
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
OK.
> iptables -A INPUT -f -j DROP
Useless. IPv4 connection tracking (needed by the 'state' match)
reassembles packets so iptables won't see any fragments.
> iptables -A INPUT -m state --state INVALID -j DROP
Useless if policy is already DROP and further rules accept only state
NEW, ESTABLISHED or RELATED.
> iptables -A OUTPUT -f -j DROP
See above.
> iptables -A OUTPUT -m state --state INVALID -j DROP
See above.
> iptables -A INPUT -i lo -j ACCEPT
OK.
> iptables -A OUTPUT -o lo -j ACCEPT
Useless if policy is left to ACCEPT.
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
OK.
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Useless if policy is left to ACCEPT.
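The ruleset the reply is steering towards, written out as an added example (this is not Pol Hallen's script nor anything from the reply; it just applies the reply's points: OUTPUT policy DROP, the loopback and state rules kept, and the fragment and INVALID rules dropped because a DROP policy already catches whatever the state rules do not accept). It assumes a plain IPv4 host with the `state` match available and is meant to be run as root; setting `IPT="echo iptables"` prints the commands instead of applying them, which is how `rules_text` below is used for review.

```shell
#!/bin/sh
# Added example: minimal stateful IPv4 host firewall following the reply's
# recommendations. Not the original poster's configuration.
# IPT defaults to the real binary; override with IPT="echo iptables" to
# only print the rules that would be applied.
IPT="${IPT:-iptables}"

apply_rules() {
    # Start from a clean slate so re-running the script is idempotent
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X

    # Default-deny on all three built-in chains, OUTPUT included
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # With OUTPUT now DROP, loopback has to be accepted in both directions
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Inbound: only replies and related traffic for connections we track
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound: this host may open new connections; tracked traffic passes
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # INVALID packets and fragments fall through to the DROP policy, so the
    # explicit "-m state --state INVALID" and "-f" rules are not needed.
}

# Render the ruleset as text (one iptables command per line) without
# touching the kernel; used for review and in the test below.
rules_text() {
    ( IPT="echo iptables"; apply_rules )
}

# Apply for real when executed directly as root; print otherwise.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    rules_text
fi
```

Run it without arguments to see the eleven commands it would issue, then with `--apply` as root once you are happy with them. If you later want per-service inbound access, add `-A INPUT -m state --state NEW` rules for those ports between the loopback rule and the ESTABLISHED,RELATED rule; everything else still ends at the DROP policy.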