iptables

Stuart Jansen sjansen at buscaluz.org
Thu Oct 21 06:35:16 MDT 2010


On Thu, 2010-10-21 at 02:27 -0600, Wade Preston Shearer wrote:
> I'm not sure why there are duplicate lines there and I don't remember
> if I wrote it by hand or used a script when I put it together several
> years ago. Should the duplicate lines be removed?

Yeah, delete the repeats.

For clarity, I prefer icmp-type as names instead of numbers.

As long as you're already using one stateful rule, might as well make
the others stateful too. In other words replace:
-A INPUT -p tcp -m tcp --dport X -j ACCEPT
with
-A INPUT -p tcp -m state --state NEW -m tcp --dport X -j ACCEPT

I prefer to use REJECT with DROP as a backup in case of failure.

Order matters; your rules can be made a little more efficient by
rearranging them.

Here's what I would do based on your current rules:

*filter
:INPUT DROP [1783:108550]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [133532:10424922]
# loopback first, then ICMP (rate-limited pings), then existing connections
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new inbound TCP connections, all stateful
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7979 -j ACCEPT
# REJECT explicitly; the chain's DROP policy is the fallback
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
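As an added example that is not part of the thread above, here is a small POSIX shell lint for an iptables-restore file covering the two points raised in the reply: exact-duplicate rule lines, and TCP port ACCEPT rules that are not stateful (lack `-m state --state NEW`). The sample rule set is constructed inline and the file name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Lints an iptables-restore file for duplicated "-A" lines and for
# TCP port ACCEPT rules that are not stateful.

# dedupe_rules FILE: print FILE with exact-duplicate "-A" lines removed,
# keeping the first occurrence so rule order is preserved.
dedupe_rules() {
    awk '/^-A/ { if (seen[$0]++) next } { print }' "$1"
}

# nonstateful_tcp FILE: print every INPUT rule that accepts a TCP port
# but does not restrict itself to NEW connections.
nonstateful_tcp() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | grep -v -- '--state NEW' || true
}

# make_sample FILE: write a constructed rule set containing one duplicate
# line and three non-stateful TCP ACCEPT rules (25 twice, 443 once).
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone usage: lint a constructed file (hypothetical path).
if [ "${LINT_DEMO:-0}" = "1" ]; then
    f=$(mktemp)
    make_sample "$f"
    echo "== deduplicated rule set =="
    dedupe_rules "$f"
    echo "== non-stateful TCP ACCEPT rules =="
    nonstateful_tcp "$f"
    rm -f "$f"
fi
```

Run it with `LINT_DEMO=1 sh lint.sh` to see both reports; for a real rule set, feed the output of `iptables-save` into the two functions and review the flagged lines before loading the file back with `iptables-restore`.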
