Wade Preston Shearer wadeshearer.lists at me.com
Thu Oct 21 07:45:47 MDT 2010

On 21 Oct 2010, at 6:35, Stuart Jansen wrote:

> Yeah, delete the repeats.
> For clarity, I prefer icmp-type as names instead of numbers.
> As long as you're already using one stateful rule, might as well make
> the others stateful too. In other words replace:
> -A INPUT -p tcp -m tcp --dport X -j ACCEPT
> with
> -A INPUT -p tcp -m state --state NEW -m tcp --dport X -j ACCEPT
> I prefer to use REJECT with DROP as a backup in case of failure.
> Order matters, your rules can be made a little more efficient by
> rearranging them.
> Here's what I would do based on your current rules:
> *filter
> :INPUT DROP [1783:108550]
> :OUTPUT ACCEPT [133532:10424922]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 7979 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited 

Thank you, Stuart; that looks much better. I can almost read that now.

I dropped it in and tried to restart iptables but received an error:

Applying iptables firewall rules: iptables-restore v1.3.5: Bad state `-m'
Error occurred at line: 9

That's the first line with a port number. 
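
The "Bad state `-m'" message comes from `--state` having no state list in those rules, so iptables-restore reads the following `-m` as the state name. As an added example that is not part of the thread, here is a small Python lint that walks an iptables-restore file, reports such lines with the same 1-based line numbering iptables-restore uses, and inserts the intended state (NEW); the sample ruleset below is constructed for the demonstration.

```python
"""Lint iptables-restore rule files for a bare `-m state --state`.
Constructed example; not from the PLUG thread or any iptables tool."""
import shlex

# State names accepted by the legacy `state` match.
VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}

# Constructed sample: line 8 reproduces the mistake from the thread.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def check_state_args(line):
    """Return an error message for one rule line, or None if it is fine."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok != "--state":
            continue
        if i + 1 >= len(tokens):
            return "--state is missing its argument"
        arg = tokens[i + 1]
        if arg.startswith("-"):          # next option swallowed as the state
            return f"Bad state `{arg}'"
        bad = [s for s in arg.split(",") if s.upper() not in VALID_STATES]
        if bad:
            return f"Bad state `{bad[0]}'"
    return None

def lint_ruleset(text):
    """Return [(line_number, message)] over the whole file, comments and
    table headers counted, as iptables-restore reports 'Error occurred at line: N'."""
    errors = []
    for n, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if rule.startswith("-A"):
            msg = check_state_args(rule)
            if msg:
                errors.append((n, msg))
    return errors

def fix_missing_state(line, state="NEW"):
    """Insert `state` after a `--state` that has no argument; other lines unchanged."""
    tokens = shlex.split(line)
    out = []
    for i, tok in enumerate(tokens):
        out.append(tok)
        if tok == "--state" and (i + 1 >= len(tokens) or tokens[i + 1].startswith("-")):
            out.append(state)
    return " ".join(out)
```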
