[Iptables] DROP or ACCEPT table ?

Support for security such as Firewalls and securing Linux
foobar47
Posts: 16
Joined: 2005/06/22 10:44:35

[Iptables] DROP or ACCEPT table ?

Post by foobar47 » 2005/06/22 11:24:13

Hi everybody,

First, sorry for my poor English.

I'm a newbie and am trying to understand how iptables works. Of course, I have already read a lot of articles about this, but I have a question and a problem about iptables' table policies.

For me, you DROP all and ACCEPT what you want:

Chain INPUT (policy DROP)
Chain FORWARD(policy DROP)
Chain OUTPUT (policy DROP)

but when I do it like this, I lose the ssh connection and yum can't update...

Here is my OUTPUT configuration:

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.0.1          tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http      <--
ACCEPT     tcp  --  anywhere             192.168.0.1          tcp dpt:22
ACCEPT     icmp --  anywhere             anywhere             icmp any

Port 80 is open, like the ssh port!!! :-?

If I set the policy to ACCEPT, it works better... but do I have to add one more rule, something like:
DROP       all  --  anywhere             anywhere
at the end, to be secure?

Any suggestions are greatly appreciated...

:-)

foobar.

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: [Iptables] DROP or ACCEPT table ?

Post by ixeous » 2005/07/18 04:13:05

If I understand your post properly, you are filtering outbound traffic and not inbound traffic. Further, you tell it to drop outbound traffic, but the first rule allows all traffic from anywhere to anywhere, which defeats the purpose of the DROP policy. Try setting up your rules as follows:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             (on interface lo; "iptables -L" without -v does not show the interface)
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


I'm actually using an older version of iptables, but everything should be similar at worst. What these rules effectively do is

1) allow your PC to contact your PC for various services
2) allow connections initiated by your PC to be returned (this is the purpose of the "state RELATED,ESTABLISHED" portion)
3) allow connections from outside to be made to your local machine on the ports you choose (ssh for example)
4) prevent all forwarding. Unless you're using the machine as a gateway, you don't want that
5) allow your computer to initiate any outbound traffic.

A good tutorial for iptables is at http://iptables-tutorial.frozentux.net/iptables-tutorial.html
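As an added example, not code from either poster, here is the ruleset the reply above recommends written as an iptables-restore file and generated by a small POSIX shell script. The script also lints a ruleset for the mistake in the original post (an unconditional ACCEPT at the top of a chain whose policy is DROP: iptables stops at the first matching rule, so that rule accepts everything and the policy is never consulted) and shows, beyond what the reply covers, a strict variant that keeps the OUTPUT policy at DROP but adds the outbound rules that choice requires (loopback, RELATED,ESTABLISHED and DNS), without which ssh and yum fail exactly as described in the question. The port numbers, the 192.168.0.1 host, the function names and the strict/permissive switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum posts.  Generates the INPUT-DROP /
# OUTPUT-ACCEPT ruleset recommended in the reply above in iptables-restore
# format, lints it for the mistake in the original post, and loads it.
# Assumptions (illustrative, not from the page): ssh on tcp/22, the mail/ssh
# host 192.168.0.1 used in the strict variant, and the strict/permissive switch.

gen_rules() {
    # $1: "strict" to also filter outbound traffic; anything else leaves the
    # OUTPUT policy at ACCEPT as the reply recommends.
    mode=${1:-permissive}
    if [ "$mode" = strict ]; then out_policy=DROP; else out_policy=ACCEPT; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT $out_policy [0:0]
# 1) the host may talk to itself: loopback interface only, not "all from anywhere"
-A INPUT -i lo -j ACCEPT
# 2) replies to connections this host initiated (this keeps your ssh session alive)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3) services deliberately exposed: ssh; add one -A INPUT line per service
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    if [ "$mode" = strict ]; then
        # With OUTPUT at DROP the same two rules are needed outbound, plus DNS,
        # or yum, ssh and everything else silently fail as in the original post.
        cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 192.168.0.1 -p tcp --dport 25 -j ACCEPT
-A OUTPUT -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
EOF
    fi
    echo COMMIT
}

op_output_chain() {
    # The OUTPUT chain from the original post, transcribed into restore format.
    # The first rule matches every packet, so the four rules after it and the
    # DROP policy never see any traffic.
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -j ACCEPT
-A OUTPUT -d 192.168.0.1 -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

check_rules() {
    # Reads a ruleset on stdin.  Fails if a chain whose policy is DROP contains
    # an unconditional "-A <chain> -j ACCEPT": iptables stops at the first match,
    # so that rule accepts everything and the DROP policy is never reached.
    drop_chains=" "
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ":"*" DROP "*)
                chain=${line#:}
                chain=${chain%% *}
                drop_chains="$drop_chains$chain " ;;
            "-A "*" -j ACCEPT")
                chain=${line#"-A "}
                chain=${chain%% *}
                if [ "$line" = "-A $chain -j ACCEPT" ]; then
                    case "$drop_chains" in
                        *" $chain "*)
                            echo "unconditional ACCEPT in DROP-policy chain $chain" >&2
                            rc=1 ;;
                    esac
                fi ;;
        esac
    done
    return $rc
}

apply_rules() {
    # Loads the generated ruleset atomically; needs root.  iptables-restore swaps
    # the whole table in one step, so there is never a moment where INPUT is DROP
    # but the RELATED,ESTABLISHED rule is missing (the usual way to lose ssh).
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    gen_rules "$1" | check_rules || return 1
    gen_rules "$1" | iptables-restore
}

# usage: sh firewall.sh show [strict]   or   sh firewall.sh apply [strict]
case "${1:-}" in
    show)  gen_rules "${2:-permissive}" ;;
    apply) apply_rules "${2:-permissive}" ;;
esac
```

Run `sh firewall.sh show` first and read the output before `apply`; keep a console or out-of-band session open the first time you load a DROP policy over ssh. On CentOS, `service iptables save` writes the live ruleset to /etc/sysconfig/iptables so it survives a reboot. The `-m state` match used here is what the thread's iptables version had; current releases still accept it as an alias for `-m conntrack --ctstate`.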

foobar47
Posts: 16
Joined: 2005/06/22 10:44:35

Re: [Iptables] DROP or ACCEPT table ?

Post by foobar47 » 2005/08/05 09:37:27

I really thank you!
Nice link!
That's what I need!! ;)
Thx


Return to “CentOS 4 - Security Support”