Old 02-06-2014, 10:11 PM   #1
byran cheung
Best iptables policy


I would like to set up an iptables policy. The requirement is to accept all service input from 192.168.2.2/24 only and drop all incoming packets from other IP addresses. Would you advise whether the below is the best policy or not? If not, what is the best one? Thanks

Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
 
Old 02-07-2014, 06:59 AM   #2
Ser Olmy
Quote:
Originally Posted by byran cheung
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing ESTABLISHED and RELATED traffic from all sources means the system itself can communicate with all other hosts. Having a rule like this makes sense in just about any setup, unless one wants to limit/block the host's ability to initiate communications with certain other hosts.
Quote:
Originally Posted by byran cheung
iptables -A INPUT -s 192.168.2.2/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
This rule allows NEW, ESTABLISHED and RELATED traffic from what appears to be an invalid network address. Also, ESTABLISHED and RELATED traffic has already been allowed by the first rule, so those matches are redundant and should be removed.
Quote:
Originally Posted by byran cheung
iptables -P INPUT DROP
The policy is the catch-all rule for traffic not matching any other rules, and a DROP policy is a good idea in most scenarios. However, as you don't have a rule for internal traffic to the loopback interface, this policy could cause communication problems for internal processes. You should add a rule allowing all traffic to "-i lo".

Here's my suggestion for a revised version of the ruleset:
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
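Added example, not from the thread: a small Python model of first-match INPUT chain evaluation that compares the original chain (without the loopback rule) against the revised one above, so the effect of the missing "-i lo" rule and of the DROP policy can be checked offline. The Rule/verdict names, the interface names and the sample packets are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    """One INPUT rule: -i, -s and -m state --state matches plus the -j target."""
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, iface: str, src_ip: str, state: str) -> bool:
        if self.in_iface is not None and self.in_iface != iface:
            return False
        # strict parsing rejects "192.168.2.2/24" (host bits set), so the network form is used
        if self.src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.states is not None and state not in self.states:
            return False
        return True

def valid_network(cidr: str) -> bool:
    """True when cidr is written as a network address with no host bits set."""
    try:
        ipaddress.ip_network(cidr)
        return True
    except ValueError:
        return False

def verdict(chain, policy, iface, src_ip, state):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(iface, src_ip, state):
            return rule.target
    return policy

EST = frozenset({"ESTABLISHED", "RELATED"})
# Original post's chain without the loopback rule (source written here as the /24 network)
ORIGINAL = [Rule("ACCEPT", states=EST),
            Rule("ACCEPT", src="192.168.2.0/24", states=EST | {"NEW"})]
# Reply's revised chain: loopback first, then conntrack, then NEW from the LAN only
REVISED = [Rule("ACCEPT", in_iface="lo"),
           Rule("ACCEPT", states=EST),
           Rule("ACCEPT", src="192.168.2.0/24", states=frozenset({"NEW"}))]
POLICY = "DROP"

if __name__ == "__main__":  # constructed sample packets: (interface, source IP, conntrack state)
    for pkt in [("lo", "127.0.0.1", "NEW"), ("eth0", "192.168.2.5", "NEW"), ("eth0", "10.0.0.1", "NEW")]:
        print(pkt, "original:", verdict(ORIGINAL, POLICY, *pkt), "revised:", verdict(REVISED, POLICY, *pkt))
```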