General iptables rules questions
I created a custom chain called LOGDROP which will log and drop packets. So I did the following, which gives an error of "iptables: Bad policy name". Can I not use the name of my custom chain there?
Code:
iptables -P INPUT LOGDROP
iptables -P FORWARD LOGDROP
iptables -P OUTPUT LOGDROP
One of the articles I read suggested doing the following to allow full loopback access. Could anyone explain exactly what the following would allow me to do (like examples of commands or operations that would fail if I haven't enabled the following iptables rules in a setup where the default of everything is DROP)?
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
In a device where there is only 1 Ethernet interface (i.e. eth0), is it best practice to put '-i eth0' in every rule or not? The advantage I can think of is increased security...? (Such as maybe if your host adds/enables another interface without you being aware of it.) How big of a disadvantage would the performance be, as iptables would need to match each packet against coming from or going to eth0? In a production server environment where there is only eth0, what's your take on adding '-i eth0' to every rule?
At http://www.thegeekstuff.com/2011/06/...ules-examples/ there are rules for allowing rsync from a given network. However, wouldn't rsync work whenever SSH is allowed by iptables? Unless I've made some mistake in my configuration, I found that rsync works even when the following isn't included, but rather when SSH is allowed...
Code:
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
Code:
-A INPUT -i lo -j LOG --log-prefix "IN_lo "
Code:
-A INPUT -i lo -j ACCEPT