LinuxQuestions.org
Old 12-12-2004, 09:06 PM   #1
TastyWheat
Member
Registered: Aug 2003
Location: Texas
Distribution: Knoppix 5.0.1, Fedora Core 5
Posts: 66
Easy Way to Lock Internet Access


As of now, if I want to lock down my PC (i.e. stop all network traffic) I turn off my ethernet and loopback devices. This is a problem because getting them up in the first place is usually a pain in the ass.

What is an easy way to effectively stop all network traffic without actually turning off my network connections?
Old 12-12-2004, 11:06 PM   #2
jlangelier
Member
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95
I'm not sure, but this is how I would attempt it.

I have a 'firewall' script which has my IPCHAINS rules. Near the top of the script, it flushes all the rules, then installs all the rules in the script.

If I had to do what you wanted to do, I would write another IPCHAINS script which would deny everything, outgoing and incoming.
Old 12-13-2004, 12:02 AM   #3
TastyWheat
Member
Registered: Aug 2003
Location: Texas
Distribution: Knoppix 5.0.1, Fedora Core 5
Posts: 66
Original Poster
Thanks for the suggestion. From what I can tell I managed to cut off all network traffic with these commands. From what I can tell either command does pretty much the same thing. Someone correct me if I'm wrong.
Code:
> iptables -I INPUT -j DROP
> iptables -I INPUT -j REJECT
These have to be at the top of the list. Hence the '-I' switch. Apparently the rules are processed from the bottom up. To get rid of the top line the command is:
Code:
> iptables -D INPUT
That removes the rule at the top. So if you're going to write a script to do this it's probably not a good idea to use that command. It might remove something important. From what I read though, if you restart all of the old rules will come back because they're built into the kernel.

A follow up question though. I noticed that I'm unable to ping my machine, probably due to one of the rules. I'd like to have that available because my machine is a server and I'd like to know when it's up and when it's not. Is there some kind of gaping security hole related to ICMP that I'm not aware of?
Old 12-13-2004, 06:21 AM   #4
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally posted by TastyWheat
From what I can tell either command does pretty much the same thing. Someone correct me if I'm wrong.
Code:
> iptables -I INPUT -j DROP
> iptables -I INPUT -j REJECT

These will both work; the DROP target is going to cause connection attempts to hang until the full protocol timeout is reached, while with REJECT you'll get an instant connection refused response. Also keep in mind that you'll be blocking local traffic on the box, so things like sendmail and Xwindows may act broken when you use either of those rules. If that is undesirable, then just specify the external interfaces that you'd like to block traffic on, or just use:
Code:
iptables -I INPUT -i ! lo -j DROP

Quote:
These have to be at the top of the list. Hence the '-I' switch. Apparently the rules are processed from the bottom up.

Actually it's from the top down, so if you added that rule it would be inserted at the top of the chain and would be the very first rule in that chain processed. Keep in mind that -A and -I do opposite things, so to get an idea of the order that your rules are processed, take a look at the output of iptables -vnL.

Quote:
To get rid of the top line the command is:
Code:
> iptables -D INPUT
That removes the rule at the top. So if you're going to write a script to do this it's probably not a good idea to use that command. It might remove something important.

A much better way is to just delete that rule specifically. With iptables if you use "iptables -D INPUT" it will blindly delete the very first rule, but if you specify that exact rule that you want to delete then you don't need to know where it is in the firewall:
Code:
iptables -D INPUT -j DROP

Quote:
I noticed that I'm unable to ping my machine, probably due to one of the rules.

Yes, your rule is blocking all incoming traffic regardless of protocol, so ping won't work. You can either add a rule allowing icmp, or just customize your drop rule to block everything but icmp. Like so:
Code:
iptables -I INPUT -i ! lo -p ! icmp -j DROP

That is a little bit of an ugly hack though (you're allowing all kinds of icmp types). A better solution would be to just use two scripts, one with your normal firewall rules and one with your blocking rules. Then you can run each script as needed and can make your blocking solution a little more flexible. Make sure to put rules flushing all chains at the top of each script otherwise rules from one script will be piled onto rules from the other. If you wanted to completely block the flow of traffic, then I'd probably recommend a script that just takes the interfaces down completely and then brings them back up as needed (like the service network stop command or ifdown script), but since you want ping then that wouldn't work here.
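A lock/unlock script along the lines Capt_Caveman describes: flush first, keep loopback open, let in only ICMP echo-request so the box still answers ping (instead of every ICMP type), and remove the blocking rules by exact match rather than "iptables -D INPUT". This is an added example, not code from the thread; the DRY_RUN switch and the script name are my own conventions, and it needs root to actually apply the rules.

```shell
#!/bin/sh
# lockdown.sh (added example): block all traffic on real interfaces but
# keep answering ping. DRY_RUN=1 prints the iptables commands instead of
# running them, so the rule set can be reviewed without root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Flush every chain first so rules from the normal firewall script are not
# piled on top of the blocking rules (or the other way round).
flush_all() {
    run -F
    run -X
}

# Loopback stays open so local services (sendmail, X) keep working; only
# ICMP echo-request is let in, so the host still answers ping without
# opening every ICMP type; everything else is dropped, in both directions.
lockdown() {
    flush_all
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -A INPUT -j DROP
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    run -A OUTPUT -j DROP
}

# Remove the lockdown by deleting each rule exactly as it was added, rather
# than "iptables -D INPUT", which blindly removes whatever rule is first.
unlock() {
    run -D INPUT -j DROP
    run -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -D INPUT -i lo -j ACCEPT
    run -D OUTPUT -j DROP
    run -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    run -D OUTPUT -o lo -j ACCEPT
}

# Usage: sh lockdown.sh lock | unlock   (no argument: define functions only)
case "${1:-}" in
    lock) lockdown ;;
    unlock) unlock ;;
esac
```

After "unlock", re-run the normal firewall script to put its rules back; "DRY_RUN=1 sh lockdown.sh lock" shows exactly what would be applied.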