iptables good practice - 2 questions
1) I've just read in another thread that an iptables script should not be in root's home directory. It should be in /etc. Why is that? What's wrong with the iptables script being in the /root directory?
2) iptables scripts should be run before any network interface comes up. How can I set the rules based on a source or destination address associated with a domain? (ex: iptables -A OUTPUT -d www.yahoo.com -p tcp --dport 80 -j DROP).
I could use the IP instead of the domain name, but what can I do when I use dyndns and I always have a domain name which points to the IP which changes every day? If the network interface is down iptables can't make the DNS request for that domain.
1) I don't really see a problem with this, other than the fact I personally don't like to clutter root's home directory with system configuration files. In general /etc is the "correct" place for system configuration files to live.
2) If you want to do it by domain then the only thing I can think of is a two stage iptables script system. Stage 1 drops everything incoming except replies to outgoing requests.... then you bring up the interface... then the stage 2 script does all the specific dropping such as your www.yahoo.com rule. This will give a very small window during boot up where a user could get to www.yahoo.com, but it allows you to bring up your interfaces without having any window for external attacks. If this box is a router you could always bring up the local network routing rules in the second stage so that nobody could get through the box to the outside world until all your other rules were applied.
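The two-stage layout described above, as an added example script that is not from either poster. It assumes a host with iptables and the conntrack and comment match modules, and that DNS is reachable by the time stage 2 runs. iptables resolves a hostname only once, when the rule is inserted, so the stage 2 function tags its rule with a comment so that it can be found and replaced when the dyndns address changes (the `IPT=echo` dry run is how the rules can be inspected without applying them).

```shell
#!/bin/sh
# Two-stage firewall script (illustration, not the thread's own code).
# IPT defaults to the real iptables binary; set IPT=echo for a dry run
# that prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# Stage 1: run before any interface comes up. Default-deny inbound and
# forwarded traffic; allow only loopback and replies to connections this
# host initiated. Nothing here needs DNS, so it is safe with the link down.
stage1() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Stage 2: run after the interface (and DNS) is up, and again whenever the
# dynamic DNS name changes. iptables resolves "$name" at insertion time, so
# the rule is tagged with a comment; any earlier rule carrying the same tag
# (which holds the old IP) is deleted before the fresh one is added.
stage2() {
    name="$1"
    tag="dyn-$name"
    $IPT -S OUTPUT | grep -- "--comment $tag " | sed 's/^-A/-D/' |
    while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the saved rule is intended
        $IPT $rule
    done
    $IPT -A OUTPUT -d "$name" -p tcp --dport 80 \
         -m comment --comment "$tag" -j DROP
}

# Usage: firewall.sh stage1        (from the firewall init script, pre-network)
#        firewall.sh stage2 HOST…  (from an if-up hook or a periodic cron job)
case "${1:-}" in
    stage1) stage1 ;;
    stage2) shift; for host in "$@"; do stage2 "$host"; done ;;
esac
```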