I have a box here acting as a router. Soon (probably in 1 week) I start using it for production (meaning I'll no longer use it only for my personnal use but that someone will pay me to host his website).
So eh... I'm pretty scare about it hehehe I just want to be CERTAIN I haven't forgot something in my iptables script. It is working well right now, but... just to be sure...

The script is at this adress : My Iptables Script , take a look and tell me what you think about it, if I forgot something important, if I'm totally paranoiac or just usefull tips.

NB: This script is made to run as a rc script, so it has a start and a stop function. Start refer to stop before doing anything.

NB2: elf.servebeer.com is NOT the box where this script is used. I say it to avoid lame to having fun with my "router".

Except "acceptable" weirdness like running SSH on ports not designated for SSH usage, the only thing I'd say is drop ICMP messages other than those you need for error control: type 3's (codes 0,1,3,6,7), and traceroute: type 11.

The way you made work of rejecting may not seem OK for people bent on having a "stealthed" fw, really is well done. If you want to "see" final chain "decisions" I'd suggest adding LOG target rules before the final "verdict". That makes for good ingress/egress filtering, and if you can parse it right it shoud be a good addition having some "early warning" capabilities wrt traffic "weirdness" and troubleshooting traffic in general.

Looks good IMHO.

Thank you for your reply, unSpawn.

Your humble opinion is very important to me since you are the modrator here

just question : about this : My notes tell me that ICMP type 1 and 7 are unassigned and that 6 is ICMP redirection... Is my notes too old or.. ?

And thanx for your idea about that rules before the defaut drop

AFAIK you should read it the other way around :-] A type 3 code 1 is unreachable: host and type 3 code 7 is unreachable: dest host unknown...