Quote:
Originally Posted by byran cheung
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing ESTABLISHED and RELATED traffic from all sources means the system itself can communicate with all other hosts. Having a rule like this makes sense in just about any setup, unless one wants to limit/block the host's ability to initiate communications with certain other hosts.
Quote:
Originally Posted by byran cheung
iptables -A INPUT -s 192.168.2.2/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
This rule allows NEW, ESTABLISHED and RELATED traffic from what appears to be an invalid network address. Also, ESTABLISHED and RELATED traffic has already been allowed by the first rule, so those matches are redundant and should be removed.
Quote:
Originally Posted by byran cheung
iptables -P INPUT DROP
The policy is the catch-all rule for traffic not matching any other rules, and a DROP policy is a good idea in most scenarios. However, as you don't have a rule for internal traffic to the loopback interface, this policy could cause communication problems for internal processes. You should add a rule allowing all traffic to "-i lo".
Here's my suggestion for a revised version of the ruleset:
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP