LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page iptables help
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-06-2005, 02:58 PM   #1
cashton2k
Member
 
Registered: May 2004
Posts: 46

Rep: Reputation: 15
iptables help

i know this may be a stupid question but i need to be absolutley sure.

i log in to my firewall using ssh if i use the following commands will i block myself out?

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

cheers for any help
 
Old 12-06-2005, 03:20 PM   #2
imitheos
Member
 
Registered: May 2005
Location: Greece
Posts: 441

Rep: Reputation: 141Reputation: 141
Quote:
Originally Posted by cashton2k
i know this may be a stupid question but i need to be absolutley sure.

i log in to my firewall using ssh if i use the following commands will i block myself out?

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

cheers for any help
"-P" option sets the default policy.
So, these 3 commands set the default policy for INPUT,OUTPUT,FORWARD chains to DROP.
In other words, nothing will work.(Yes, you will block yourself out)
You need to put other rules too.

have you read the iptables manpage ? It explains a lot of things.
Also visit http://iptables-tutorial.frozentux.net
 
Old 12-06-2005, 03:22 PM   #3
dimsh
Member
 
Registered: Aug 2005
Distribution: Debian, Ubuntu, Fedora
Posts: 74

Rep: Reputation: 15
in general, the first and second rule in iptables firewall should be

Quote:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
also for the OUTPUT chain
Quote:
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
then you can specify the default policy you want (with -P) and will not block your self accessing SSH
 
Old 12-06-2005, 03:26 PM   #4
cashton2k
Member
 
Registered: May 2004
Posts: 46

Original Poster
Rep: Reputation: 15
cheers for help guys much appreciated, any idea on rules to allow RFC1918 filtering with iptables?
 
Old 12-19-2005, 06:52 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by cashton2k
any idea on rules to allow RFC1918 filtering with iptables?
something like this should get you started:
Code:
iptables -A INPUT -i $EXT_IFACE -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IFACE -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IFACE -s 10.0.0.0/8 -j DROP
(where $EXT_IFACE is your *Internet* interface...)


BTW, if you are asking about this because of packet spoofing, you should consider using the rp_filter kernel tweak, which makes the rules above kinda pointless AFAIK...

Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
http://www.google.com/linux?&q=rp_filter

just my $0.02...
Last edited by win32sux; 12-19-2005 at 07:01 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
An error occured getting IPtables status from the command /etc/rc.d/init.d/iptables s CrazyMAzeY Linux - Newbie 10 08-12-2010 05:25 AM
Iptables - Couldn't load target `ACCPET':/lib/iptables/libipt_ACCPET.so: z00t Linux - Security 3 01-26-2004 02:24 AM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 06:08 AM
iptables book wich one can you pll recomment to be an iptables expert? linuxownt Linux - General 2 06-26-2003 04:38 PM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 07:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:21 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration