On October 10, 2003 04:50 pm, Brian Horncastle wrote:
> Hi,
>
> I wrote an IPTables script.  It seems to work fine when the default
> policies are set as follows:
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> This obviously isn't the most secure way of doing things.  I would like to
> have the default policies set like this instead:
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> As soon as I do this it breaks the rest of my script and nothing works
> properly.  Could anyone enlighten me on how I can keep the default policy
> drops and keep my script functional?
>
> Also, I would really appreciate any suggestions on more elegant ways of
> doing things with IP tables.  Any suggestions would be great.
>
> Thank you very much,
>
> Brian H.

Hi Brian,

Couple of things:

- Bringing down and up all your aliases doesn't really belong in this script 
and I'm not sure it will actually do anything if they're all static address 
anyway.  Shouldn't do any harm though.

- Why are you running "/etc/init.d/iptables stop" and "/etc/init.d/iptables 
start" when you just flush the rules a few lines later (probing for modules 
maybe)?  This also shouldn't do any harm but is inefficient and you could end 
up restoring some stale rules if they contained some user defined chains.

- In almost every rule block for each IP you have a couple of rules for dns 
like the following:

iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -i -j DNAT --to 192.168.1.209

These rules are NOT unique and each subsequent rule further down the script 
will overwrite the previous one with the new --to IP.  To make these rules 
unique you need to add an argument for the destination IP (-d 60.30.135.xxx) 
to each rule.  I suspect this is the major reason your script isn't working 
as expected but haven't looked too closely to see if there are others.  It 
might be best to comment out all the rules for each host except one or two 
until you get things working right for those hosts first.  Good luck!

~Scott
