On October 10, 2003 04:50 pm, Brian Horncastle wrote:
> Hi,
>
> I wrote an IPTables script. It seems to work fine when the default
> policies are set as follows:
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> This obviously isn't the most secure way of doing things. I would like to
> have the default policies set like this instead:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> As soon as I do this it breaks the rest of my script and nothing works
> properly. Could anyone enlighten me on how I can keep the default policy
> drops and keep my script functional?
>
> Also, I would really appreciate any suggestions on more elegant ways of
> doing things with IP tables. Any suggestions would be great.
>
> Thank you very much,
>
> Brian H.
Hi Brian,

Couple of things:

- Bringing down and up all your aliases doesn't really belong in this script, and I'm not sure it will actually do anything if they're all static addresses anyway. Shouldn't do any harm though.

- Why are you running "/etc/init.d/iptables stop" and "/etc/init.d/iptables start" when you just flush the rules a few lines later (probing for modules maybe)? This also shouldn't do any harm but is inefficient, and you could end up restoring some stale rules if they contained some user-defined chains.

- In almost every rule block for each IP you have a couple of rules for DNS like the following:

    iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
    iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -i -j DNAT --to 192.168.1.209

  These rules are NOT unique, and each subsequent rule further down the script will overwrite the previous one with the new --to IP. To make these rules unique you need to add an argument for the destination IP (-d 60.30.135.xxx) to each rule. I suspect this is the major reason your script isn't working as expected, but I haven't looked too closely to see if there are others.

It might be best to comment out all the rules for each host except one or two until you get things working right for those hosts first.

Good luck!

~Scott
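The two problems raised in this thread, a default-DROP policy set that breaks everything because nothing lets loopback and return traffic through, and per-host DNAT rules that shadow each other because they lack a -d match, as an added example script. This is not Brian's script or Scott's; the interface names, the 60.30.135.x/192.168.1.x address pairs and the port-53 service are placeholders constructed for the example. IPT defaults to "echo iptables" so the generated rules can be reviewed (and checked by find_shadowed_dnat) without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses and interfaces are
# placeholders. IPT=iptables applies the rules; the default only prints them.
IPT="${IPT:-echo iptables}"

WAN_IF="eth0"             # assumed external interface
LAN_IF="eth1"             # assumed internal interface
LAN_NET="192.168.1.0/24"  # assumed internal network

# Constructed "public_ip internal_ip" pairs, one per line.
MAPPINGS="60.30.135.10 192.168.1.209
60.30.135.11 192.168.1.210"

firewall_rules() {
    # Flush everything (filter and nat tables, user chains) so a re-run
    # starts clean instead of restoring stale rules via the init script.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # With DROP policies these are the rules whose absence "breaks everything":
    # loopback for local daemons, and return traffic for connections already
    # accepted (DNS replies, ssh sessions, the firewall's own outbound traffic).
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A OUTPUT  -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Let the LAN open outbound connections through the box.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    echo "$MAPPINGS" | while read -r pub int; do
        [ -z "$pub" ] && continue
        for proto in tcp udp; do
            # -d "$pub" is what makes each DNAT rule match only its own public
            # address; without it every rule matches the same packets and the
            # first one in the chain wins for all hosts.
            $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$int"
            # After DNAT the packet still traverses FORWARD, whose policy is DROP,
            # so the translated destination needs an explicit ACCEPT as well.
            $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$int" -p "$proto" --dport 53 \
                -m state --state NEW -j ACCEPT
        done
    done
}

# Check for the shadowing bug on any list of iptables commands fed on stdin:
# DNAT rules whose match part (everything before -j) is identical differ only
# in --to, so only the first can ever fire. Prints the duplicated match parts.
find_shadowed_dnat() {
    grep -- '-j DNAT' | sed 's/ -j DNAT.*//' | sort | uniq -d
}

# Usage: IPT="echo iptables" sh thisscript.sh | find_shadowed_dnat
# prints nothing for the rules above, and prints the shared match part for a
# script that repeats "-p tcp --dport 53 -j DNAT --to X" with different X.
```

Note that the ordering matters in its own right: flushing and then setting the DROP policies before appending the ACCEPT rules leaves a brief window where the box drops everything, which is harmless locally but will cut an ssh session used to run the script remotely; loading a complete rule set with iptables-restore avoids that gap.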
