Michael Wood wrote:
> Hi
>
> This is not an answer to your problems :) but might help to make
> your setup slightly more secure.
>
> On Wed, Jul 18, 2001 at 07:45:44PM -0600, Stefan Srdic wrote:
> [snip]
> > # Load IPTables module (s)
> >
> > depmod -a
> > modprobe ip_tables
> >
> > #Clear the table, delete user defined chains, prep for a new ruleset.
> >
> > iptables -F
> > iptables -X
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> [snip]
>
> At this point your box is wide open. If your network interfaces
> are up at this point, you are not blocking anything. i.e. there
> is a small window of opportunity for someone to do something
> nasty.
>
> You might consider doing this sort of thing:
>
> # Set policy to DROP
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # Clear out old rules
> iptables -F
> iptables -X
>
> # Each line of the script up to here closes the firewall more
> # than it was before the script started running.
>
> # At this point, fw is completely closed.
>
> # Specify the rules you want
> iptables -A blah blah blah
> [...]
>
> # Right at the end, set policy to what you really want (or leave
> # this out if you want your policy to be DROP anyway.)
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> Hope that helps.
>
> --
> Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
> [EMAIL PROTECTED] | Fax: +27 21 761 9930 | Kingsley Technologies
>
Thanks for the tip, I'll implement it and test it this weekend.

Stef
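The ordering Michael describes, written out as a complete load script. This is an added example, not code from the thread: the interface name eth0 and the step 3 rules are assumed placeholders, and iptables is reached through the IPT variable so the command sequence can be checked without root by pointing IPT at a recorder.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables load script laid out in
# the order Michael describes, so that every step before the rule section
# only closes the firewall further. IPT is a variable so the sequence can
# be checked without root by pointing it at a recorder instead of iptables.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"   # external interface: constructed placeholder

load_firewall() {
    # 1. Close everything before touching the old rules. If the script
    #    dies here, the box stays closed instead of wide open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # 2. Flush old rules and delete user chains. With DROP policies already
    #    in place this only removes rules; it never widens exposure.
    $IPT -F
    $IPT -X

    # 3. Specify the rules you want (a minimal host ruleset, assumed here).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 4. Only now set the policy you really want. INPUT and FORWARD stay
    #    DROP (the "leave it out" case); OUTPUT becomes ACCEPT so local
    #    processes can talk out, which is the policy this host actually wants.
    $IPT -P OUTPUT ACCEPT
}

# Run as "./firewall.sh apply" to load the rules for real (needs root).
# Without an argument the script only defines load_firewall, so it can be
# sourced or checked.
case "${1:-}" in
    apply) load_firewall ;;
esac
```

To verify the ordering offline, set IPT to a shell function that appends its arguments to a log and then call load_firewall; the first three recorded commands must be the DROP policies and the last the final policy.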

