On November 19, 2003 02:59 pm, Tiago Lima wrote:
This script is a good idea but wouldn't it be better to block all traffic when you clear the iptables rules? From a security perspective, /all/ traffic should be stopped in the event of a security threat.
Sorry for this newbie question but what is the "best" way to start iptables
(and rules) on boot time?
Hmmm. While I can't tell you the "best" way, I can tell you what I did. I wrote a startup script with the following contents. It may not have been the best route to go, but this way I have a panic button if I need it ;-)
stop() {
        ebegin "Disabling firewall"
        # Open the default policies first, then empty and remove every chain
        # in the filter table, so the box is left with no filtering at all.
        iptables --policy INPUT ACCEPT
        iptables --policy OUTPUT ACCEPT
        iptables --policy FORWARD ACCEPT
        iptables -t filter --flush
        iptables -t filter --delete-chain
        eend $?
}
What I do in my scripts is write into the "stop" portion of the script rules to drop and log all inbound traffic and allow access to only one port (SSH) from one IP (my office network's firewall). There should also be some rate-limiting rules loaded, too, to prevent DoS attacks (including those that "flood" the syslog).
A decent script, with some explanation of the types of firewalls and how to configure Gentoo to use iptables, can be had at
http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12
This is a pretty good script--I haven't used it yet as I have my own scripts and layout (which differs from their structure). I'm also implementing some features to make these types of scripts work "out of the box".
Hope this helps.
-- [EMAIL PROTECTED] mailing list
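The two approaches in this thread side by side, as an added example that is not code from either poster or from the Gentoo documentation: firewall_open is the "panic button" that leaves the host unfiltered, and firewall_lockdown is the fail-closed "stop" ruleset described above (drop and log everything, allow SSH only from one admin network, rate-limit the log rule so a flood cannot fill syslog). The admin network 203.0.113.0/24, the SSH port and the LOGDROP chain name are constructed placeholders, and the IPTABLES variable is an assumption added so the rule set can be previewed with IPTABLES=echo before it is run as root.

```sh
#!/bin/sh
# Added example, not from the thread or from Gentoo. Needs root to apply;
# set IPTABLES=echo to print the rules instead of loading them.

IPTABLES="${IPTABLES:-iptables}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # constructed placeholder (TEST-NET-3)
SSH_PORT="${SSH_PORT:-22}"

# The "panic button" from the first reply: open every policy, then empty
# and delete all chains in the filter table. Leaves the host unfiltered.
firewall_open() {
    "$IPTABLES" --policy INPUT ACCEPT
    "$IPTABLES" --policy OUTPUT ACCEPT
    "$IPTABLES" --policy FORWARD ACCEPT
    "$IPTABLES" -t filter --flush
    "$IPTABLES" -t filter --delete-chain
}

# Fail-closed "stop" ruleset from the second reply: drop by default, log
# what is dropped (rate-limited), allow new SSH only from the admin network.
firewall_lockdown() {
    # Set DROP policies before flushing so nothing slips through while the
    # chains are being rebuilt.
    "$IPTABLES" --policy INPUT DROP
    "$IPTABLES" --policy FORWARD DROP
    "$IPTABLES" --policy OUTPUT DROP
    "$IPTABLES" -t filter --flush
    "$IPTABLES" -t filter --delete-chain

    # Loopback and already-established sessions: keeps the admin's current
    # SSH session alive and lets replies to it leave the box.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections only from the one admin network.
    "$IPTABLES" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT

    # Log-then-drop chain. The limit match caps log lines at 5/minute
    # (burst 10) so a packet flood cannot flood syslog as well.
    "$IPTABLES" -N LOGDROP
    "$IPTABLES" -A LOGDROP -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "FW-LOCKDOWN: "
    "$IPTABLES" -A LOGDROP -j DROP
    "$IPTABLES" -A INPUT -j LOGDROP
    "$IPTABLES" -A FORWARD -j LOGDROP
}

# In a Gentoo init script the stop() function would wrap firewall_lockdown
# in ebegin/eend; firewall_open stays as a separate, deliberate action.
case "${1:-}" in
    open)     firewall_open ;;
    lockdown) firewall_lockdown ;;
esac
```

Run it as `IPTABLES=echo sh firewall.sh lockdown` to review the rules, and note that the ESTABLISHED,RELATED rule is what stops the lockdown from cutting off the very SSH session that triggered it.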
