On Sun, 3 Nov 2002 [EMAIL PROTECTED] wrote:

> Hi CLUG,
>
> I added these iptables rules to my server/gateway but it makes server traffic go
> VERY slow eg. mail, POP3, SSH. When I removed them it went ok. The idea of the
> following rules is to allow incoming SMTP and HTTP server traffic but block every
> other incoming connection.
>
I am unfortunately not an expert on this but:

> iptables -A INPUT -s 0/0 -p icmp -i eth0 -j DROP

Dropping everything on icmp looks like a bad idea to me. Maybe you should allow 8
to/from your ISP and 3, 4, 11 & 12.

> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp -j DROP

...

> iptables -A INPUT -s 0/0 -i eth0 -p ! tcp -j DROP

I am still using ipchains (had no time to convert) but this one doesn't look too
good to me. Aren't these response packets to your requests originating from the
inside?

> Please help.

You would save yourself much time probably if you would use something like
GuardDog or a similar product.

Also: many firewall examples use DENY/DROP for output denied traffic. It is much
better to use REJECT. E.g. the default policy would be:

input DENY
forward REJECT
output REJECT

Cheers,
-- 
Ryurick M. Hristev mailto:ryurick.hristev@;canterbury.ac.nz
Computer Systems Manager
University of Canterbury, Physics & Astronomy Dept., New Zealand
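The reply's point about reply packets "originating from the inside" is easiest to see by walking a few packets through the chain. The following is an added example, not code from the thread: a small first-match model of an iptables INPUT chain that runs the poster's five rules beside a stateful variant. The stateful variant is an assumption of what a corrected chain could look like (the thread only names ICMP types 8, 3, 4, 11 and 12 and hints at the return-traffic problem); it adds an `-m state --state ESTABLISHED,RELATED` accept at the top, accepts the named ICMP types, and restricts echo requests to a placeholder ISP range `192.0.2.0/24`. The conntrack `state` on each sample packet is assumed to be what the kernel would assign; all packets are constructed.

```python
"""Toy first-match model of an iptables INPUT chain (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IPv4 address
    dport: Optional[int] = None      # TCP/UDP destination port on our host
    icmp_type: Optional[int] = None  # ICMP type, when proto == "icmp"
    state: str = "NEW"               # conntrack classification (assumed given)


@dataclass
class Rule:
    target: str                              # ACCEPT or DROP
    proto: Optional[str] = None              # -p <proto>
    negate_proto: bool = False               # -p ! <proto>
    src: Optional[str] = None                # -s <net>
    dport: Optional[int] = None              # --dport <port>
    icmp_type: Optional[int] = None          # --icmp-type <n>
    states: Optional[frozenset] = None       # -m state --state <list>

    def matches(self, p: Packet) -> bool:
        if self.proto is not None:
            hit = p.proto == self.proto
            if hit == self.negate_proto:      # plain match must hit, negated must miss
                return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def walk_chain(rules, pkt, policy="ACCEPT"):
    """First rule that matches decides (ACCEPT/DROP terminate); else the chain policy."""
    for r in rules:
        if r.matches(pkt):
            return r.target
    return policy


# The poster's chain, in the order given in the message.
ORIGINAL = [
    Rule("DROP", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("DROP", proto="tcp"),
    Rule("DROP", proto="tcp", negate_proto=True),
]

ISP_NET = "192.0.2.0/24"  # placeholder for the ISP's address range (constructed)

# Assumed stateful variant: let replies to our own traffic in first, then the
# ICMP types named in the reply, then the two public services, then drop the rest.
STATEFUL = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    *[Rule("ACCEPT", proto="icmp", icmp_type=t) for t in (3, 4, 11, 12)],
    Rule("ACCEPT", proto="icmp", icmp_type=8, src=ISP_NET),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("DROP"),
]

# Constructed sample packets arriving on the outside interface.
SAMPLES = {
    "dns reply to our resolver query":       Packet("udp", "198.51.100.53", dport=40001, state="ESTABLISHED"),
    "syn/ack for mail we are sending out":   Packet("tcp", "198.51.100.25", dport=43210, state="ESTABLISHED"),
    "icmp dest-unreachable for our own flow": Packet("icmp", "203.0.113.1", icmp_type=3, state="RELATED"),
    "new ssh connection from the internet":  Packet("tcp", "203.0.113.9", dport=22),
    "new smtp connection from the internet": Packet("tcp", "203.0.113.9", dport=25),
    "ping from the ISP":                     Packet("icmp", "192.0.2.7", icmp_type=8),
    "ping from elsewhere":                   Packet("icmp", "203.0.113.9", icmp_type=8),
}


def compare(samples=SAMPLES):
    """Return {name: (verdict under ORIGINAL, verdict under STATEFUL)}."""
    return {n: (walk_chain(ORIGINAL, p), walk_chain(STATEFUL, p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:40s} original={old:7s} stateful={new}")
```

The first three samples are the ones that make the poster's box feel slow: the DNS reply and the SYN/ACK for an outbound connection both hit the catch-all `-p tcp -j DROP` / `-p ! tcp -j DROP` rules and get dropped, so every lookup and outbound connection has to time out, and the dropped type-3 ICMP breaks path-MTU discovery on top. The stateful chain still drops the unsolicited SSH attempt and the ping from outside the ISP range.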
