On Monday 08 July 2002 5:34 pm, Jan Humme wrote:

> On Monday 08 July 2002 17:22, Antony Stone wrote:
> > I'd prefer to see:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > Then you add in the rules for the stuff you definitely know you want to
> > allow.
>
> Certainly.
>
> What about default policies for the nat and mangle tables?

Those should be ACCEPT, unless you're being sneaky/clever, and you definitely know what you are doing.

The reasons are simple:

1. The choice of whether to block or accept packets should be done in the filtering table - that's what it's for. The nat table is for address translation, and the mangle table is for packet mangling. Don't drop packets in the nat table; drop them in the filter table.

2. If you start setting default policies of anything except ACCEPT in the nat or mangle tables, it's very easy to stop all traffic through your firewall, and spend some time scratching your head trying to figure out why, because there are no rules in the filter table causing the behaviour you observe.

Antony.
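As an added illustration (not part of the original thread, and not Antony's or Jan's code), the following shell script writes out a ruleset in iptables-save format that follows the advice above: DROP defaults on the filter table's built-in chains, ACCEPT defaults on every nat and mangle chain, with the permitted traffic added as explicit filter rules. It also includes a small audit function for the second point in the reply: given an iptables-save dump, it reports any nat or mangle chain whose policy is not ACCEPT, which is exactly the misconfiguration that stops traffic without any filter rule to explain it. The allowed services (loopback, SSH on port 22, established connections) and the constructed "bad" dump are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumptions: the allowed services below are illustrative; bad_dump is a
# constructed iptables-save fragment used only to exercise the check.

# ruleset: print an iptables-save style ruleset that keeps the default
# policies where Antony puts them. Load it (as root) with:
#   ruleset | iptables-restore
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# bad_dump: a constructed dump with a DROP policy in the nat table, the
# situation the reply warns about (traffic vanishes, filter table looks fine).
bad_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING DROP [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# check_policies: read an iptables-save dump on stdin (e.g. `iptables-save |
# check_policies`) and print one line for each built-in chain in the nat or
# mangle table whose policy is not ACCEPT. Exit status 0 if none, 1 otherwise.
check_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }          # "*nat" -> "nat"
        /^:/ && (table == "nat" || table == "mangle") {
            chain = substr($1, 2)                       # ":PREROUTING" -> "PREROUTING"
            if ($2 != "ACCEPT") {
                printf "%s table: chain %s has policy %s (should be ACCEPT)\n", table, chain, $2
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Demonstration: the recommended ruleset passes, the constructed dump does not.
ruleset | check_policies && echo "ruleset: nat/mangle policies OK"
bad_dump | check_policies || echo "bad_dump: non-ACCEPT policy found in nat/mangle"
```

On a live box the same audit is `iptables-save | check_policies`; a non-zero exit tells you to look at the nat and mangle policies before hunting through filter rules.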
