On Monday 08 July 2002 19:01, Antony Stone wrote:

> On Monday 08 July 2002 5:34 pm, Jan Humme wrote:
> > On Monday 08 July 2002 17:22, Antony Stone wrote:
> > > I'd prefer to see:
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > Then you add in the rules for the stuff you definitely know you want
> > > to allow.
> >
> > Certainly.
> >
> > What about default policies for the nat and mangle tables?
>
> Those should be ACCEPT, unless you're being sneaky/clever, and you
> definitely know what you are doing..
>
> The reasons are simple:
>
> 1. The choice of whether to block or accept packets should be done in the
> filtering table - that's what it's for. The nat table is for address
> translation, and the mangle table is for packet mangling. Don't drop
> packets in the nat table; drop them in the filter table.

Makes perfect sense.

> 2. If you start setting default policies of anything except ACCEPT in the
> nat or mangle tables, it's very easy to stop all traffic through your
> firewall, and spend some time scratching your head trying to figure out
> why, because there are no rules in the filter table causing the behaviour
> you observe.

..........as I already found out...............(!).

Jan Humme.
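The layout Antony recommends, plus a check for the mistake Jan ran into, as an added shell example that is not part of the thread; it assumes the iptables command is installed and uses a constructed iptables-save dump as input (on a live host, pipe `iptables-save` into the check):

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the iptables command;
# set IPT=echo to print the commands instead of applying them.
IPT=${IPT:-iptables}

# Antony's layout: default-deny in the filter table only, explicit allows
# after it; nat and mangle keep ACCEPT policies on their built-in chains.
apply_defaults() {
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT DROP
    $IPT -t filter -P FORWARD DROP
    for chain in PREROUTING OUTPUT POSTROUTING; do
        $IPT -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPT -t mangle -P "$chain" ACCEPT
    done
    # Explicit allows: loopback, replies, inbound SSH, host-originated traffic.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -t filter -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}
# Jan's failure mode as a check: read an iptables-save dump on stdin and
# report each built-in chain in nat or mangle whose policy is not ACCEPT
# (user-defined chains carry "-" and are skipped); exit 1 if any is found.
check_nat_mangle_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/ && (table == "nat" || table == "mangle") {
            if ($2 != "ACCEPT" && $2 != "-") {
                print table, substr($1, 2), $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed dump reproducing the mistake: a DROP policy in the nat table
# while the filter table looks sane.
SAMPLE_DUMP='*nat
:PREROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT'
```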
