Implementing an iptables Firewall

As a general rule of thumb when talking about network security, you should deny all and allow some. This means that by default you should not allow any network traffic at all to a machine, and then enable only what is needed for the operation of your firewall/network/server.

Note: In the rest of the examples in this chapter, you must be logged in as root, because you are changing memory belonging to the kernel through the iptables command, and that requires a privileged user.

To make this easier, netfilter provides a default policy for each chain (INPUT, OUTPUT, FORWARD). You can set this policy to drop all packets that do not trigger a rule (that is, are not explicitly allowed).

The Linux filtering code is always running, but by default, the policy for the chains is ACCEPT (see Listing 24-1).


The Default Filtering Rules


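The deny-all, allow-some policy described above, as an added example that is not from the chapter: a script that emits the iptables commands for a default-DROP filter table and then explicitly accepts loopback, established connections and a short list of inbound services. The allowed ports (22 and 443) are an assumed sample for a hypothetical web server; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not the chapter's own listing. Builds a default-deny
# ruleset for the filter table and allows only what the host needs.
# Assumption: an SSH-managed web server, so inbound TCP 22 and 443 are
# the only services that must be reachable (constructed sample values).
ALLOW_TCP_PORTS="22 443"

# Print the iptables commands for a default-deny policy on all three chains.
default_deny_rules() {
    # Flush existing rules and user chains so the result is deterministic.
    echo "iptables -F"
    echo "iptables -X"
    # Policy: anything no rule explicitly accepts is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Local services talk over the loopback interface; keep that working.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to connections this host already has are allowed back in,
    # and the host may open new outbound connections.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Allow new inbound connections only to the listed services.
    for p in $ALLOW_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Number of inbound service ports the ruleset explicitly opens.
count_inbound_allows() {
    default_deny_rules | grep -c 'dport'
}

# Print the ruleset for review; as root it can be applied with:
#   sh this_script.sh | sh -e
default_deny_rules
```

Run the script as an unprivileged user to review the ruleset; only pipe its output to a root shell once the allowed ports match the host's actual services.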