Discussion on:
10 iptables rules to help secure your Linux box

5
Comments
Add Your Opinion

Join the conversation!

Follow via:
RSS
Email Alert
Community Preferences
0 Votes
+ -
DROP first?
sonotsky 23rd Feb 2009
I'll admit that it's been a LOOOOONG time since I've hacked together my own iptables ruleset (I usually take the default rules that come with RHEL, and let BFD add rules automagically as needed), but I thought that iptables does a "first match" algorithm?

Thus, if you have a DROP rule, specifying the TCP protocol but no ports, it will deny unrelated packets from passing further down the chain.

As Jack says, this is a great rule for hosts (particularly workstations) that have no services for external consumption, but it shouldn't be the first rule on a server-class box.

Can anyone confirm please?
0 Votes
+ -
Confirmed
benny@... 23rd Feb 2009
You are correct. First rule applicable is applied. Drop should be after all execptions.
1 Vote
+ -
good idea for article but (sorry) not well done
speculatrix 25th Feb 2009
why so many "syn"s?

mostly just not needed - the accept related/established stateful control will handle all that.

why no icmp control?

you can't go blocking all icmp on input, you'll fsck things over!

why no policy? "iptables -P INPUT DROP"


sorry, but this is not a particularly impressive "10" list at all. sorry to be the bearer of bad tidings, but whilst the idea was good it was poorly executed.
0 Votes
+ -
firehol and fail2ban
bblackmoor@... 23rd Feb 2009
Rather than manually configure iptables (which is good to know how to do, but prone to errors and omissions), I generally use the firehol and fail2ban scripts to set up basic iptables protection.
0 Votes
+ -
fail2ban
pgit 23rd Feb 2009
Sometimes you have to tweak the default fail2ban frequency downward in order to keep it working. Must be some of the script kiddies are unleashing bots that are aware of the default rate fail2ban ships with.

I've seen the poor server spitting out "password incorrect" messages perpetually, despite fail2ban running. Just enough of a pause to avoid triggering the target.
Keyboard Shortcuts:
Prev
Next
Toggle
Join the conversation
Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]

Join the TechRepublic Community and join the conversation! Signing-up is free and quick, Do it now, we want to hear your opinion.

Join Login

Keep Up with TechRepublic

Discover more newsletters

Follow us however you choose!

Media Gallery

View All

Hot Discussions

Start a Discussion
View All

Hot Questions

Ask a Question