Tuesday, February 24, 2009


The first thing most people should do is set the default policy for each inbound chain to DROP:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP

When everything is denied, you can start allowing things. The first thing to allow is any traffic for sessions which are already established:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
So as not to break any applications that communicate using the loopback address, it is usually wise to add a rule like this:

# iptables -A INPUT -s -d -i lo -j ACCEPT
The next thing to do would be to allow access to specific services running on your machine. If, for example, you wanted to run a web server on your machine, you would use a rule similar to this:

# iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT

This will allow access from any machine to port 80 on your machine via the ppp0 interface. You may want to restrict access to this service so that only certain machines can access it. This rule allows access to your web service from

# iptables -A INPUT -p tcp -s --dport 80 -i ppp0 -j ACCEPT

Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use a rule like this:

# iptables -A INPUT -p icmp -j ACCEPT

Most people will also want to set up Network Address Translation (NAT) on their gateway machine, so that other machines on their network can access the Internet through it. You would use the following rule to do this:

# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

You will also need to enable IP forwarding. You can do this temporarily, using the following command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

No comments:

Post a Comment