ACCEPT Rules

Only now can you add in all your ACCEPT rules. After you have finished with those rules, you will want to add in your default catch-all DROP and LOG rule. Remember the cardinal rule: "unless allowed, deny." This rule, which is put in at the end of all your rules, accomplishes that. Note that the LOG rule must come before the DROP rule in the chain, since DROP ends processing, and that the `limit` match means a flood of rejected packets produces at most one log entry per second, so the log is a sample rather than a complete count.

```sh
# Create a user-defined chain and send anything that reaches the end of the
# built-in chains (i.e. matched no ACCEPT rule) into it.
iptables -N FINAL_DROP
iptables -A OUTPUT -j FINAL_DROP
iptables -A INPUT -j FINAL_DROP
iptables -A FORWARD -j FINAL_DROP

# Log the packet first (rate-limited so a flood cannot fill the log), then drop it.
iptables -A FINAL_DROP -m limit --limit 1/second \
    -j LOG --log-level info --log-prefix "Final DROP " \
    --log-tcp-sequence --log-tcp-options \
    --log-ip-options
iptables -A FINAL_DROP -j DROP
```

And finally, IP forwarding can be turned back on. We always turn forwarding off while loading new rules because otherwise you can get into a race condition where bad packets slip through before your rules are fully in place.

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```
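The catch-all rule is only useful if someone reads what it logs. As an added example (not part of the original tutorial), the following POSIX shell function summarises kernel log lines carrying the "Final DROP " prefix by source address, protocol and destination port; the log lines it runs over are constructed here and assume the standard syslog layout of the iptables LOG target (SRC=, DST=, PROTO=, DPT= fields).

```sh
#!/bin/sh
# Constructed sample of kernel log output from the "Final DROP " LOG rule.
# The ICMP line has no DPT= field; the last line is unrelated kernel noise.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: Final DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=50 PROTO=TCP SPT=4444 DPT=23 SYN
Mar  3 10:01:03 fw kernel: Final DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=50 PROTO=TCP SPT=4445 DPT=23 SYN
Mar  3 10:01:04 fw kernel: Final DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=50 PROTO=TCP SPT=4446 DPT=23 SYN
Mar  3 10:01:05 fw kernel: Final DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=50 PROTO=TCP SPT=4447 DPT=445 SYN
Mar  3 10:01:06 fw kernel: Final DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:01:07 fw kernel: Final DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=78 TTL=60 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:01:08 fw kernel: eth0: link becomes ready'

# Read log lines on stdin; print "count SRC PROTO DPT" per distinct tuple,
# most frequent first. Lines without the "Final DROP " prefix are ignored.
# Because the LOG rule is limited to 1/second, these counts are a sample of
# what was dropped, not a full tally.
final_drop_summary() {
    grep 'Final DROP ' | awk '{
        src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone usage over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | final_drop_summary
```

On a live box you would feed it `dmesg` or the syslog file that receives kernel messages at priority info instead of the sample.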