* iptables basic concepts
@ 2003-11-28 14:19 Alejandro Cabrera Obed
  2003-11-28 16:39 ` Rob Sterenborg
  0 siblings, 1 reply; 2+ messages in thread
From: Alejandro Cabrera Obed @ 2003-11-28 14:19 UTC (permalink / raw)
  To: Netfilter lista (iptables)

Hi everybody !!!
I have seen a pair of iptables scripts in order to learn the technique and I
noted that there's no unique order in the construction of the ruleset. I'm
new at this matter so I have to ask you these 2 short questions:

1) What option is the best: at first I set the default policies in the
chains and later I flush all the existing firewall rules or vice versa ???

2) Is it a good practice to start the iptables firewalling rules from the
rc.local script or is it better from the /etc/init.d/iptables script ??? (I
use RH 9 and I start iptables from rc.local)

Thanks a lot, byeeeee

Alejandro




* RE: iptables basic concepts
  2003-11-28 14:19 iptables basic concepts Alejandro Cabrera Obed
@ 2003-11-28 16:39 ` Rob Sterenborg
  0 siblings, 0 replies; 2+ messages in thread
From: Rob Sterenborg @ 2003-11-28 16:39 UTC (permalink / raw)
  To: 'Alejandro Cabrera Obed',
	'Netfilter lista (iptables)'

> 1) What option is the best: at first I set the default 
> policies in the chains and later I flush all the existing 
> firewall rules or vice versa ???
> 
> 2) Is it a good practice to start the iptables firewalling 
> rules from the rc.local script or is it better from the 
> /etc/init.d/iptables script ??? (I use RH 9 and I start 
> iptables from rc.local)

I'd:
- stop kernel forwarding,
- set the default policy (to DROP),
- flush the chains (even if you think they're empty; it won't hurt),
- create the rules I need,
- if needed, start kernel forwarding,
- let the script start from /etc/init.d/iptables, or whatever the script is
called.

The reason for the last step is that you want the iptables script started as
quickly as possible, so that there is (virtually) no time to hack the machine
before the rules are loaded. Best would be to start the script first and
then start the network so that the network isn't up before the rules are
loaded.
If you start it from /etc/rc.d/rc.local the script is started at the very
end of the startup sequence and then the network is already started for some
time.


Gr,
Rob
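The ordering Rob lists, written out as an init-style script. This is an added example, not a script from the thread or from Red Hat; the iptables/sysctl paths, the chkconfig priorities and the sample ACCEPT rules are assumptions, and DRY_RUN=1 prints the commands instead of running them so the order can be checked without root.

```shell
#!/bin/sh
# chkconfig: 2345 08 92   <- assumed priorities: start before network (10), stop after it
# Added example of the startup order from the reply above (not the thread's own code).
IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed path
SYSCTL=${SYSCTL:-/sbin/sysctl}         # assumed path
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands only
ENABLE_FORWARD=${ENABLE_FORWARD:-0}    # 1 = this box also routes

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_start() {
    # 1. stop forwarding first: nothing is routed while the rules are being rebuilt
    run "$SYSCTL" -w net.ipv4.ip_forward=0
    # 2. default policy DROP before the flush, so flushing never leaves a chain open
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT DROP
    # 3. flush rules and delete user chains even if they look empty
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    # 4. the rules actually needed (constructed sample: loopback, replies, ssh in, all out)
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
    run "$IPTABLES" -A OUTPUT -j ACCEPT
    # 5. only now turn forwarding back on, and only if the box is a router
    if [ "$ENABLE_FORWARD" = 1 ]; then
        run "$SYSCTL" -w net.ipv4.ip_forward=1
    fi
    return 0
}

# When run as a script this prints (DRY_RUN=1) or applies (DRY_RUN=0) the plan.
firewall_start
```

Set DRY_RUN=0 and run it as root (from /etc/init.d, as the reply suggests) to apply the rules instead of printing them.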



