Patch for iptables (Linux firewall)

Stefan Sperling stsp at stsp.name
Wed Oct 24 11:15:39 CEST 2007


On Tue, Oct 16, 2007 at 11:51:28PM +0000, Ewan Meadows wrote:
> Here's a patch to enable iptables in the DLDI builds.  I felt a bit
> insecure when I realised you don't even need to enter a password to
> login via busybox telnetd.

IPs can be spoofed though, but OK, it makes it harder
to get in.

For real security use iptables to block anything but
an openvpn connection (which you already ported,
thanks again for that :)

I have some questions and comments regarding the example file:

  Index: user/iptables/iptables.conf.example
  ===================================================================
  --- user/iptables/iptables.conf.example (revision 0)
  +++ user/iptables/iptables.conf.example (revision 0)
  @@ -0,0 +1,13 @@
  +*filter
  
  +:INPUT ACCEPT [0:0]
  +:FORWARD ACCEPT [0:0]
  +:OUTPUT ACCEPT [9:558]

What do these do? Do they set the default policy?
What are the numbers in the brackets?
Could you add a comment to the example file that explains all this?

If they set the default policy, why not use REJECT for INPUT
and FORWARD instead of ACCEPT?
If not, where do you allow outbound traffic?

  +#Allow all from localhost
  +-A INPUT -s 127.0.0.1 -j ACCEPT

That's fine.

  +#Allow all from trusted IP
  +-A INPUT -s 10.8.0.2 -j ACCEPT

This should be commented! Who knows what 10.8.0.2 is
in other environments.

  +#Allow already established connections
  +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Great.

  +#Reject everything else
  +-A INPUT -j REJECT --reject-with icmp-port-unreachable
  +COMMIT
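
Review bot: the `:INPUT ACCEPT [0:0]` style lines at the top of the hunk set each built-in chain's default policy (ACCEPT) and reset its packet:byte counters, so the `[9:558]` on OUTPUT is a leftover from an `iptables-save` of a running box and should read `[0:0]` like the other two; this also answers where outbound traffic is allowed, namely by the OUTPUT policy. Built-in chain policies only accept ACCEPT or DROP, so the closing `-A INPUT -j REJECT --reject-with icmp-port-unreachable` rule is the correct way to reject by default; FORWARD currently keeps policy ACCEPT with no rules at all and should get the same treatment (or a DROP policy) if the device is not meant to route. The hard-coded `10.8.0.2` under "Allow all from trusted IP" is a site-specific value and should be documented in the file as a placeholder for the peer to trust (presumably the OpenVPN client address), and since source addresses can be spoofed the localhost rule is better matched on the interface (`-i lo`) than on `-s 127.0.0.1`.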

Great as well.

-- 
stefan
http://stsp.name                                         PGP Key: 0xF59D25F0