Patch for iptables (Linux firewall)

Stefan Sperling stsp at
Wed Oct 24 11:15:39 CEST 2007

On Tue, Oct 16, 2007 at 11:51:28PM +0000, Ewan Meadows wrote:
> Here's a patch to enable iptables in the DLDI builds.  I felt a bit
> insecure when I realised you don't even need to enter a password to
> login via busybox telnetd.

IPs can be spoofed though, but OK, it makes it harder
to get in.

For real security use iptables to block anything but
an openvpn connection (which you already ported,
thanks again for that :)

I have some questions and comments regarding the example file:

  Index: user/iptables/iptables.conf.example
  --- user/iptables/iptables.conf.example (revision 0)
  +++ user/iptables/iptables.conf.example (revision 0)
  @@ -0,0 +1,13 @@
  +:INPUT ACCEPT [0:0]
  +:OUTPUT ACCEPT [9:558]
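Review bot: the `:CHAIN POLICY [packets:bytes]` lines are iptables-restore chain declarations: they set the chain's default policy and preload its counters, and the `[9:558]` on OUTPUT is a leftover from a live `iptables-save` dump that should be `[0:0]` in an example file. Nothing quoted declares `:FORWARD`, and an iptables-restore file must begin with `*filter` and end with `COMMIT`, neither of which is visible in this region; if the unquoted part of the 13-line hunk does not supply them the file will not load. A comment explaining this syntax at the top of the example would answer the questions raised in the reply.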

What do these do? Do they set the default policy?
What are the numbers in the brackets?
Could you add a comment to the example file that explains all this?

If they set the default policy, why not use REJECT for INPUT
and FORWARD instead of ACCEPT?
If not, where do you allow outbound traffic?

  +#Allow all from localhost
  +-A INPUT -s -j ACCEPT
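Review bot: `-A INPUT -s -j ACCEPT` has no address argument after `-s` as quoted, so iptables-restore will reject the line. For the loopback case match the interface instead of a source address (`-A INPUT -i lo -j ACCEPT`), since a packet claiming a 127.0.0.1 source can arrive on a real interface, which is exactly the spoofing concern the reply raises.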

That's fine.

  +#Allow all from trusted IP
  +-A INPUT -s -j ACCEPT
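Review bot: this rule also has no address after `-s`, and as an example shipped to other users it should be commented out rather than active. When it is enabled, narrow it to the service actually needed (for the busybox telnetd mentioned in the thread, `-p tcp --dport 23`) instead of accepting everything from that host, so a spoofed source gains at most one port.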

This should be commented! Who knows what is
in other environments.

  +#Allow already established connections
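Review bot: the comment `#Allow already established connections` has no rule beneath it in what is quoted. The rule it introduces needs the state match (`-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`), which only works if the state/conntrack modules are compiled into the DLDI kernel; `iptables -m state -h` on the target is a quick way to confirm the match is available before relying on it.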


  +#Reject everything else
  +-A INPUT -j REJECT --reject-with icmp-port-unreachable
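Review bot: with this catch-all REJECT at the end, the `:INPUT ACCEPT` policy only matters when the ruleset is flushed or loads part-way, which is precisely when a DROP policy would keep the box closed; set INPUT and FORWARD to DROP and rely on the explicit ACCEPT rules. `--reject-with icmp-port-unreachable` is the default for `-j REJECT`, so it is redundant but harmless. Nothing quoted here filters FORWARD at all.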

Great as well.

stefan                                         PGP Key: 0xF59D25F0
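The ruleset the reply asks for, one that admits nothing from the network except OpenVPN, written out as an added example; it is not part of the patch under discussion or of the dslinux tree. It assumes OpenVPN listens on UDP port 1194, that the tunnel interface is tun0, and that the DLDI kernel has the iptables "state" match built in; none of those is stated on the page. The lint function is plain shell so the file can be sanity-checked on a machine without iptables.

```shell
#!/bin/sh
# Added example (not from the dslinux patch or the thread): an iptables-restore
# ruleset that admits only OpenVPN, plus loopback and replies to our own
# traffic, and rejects everything else.
# Assumptions not stated on the page: OpenVPN on UDP 1194, tunnel interface
# tun0, kernel built with the "state" match.

VPN_PORT=1194     # assumed OpenVPN port
VPN_PROTO=udp     # assumed OpenVPN transport
TUN_IF=tun0       # assumed tunnel interface

# Print the ruleset in iptables-restore format. A table block starts with
# *table and ends with COMMIT; ":CHAIN POLICY [pkts:bytes]" sets the chain's
# default policy and resets its counters. Default DROP means a half-loaded or
# flushed table still denies instead of exposing telnetd.
openvpn_only_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: match the interface, not 127.0.0.1, which could arrive spoofed
-A INPUT -i lo -j ACCEPT
# Replies to connections this box initiated (needs the state match)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only service reachable from the wire: OpenVPN
-A INPUT -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
# Traffic arriving through the tunnel has already been authenticated by OpenVPN
-A INPUT -i $TUN_IF -j ACCEPT
# Everything else: reject, as the patch does, rather than silently drop
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Rules that accept traffic from the wire, i.e. INPUT ACCEPTs not tied to
# loopback, connection state, or the tunnel interface. Prints the count.
wire_accept_rules() {
    openvpn_only_ruleset | grep '^-A INPUT' | grep -- '-j ACCEPT' \
        | grep -v -e '-i lo' -e '--state' -e "-i $TUN_IF"
}

wire_accept_count() {
    wire_accept_rules | grep -c .
}

# Structural check in plain shell so it runs where iptables is absent:
# *filter/COMMIT present, all three chains given a policy, and every ACCEPT
# reachable from the wire is on the VPN port. Returns 0 on pass, 1 on fail.
lint_ruleset() {
    rules=$(openvpn_only_ruleset)
    echo "$rules" | grep -q '^\*filter$' || return 1
    echo "$rules" | grep -q '^COMMIT$'   || return 1
    for chain in INPUT FORWARD OUTPUT; do
        echo "$rules" | grep -q "^:$chain " || return 1
    done
    # any wire-facing ACCEPT that is not the VPN port fails the lint
    wire_accept_rules | grep -v -- "--dport $VPN_PORT" | grep -q . && return 1
    return 0
}

# Apply only when asked explicitly: parse first with -t, then load, so a typo
# cannot leave the box with an empty table. Do this from the console or over
# the VPN, never over the telnet session you are about to firewall off.
if [ "$1" = apply ]; then
    openvpn_only_ruleset > /tmp/iptables.conf
    iptables-restore -t < /tmp/iptables.conf && iptables-restore < /tmp/iptables.conf
fi
```

Running the script with no argument only defines the functions; `sh script.sh apply` as root writes the ruleset and loads it after a parse-only pass. The order of the INPUT rules matters: loopback and state come first so that replies to the box's own DNS or update traffic are never blocked by the final REJECT.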

More information about the dslinux-devel mailing list