Patch for iptables (Linux firewall)

Luis Javier Merino ljmerino at gmail.com
Sun Oct 28 03:15:12 CET 2007


On 10/24/07, Stefan Sperling <stsp at stsp.name> wrote:
>   Index: user/iptables/iptables.conf.example
>   ===================================================================
>   --- user/iptables/iptables.conf.example (revision 0)
>   +++ user/iptables/iptables.conf.example (revision 0)
>   @@ -0,0 +1,13 @@
>   +*filter
>
>   +:INPUT ACCEPT [0:0]
>   +:FORWARD ACCEPT [0:0]
>   +:OUTPUT ACCEPT [9:558]
>
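Review bot: `:OUTPUT ACCEPT [9:558]` carries live packet/byte counters while INPUT and FORWARD read `[0:0]`; an example file that is checked in should zero all three, since the numbers are only what the generating machine had counted at save time (iptables-restore ignores them unless invoked with `-c`, so they are dead weight here). The FORWARD chain also defaults to ACCEPT; on a device that does not route between interfaces, `:FORWARD DROP [0:0]` is the safer default alongside the DROP suggested for INPUT.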
> What do these do? Do they set the default policy?
> What are the numbers in the brackets?

They are the default policy. Probably could use DROP there. The
numbers are packet and byte counters, to avoid losing them between
iptables-save and iptables-restore.

 +#Allow already established connections
 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This rule should probably go first, since it most likely matches most
of the traffic.


 +#Reject everything else
 +-A INPUT -j REJECT --reject-with icmp-port-unreachable

If you don't care about immediate error reporting to the other side,
this could be just DROP.


On 10/24/07, Ewan Meadows <ewan.meadows at gmail.com> wrote:
> TBH I'm a bit useless at configuring iptables.  I just generated a
> file that worked for me and chucked it in as an example file. If it
> has problems feel free to fix them.  It may slow down networking a
> tad, so could people check for this as well please.

The example is good. It's simple and useful.

> > IPs can be spoofed though, but OK, it makes it harder
> > to get in.
> Isn't there something that can be turned on through /proc and in the
> kernel to get around this?

You're probably thinking about rp_filter, which is for routers. It
checks that packets come from the NIC where they are supposed to come
(in a symmetric routing scenario), so a host on the net connected to
NIC A doesn't pretend to be a host on the net of NIC B.


On 10/25/07, Malcolm <malcolm.parsons at gmail.com> wrote:
> You can open a TCP connection without receiving the ACK if you can reliably
> guess the initial sequence number contained in the ACK.

Or if you are on the way back, via ARP spoofing, STP spoofing, router
hijacking, etc...

> Linux uses a good random number generator, so we're probably safe.

Indeed. Michal Zalewski had a comparison between ISN generators and
Linux's one was apparently safe (you can never say 100% safe).

Ewan, thanks for this.
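As an added example (not the project's iptables.conf.example and not code from anyone in the thread), the script below parses a ruleset in the iptables-save format the example file uses, flags the points raised above (ACCEPT default policies, stale counters, the RELATED,ESTABLISHED rule not being first, REJECT where DROP would do) and emits a corrected table. The embedded sample is constructed: its chain headers and the two commented rules are the ones quoted in the thread, while the `lo` and port-22 accept rules are assumed filler so that rule reordering has something to act on.

```python
"""Lint and harden an iptables-save style ruleset along the lines of the thread.

Added example; it is not the project's iptables.conf.example. SAMPLE is
constructed: chain headers and the two commented rules come from the thread,
the `lo` and port-22 accept rules are assumed filler for the ordering demo.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:558]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
#Allow already established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; the policy is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[(\d+):(\d+)\]$")
STATE_RE = re.compile(r"--state\s+\S*ESTABLISHED")


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    counters: dict = field(default_factory=dict)  # chain -> (packets, bytes)
    rules: list = field(default_factory=list)     # "-A ..." lines, in order


def parse_ruleset(text):
    """Parse iptables-save output into Table objects keyed by table name."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines carry no state
        if line.startswith("*"):
            current = tables.setdefault(line[1:], Table(line[1:]))
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"line outside a table: {line}")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"bad chain line: {line}")
            chain, policy, pkts, nbytes = m.groups()
            current.policies[chain] = policy
            current.counters[chain] = (int(pkts), int(nbytes))
        elif line.startswith("-A "):
            current.rules.append(line)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return tables


def input_rules(table):
    return [r for r in table.rules if r.startswith("-A INPUT ")]


def lint_filter(table):
    """Return the review findings for a *filter table, in the order found."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if table.policies.get(chain) == "ACCEPT":
            findings.append(f"{chain} policy is ACCEPT; DROP is the safer default")
    for chain, (pkts, nbytes) in table.counters.items():
        if (pkts, nbytes) != (0, 0):
            findings.append(f"{chain} carries stale counters [{pkts}:{nbytes}]; use [0:0]")
    rules = input_rules(table)
    pos = next((i for i, r in enumerate(rules) if STATE_RE.search(r)), None)
    if pos is None:
        findings.append("INPUT has no RELATED,ESTABLISHED rule")
    elif pos != 0:
        findings.append(f"RELATED,ESTABLISHED rule is INPUT rule #{pos + 1}; move it first")
    if rules and rules[-1].startswith("-A INPUT -j REJECT"):
        findings.append("catch-all INPUT rule is REJECT; DROP if peers need no error report")
    return findings


def harden(table, quiet=True):
    """Return corrected *filter table text applying the thread's suggestions."""
    policies = {c: ("DROP" if c in ("INPUT", "FORWARD") else p)
                for c, p in table.policies.items()}
    state = [r for r in input_rules(table) if STATE_RE.search(r)]
    others = [r for r in table.rules if r not in state]
    # Move the state rule ahead of every other INPUT rule; it matches most traffic.
    head = next((i for i, r in enumerate(others) if r.startswith("-A INPUT ")), len(others))
    rules = others[:head] + state + others[head:]
    if quiet:  # silent drop instead of ICMP port-unreachable for the leftover
        rules = ["-A INPUT -j DROP" if r.startswith("-A INPUT -j REJECT") else r
                 for r in rules]
    out = [f"*{table.name}"]
    out += [f":{c} {p} [0:0]" for c, p in policies.items()]  # counters zeroed
    out += rules + ["COMMIT"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flt = parse_ruleset(SAMPLE)["filter"]
    for finding in lint_filter(flt):
        print("-", finding)
    print(harden(flt))
```

Run it directly to see the findings and the rewritten table; the output of `harden()` is valid input for `iptables-restore`. Pass `quiet=False` to keep the REJECT with its ICMP port-unreachable when you do want the peer to get an immediate error.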



More information about the dslinux-devel mailing list