On Fri, 16 Jan 2009, Frank Chiulli wrote:
Mike,
First let me say that the examples are a great addition to the page.
I was looking at the iptables sample configuration and had some
questions. I compared your suggested configuration to my current
configuration (Fedora 10). With the exception of the lines with
'--tcp-flags' in your sample configuration, they're pretty close. I
don't have those yet. The first three lines that start with '-A' in
your sample are the same as mine except the order is different. Does
the order make a difference?
Here are the lines from my file:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
Here are yours:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
The order isn't that important, though I should really have
ESTABLISHED,RELATED come first. The main reason for this is that
IPTables runs like a list: any already approved content doesn't have to
get checked against much of the list but is instead automatically
approved.
This has security implications, but for most setups it's a good policy.
I'll actually move that up now and refresh that page soon.
-Mike
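The first-match behaviour Mike describes can be seen without touching a live firewall. The following is an added example, not code from the thread or from Mike's page: a small Python model of a chain walked top to bottom, stopping at the first matching rule. It loads the three rules in both Frank's and Mike's order, runs some constructed packets through them, and reports the verdict and how many rules were consulted. It assumes a default INPUT policy of DROP (the page does not say what the real policy is), and the `-s ... -j DROP` rule used at the end is hypothetical, added only to show what "security implications" an early ESTABLISHED,RELATED accept has for rules placed after it.

```python
# Added example: a toy model of iptables' first-match chain evaluation.
# It is NOT iptables and does not touch the kernel; it only reproduces the
# "walk the list, stop at the first rule that matches" behaviour discussed
# in the thread. Packets, the DROP policy and the -s DROP rule are constructed
# assumptions for illustration.

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    iface: str                  # incoming interface, e.g. "lo" or "eth0"
    proto: str                  # "tcp", "udp" or "icmp"
    state: str                  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    src: str = ""               # source address (used only by the hypothetical DROP rule)
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str                           # the line as it would appear in iptables-save output
    match: Callable[[Packet], bool]     # does this rule match the packet?
    target: str                         # "ACCEPT" or "DROP"


def evaluate(chain: list[Rule], pkt: Packet, policy: str = "DROP") -> tuple[str, int, Optional[str]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, rules_consulted, text_of_matching_rule). If nothing
    matches, the (assumed) chain policy applies after the whole list is read."""
    for i, rule in enumerate(chain, start=1):
        if rule.match(pkt):
            return rule.target, i, rule.text
    return policy, len(chain), None


# The three rules from the thread, as small predicates.
def rule_lo() -> Rule:
    return Rule("-A INPUT -i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT")


def rule_established() -> Rule:
    return Rule("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
                lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")


def rule_icmp() -> Rule:
    return Rule("-A INPUT -p icmp -j ACCEPT", lambda p: p.proto == "icmp", "ACCEPT")


def rule_drop_src(addr: str) -> Rule:
    # Hypothetical block rule, not from the thread: used to show that a rule
    # placed AFTER the ESTABLISHED,RELATED accept never sees established flows.
    return Rule(f"-A INPUT -s {addr} -j DROP", lambda p: p.src == addr, "DROP")


FRANK_ORDER = [rule_established(), rule_icmp(), rule_lo()]   # Frank's file
MIKE_ORDER = [rule_lo(), rule_established(), rule_icmp()]    # Mike's sample

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("lo", "tcp", "NEW"),
    Packet("eth0", "tcp", "ESTABLISHED", src="203.0.113.5", dport=22),
    Packet("eth0", "icmp", "NEW", src="198.51.100.7"),
    Packet("eth0", "tcp", "NEW", src="198.51.100.7", dport=80),
]


def compare_orders(packets=SAMPLE_PACKETS):
    """Per packet: (verdict under Frank's order, verdict under Mike's order,
    rules consulted under Frank's order, rules consulted under Mike's order)."""
    out = []
    for p in packets:
        vf, nf, _ = evaluate(FRANK_ORDER, p)
        vm, nm, _ = evaluate(MIKE_ORDER, p)
        out.append((vf, vm, nf, nm))
    return out


def drop_rule_effect(addr: str = "203.0.113.5"):
    """Verdict for an already-established flow from `addr` when a DROP rule
    for it is appended after the ESTABLISHED,RELATED accept versus inserted
    before it. Same rules, different order, different result."""
    est = Packet("eth0", "tcp", "ESTABLISHED", src=addr, dport=22)
    appended = MIKE_ORDER + [rule_drop_src(addr)]
    prepended = [rule_drop_src(addr)] + MIKE_ORDER
    return evaluate(appended, est)[0], evaluate(prepended, est)[0]


if __name__ == "__main__":
    for p, (vf, vm, nf, nm) in zip(SAMPLE_PACKETS, compare_orders()):
        print(f"{p.iface:5} {p.proto:4} {p.state:11} "
              f"Frank: {vf} after {nf} rule(s)   Mike: {vm} after {nm} rule(s)")
    print("established flow, DROP appended vs prepended:", drop_rule_effect())
```

With only these three ACCEPT rules, both orders give the same verdict for every packet; the order changes only how far down the list the kernel has to walk, which is Mike's efficiency point. The last function shows the other side of it: once ESTABLISHED,RELATED sits near the top, any DROP added below it applies only to new connections, so an existing flow from a host you later decide to block keeps being accepted until its conntrack entry expires or the DROP is placed above the state rule.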