iptables question

Tom H tomh0665 at gmail.com
Wed Aug 18 20:06:13 UTC 2010


On Tue, Aug 17, 2010 at 9:31 PM, Genes MailLists <lists at sapience.com> wrote:
> On 08/17/2010 02:08 AM, Tom H wrote:
>> #! /bin/sh
>> IPTABLES="/sbin/iptables"
>> $IPTABLES --table filter --policy INPUT ACCEPT
>> $IPTABLES --table filter --policy FORWARD ACCEPT
>> $IPTABLES --table filter --policy OUTPUT ACCEPT
>
>   Not saying I'm commenting on the wisdom of the rules one way or
> another - just asking - Does one really want default policy of accept on
> all of these ?

I've seen some flame wars on this topic... :)

I was just posting the iptables commands needed to result in the
"iptables -L" output that the firewall GUI of the OP had created.

Unless you add some rules for OUTPUT, you have to have it default to ACCEPT.

Since this is a desktop with a GUI, it doesn't matter whether FORWARD
defaults to ACCEPT or DROP.

Although I prefer and use DROP for INPUT, the reasoning of the GUI
developer/maintainer must be that having "$IPTABLES --append INPUT
--jump DROP" as the last INPUT rule makes the ACCEPT default safe.
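The two INPUT styles discussed in this thread side by side, as an added example that is not from the original posts: a fail-closed ruleset where the chain policy itself is DROP, and the GUI's style where the policy stays ACCEPT and a trailing `--jump DROP` rule does the work. The `run` wrapper, the `APPLY` switch and the SSH port 22 allow rule are assumptions for illustration. Commands are only echoed unless `APPLY=1`, so the script can be read and run without root.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: each iptables
# command is printed rather than executed unless APPLY=1 is set.
IPTABLES="${IPTABLES:-/sbin/iptables}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPTABLES" "$@"
    else
        echo "$IPTABLES $*"
    fi
}

# Allow rules shared by both variants: loopback, reply traffic and SSH.
# Port 22 is an assumed example service, not something from the thread.
allow_rules() {
    run --table filter --append INPUT --in-interface lo --jump ACCEPT
    run --table filter --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    run --table filter --append INPUT --protocol tcp --dport 22 --jump ACCEPT
}

# Variant 1: fail-closed. The chain policy is DROP, so a script that dies
# half-way, or a later "iptables -F INPUT", leaves the host closed, not open.
fail_closed_ruleset() {
    run --table filter --flush INPUT
    run --table filter --policy INPUT DROP
    run --table filter --policy FORWARD DROP
    run --table filter --policy OUTPUT ACCEPT
    allow_rules
}

# Variant 2: the shape the GUI produces. Policy stays ACCEPT and a trailing
# "--jump DROP" rule does the work. Equivalent while that rule is last;
# a flush, or an ACCEPT rule appended after it, silently reopens INPUT.
accept_then_drop_ruleset() {
    run --table filter --flush INPUT
    run --table filter --policy INPUT ACCEPT
    run --table filter --policy FORWARD ACCEPT
    run --table filter --policy OUTPUT ACCEPT
    allow_rules
    run --table filter --append INPUT --jump DROP
}

# Check (on the dry-run output of a ruleset function) whether unmatched
# INPUT traffic is still dropped after a flush, i.e. the policy is DROP.
is_fail_closed() {
    "$1" | grep -q -- '--policy INPUT DROP'
}

# Dry run prints the fail-closed set; APPLY=1 installs it for real.
fail_closed_ruleset
```

Run it once without `APPLY` to review the generated commands, then with `APPLY=1` as root to install the fail-closed variant. The ordering inside `fail_closed_ruleset` matters: the ESTABLISHED,RELATED rule is appended right after the policy change so an existing SSH session only sees a moment of retransmission rather than a lockout.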

