A Simple Question

Jan Engelhardt jengelh at linux01.gwdg.de
Thu Aug 11 07:54:56 CEST 2005


>iptables -P INPUT DROP
>iptables -P FORWARD DROP
>VS
>iptables -P INPUT ACCEPT
>iptables -P FORWARD ACCEPT
>...(other stuff here)...
>iptables -A INPUT -j DROP
>iptables -A FORWARD -j DROP
>
>Which is preferred for security and why?

Both work equally well. It's just a matter of which side you tackle the 
problem from. Compare with 3D-engine editing:

A Quake2 map starts with "air" and you've got to add walls -
  that's like -P ACCEPT and -j REJECT/DROP

An Unreal map starts with "everything filled" and you've got to subtract rooms -
  like -P DROP and -j ACCEPT

In fact, sometimes it is wise to alternate between the two methods within the 
same table. I've got this in some ruleset:

-P INPUT DROP
-A INPUT -p tcp -m multiport --dports someservices -j ACCEPT
(denying all other traffic)

-P OUTPUT ACCEPT
-A OUTPUT -o $internal -j DROP
(allowing all other interfaces)


Just like Apache's "Order allow,deny" if you need another inspiration for 
comparison.


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
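The two styles in the question give the same verdict for every packet, but they behave differently when the rule list changes underneath them. The following added example (not part of the original post, and not iptables itself) is a small Python model of filter-chain traversal: first matching rule wins, and the chain policy applies only when nothing matches. It builds both rulesets with constructed sample packets, checks that the verdicts agree, and then shows two cases where they diverge: after a flush (`-F` removes rules but leaves the policy, so the `-P ACCEPT` style fails open) and after a later `-A` append (which lands behind the trailing `-j DROP` and is never reached). The `Packet`, `Chain` and helper names are this example's own.

```python
"""Toy model of iptables filter-chain traversal (added example, not netfilter code).

A chain is an ordered rule list plus a policy.  Traversal returns the target of
the first rule whose match function accepts the packet; if no rule matches, the
chain policy is the verdict.  Only ACCEPT and DROP targets are modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Packet:
    """Constructed sample packet: just enough fields for the matches below."""
    proto: str
    dport: int
    in_iface: str = "eth0"


Match = Callable[[Packet], bool]


@dataclass
class Chain:
    policy: str                                   # "ACCEPT" or "DROP"
    rules: List[Tuple[Match, str]] = field(default_factory=list)

    def append(self, match: Match, target: str) -> None:
        """Like 'iptables -A': the new rule goes to the END of the chain."""
        self.rules.append((match, target))

    def insert(self, match: Match, target: str) -> None:
        """Like 'iptables -I' with no position: the new rule goes FIRST."""
        self.rules.insert(0, (match, target))

    def flush(self) -> None:
        """Like 'iptables -F': rules are removed, the policy is kept."""
        self.rules.clear()

    def verdict(self, pkt: Packet) -> str:
        for match, target in self.rules:          # first match wins
            if match(pkt):
                return target
        return self.policy                        # nothing matched


def tcp_dports(*ports: int) -> Match:
    """Rough stand-in for '-p tcp -m multiport --dports ...'."""
    return lambda p: p.proto == "tcp" and p.dport in ports


def any_packet(p: Packet) -> bool:
    return True


def build_default_drop() -> Chain:
    """Style 1: -P INPUT DROP, then explicit ACCEPTs (fails closed)."""
    c = Chain(policy="DROP")
    c.append(tcp_dports(22, 80), "ACCEPT")
    return c


def build_default_accept() -> Chain:
    """Style 2: -P INPUT ACCEPT, explicit ACCEPTs, trailing '-A INPUT -j DROP'."""
    c = Chain(policy="ACCEPT")
    c.append(tcp_dports(22, 80), "ACCEPT")
    c.append(any_packet, "DROP")                  # catch-all must stay last
    return c


# Constructed traffic: two allowed ports, one blocked port, one non-TCP packet.
SAMPLE = [Packet("tcp", 22), Packet("tcp", 80), Packet("tcp", 25), Packet("udp", 53)]


def verdicts_agree() -> bool:
    """In steady state both rulesets decide every sample packet the same way."""
    a, b = build_default_drop(), build_default_accept()
    return all(a.verdict(p) == b.verdict(p) for p in SAMPLE)


def after_flush() -> Tuple[str, str]:
    """Flushing keeps the policy: style 1 still drops, style 2 now accepts."""
    a, b = build_default_drop(), build_default_accept()
    a.flush()
    b.flush()
    p = Packet("tcp", 25)
    return a.verdict(p), b.verdict(p)             # ('DROP', 'ACCEPT')


def append_after_catchall() -> Tuple[str, str]:
    """'-A' lands behind the trailing DROP in style 2, so the new ACCEPT is dead."""
    a, b = build_default_drop(), build_default_accept()
    a.append(tcp_dports(443), "ACCEPT")           # reachable: policy is the fallback
    b.append(tcp_dports(443), "ACCEPT")           # unreachable: sits after '-j DROP'
    p = Packet("tcp", 443)
    return a.verdict(p), b.verdict(p)             # ('ACCEPT', 'DROP')


def insert_before_catchall() -> str:
    """Using '-I' instead of '-A' puts the rule ahead of the DROP and it works."""
    b = build_default_accept()
    b.insert(tcp_dports(443), "ACCEPT")
    return b.verdict(Packet("tcp", 443))          # 'ACCEPT'


if __name__ == "__main__":
    print("steady state agree:", verdicts_agree())
    print("after flush (drop-style, accept-style):", after_flush())
    print("appended 443 rule (drop-style, accept-style):", append_after_catchall())
    print("inserted 443 rule (accept-style):", insert_before_catchall())
```

The model deliberately ignores connection tracking, REJECT, user-defined chains and RETURN, which is why it stays small; the point it isolates is the one the thread is about: a policy is a fallback that survives `-F`, while a trailing `-j DROP` is just another rule, so with the second style a flush or an interrupted reload leaves the host open, and any rule added later with `-A` has to be placed ahead of the DROP (with `-I`, or by rebuilding the chain) to take effect.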