Walter Dnes wrote:
> On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote:
>> On 12/27/2012 10:59 PM, Walter Dnes wrote:
>>> Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm
>>> behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
>>> However, I do have a backup dialup connection in case of problems, so
>>> most of my rules don't specify the network interface. A couple of
>>> notes...
>> I did a bunch of inline comments below as I was trying to understand the
>> rules. At the end I give the tl;dr, but maybe the inline comments are
>> useful too.
> Thanks. My ruleset has accumulated years of cruft. I should really
> sit down and rewrite the thing from square 1. I have one comment. You
> show what appears to be a bash script for setting up the rules. I work
> with the contents of file /var/lib/iptables/rules-save instead.
Calling iptables repeatedly from a shell script is not advisable. A
better approach is described by Jan Engelhardt in his "Towards the
perfect ruleset" document:
http://inai.de/documents/Perfect_Ruleset.pdf
The method of working with /var/lib/iptables/rules-save is very similar
to that which he describes.
Cheers,
--Kerin
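The approach Kerin recommends, loading a complete ruleset from a rules-save style file rather than running iptables once per rule, as an added example that is not from the thread, from Walter's ruleset or from Jan Engelhardt's document: a POSIX sh script that writes a small iptables-save-format file, checks its structure, and loads it in one step with iptables-restore. The output path, the ports, the rate limits and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates loading a firewall
# ruleset atomically from an iptables-save-format file instead of calling
# iptables once per rule from a script.
# Assumptions: output path below (Gentoo's own file is /var/lib/iptables/rules-save),
# ports and rate limits are illustrative, not anyone's real ruleset.

RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/rules-save.example}"

# Emit a complete ruleset in iptables-save format. ":CHAIN POLICY" lines set
# the default policy; COMMIT closes the table and is what iptables-restore
# applies as a single unit, so no half-built chain is ever live.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked traffic first, invalid state dropped early
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Interface left unspecified so the same file covers the ADSL and dialup links
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Log what falls through; the INPUT policy above then drops it
-A INPUT -j LOG --log-prefix "IN-DROP: " --log-level 4
COMMIT
EOF
}

# Counts used by the structural check below.
count_tables()  { grep -c '^\*' "$1"; }
count_commits() { grep -c '^COMMIT$' "$1"; }

# Structural check that needs neither root nor netfilter: every table opened
# with "*name" must be closed by exactly one COMMIT.
check_ruleset() {
    [ "$(count_tables "$1")" -gt 0 ] &&
    [ "$(count_tables "$1")" -eq "$(count_commits "$1")" ]
}

# Load for real (run as root). "iptables-restore --test" parses and builds the
# whole ruleset without committing it, so a typo or missing match module is
# rejected before the live tables are touched; only then is the file applied.
load_ruleset() {
    check_ruleset "$1" || { echo "malformed ruleset: $1" >&2; return 1; }
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test < "$1" && iptables-restore < "$1"
    else
        echo "not root or iptables-restore missing; skipped live load of $1" >&2
    fi
}

write_ruleset "$RULES_FILE"
check_ruleset "$RULES_FILE" && echo "ruleset written and well-formed: $RULES_FILE"
# As root, apply it atomically with:  load_ruleset "$RULES_FILE"
```

The contrast with a script of per-rule iptables calls is the failure mode: if such a script dies halfway through (a typo, a match module that is not loaded), the host is left with whatever subset of rules had been added, and while it rebuilds the chains there is a window in which the default policy is in force with no ACCEPT rules yet. iptables-restore reads the whole table and commits it in one step, and the --test pass means a bad file is refused without changing anything.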