Hi all,
Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.
I'd like to start with something fairly simple:
1. Allow connections from anywhere ONLY to certain ports
i.e., for encrypted IMAP/SMTP connections from users
2. Allow connections from only certain IP addresses to certain ports
i.e., for limiting SSH access
3. DROP ALL other connection attempts
i.e., I don't want to see these disallowed attempts in the logs
In order to keep my rules more manageable, I have a commented text file
that I manually edit whenever modifying my rules, then I do an
'iptables-restore < /path/to/iptables-rules' to update them.
My first question is about a trick I learned some time ago (but don't
remember where)...
For the ports for which I want to allow only restricted access, I have
something like:
#######################
# bgn exceptions blocks
#######################
:f_22_I - [0:0]
:f_25_I - [0:0]
:f_22_O - [0:0]
:f_25_O - [0:0]
Am I correct that the above are what are called 'chains' in iptables speak?
#
### allow connections only from the following IPs
#
## SSH
#
# my local admin hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
#
# external hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
And am I also correct that the above adds each rule to the named chain
in order, and that the order is significant?
So, if I wanted to add a last rule to that chain that DROPs all other
connection attempts, it would be just:
-A f_22_I -j DROP
?
Then... assuming that I have all of the specific rules after these set
up to allow just the traffic I want, and I wanted to add a final rule
that just silently DROPped all other inbound connection attempts, it
would be:
-A INPUT -j DROP
?
Thanks...
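For reference, here is a complete iptables-restore ruleset implementing the three goals described in the post, as an added example that is not part of the original message. It keeps the poster's `f_22_I` chain name and uses hypothetical documentation addresses (192.0.2.0/24, 198.51.100.0/24) in place of the masked ones; the second function only checks the generated text, so it runs without root or a kernel.

```shell
# Emit an iptables-restore file implementing: open ports for everyone,
# SSH restricted to listed sources, everything else dropped silently.
# Addresses are hypothetical (RFC 5737 documentation ranges).
make_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain (":name - [0:0]" creates it with no policy)
:f_22_I - [0:0]
# loopback and replies to connections this host started must be
# accepted BEFORE any catch-all DROP, or outbound traffic breaks
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# goal 1: reachable from anywhere (SMTPS, submission, IMAPS)
-A INPUT -p tcp -m multiport --dports 465,587,993 -j ACCEPT
# goal 2: a custom chain does nothing until INPUT jumps into it
-A INPUT -p tcp --dport 22 -j f_22_I
# goal 3: silent drop of everything else (same effect as the policy)
-A INPUT -j DROP
# rules are appended in order; the first match wins
-A f_22_I -s 192.0.2.10 -j ACCEPT
-A f_22_I -s 198.51.100.5 -j ACCEPT
# optional: without this, unmatched packets return to INPUT and
# are dropped there anyway
-A f_22_I -j DROP
COMMIT
EOF
}

# Structural checks on the generated text; returns 0 when the chain
# exists, INPUT jumps into it, and ESTABLISHED precedes the final DROP.
check_rules() {
    rules=$(make_rules)
    printf '%s\n' "$rules" | grep -q '^:f_22_I - ' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 -j f_22_I' || return 1
    printf '%s\n' "$rules" | grep -q '^-A INPUT -j DROP$' || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j DROP$' | cut -d: -f1)
    [ "$est" -lt "$drop" ]
}
```

On a real host, `make_rules > /path/to/iptables-rules` followed by `iptables-restore --test < /path/to/iptables-rules` parses the file without committing it, which catches syntax errors before they lock you out.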