jepoy <[EMAIL PROTECTED]> writes:

> hi;
> I've made my DNS working, I'm now in the process of protecting it. Is my
> iptables correct?
> I just want only port 53 to be open and close all other ports.
>
> *filter
> # rules for our firewall
> -A INPUT -i lo -p all -j ACCEPT
> -A OUTPUT -o lo -p all -j ACCEPT
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

A DROP would be preferred in some environments, as REJECTs often betray your network.

> # open ports for dns service
> -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
> -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
> # drop all other inbound connections
> -P INPUT DROP
> COMMIT

A DROP outbound policy is also helpful, as you ought to know which services, ports and programs you want (and trust) enough to connect to the internet. This is what I do on my homebox, setting INPUT, FORWARD and OUTPUT to DROP and explicitly specifying which ports or protocols to ACCEPT or DROP. LOGging is also very helpful, as it enables you to determine blocked connections.

--
ZAK B. ELEP <[EMAIL PROTECTED]>
--
Registered Linux User #327585
1024D/FA53851D 1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D
--
Running Debian Gnus/Emacs testing/unstable. GPG signed mail preferred.
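As an added example (not part of either post in this thread), here is a complete iptables-restore ruleset that applies Zak's advice to jepoy's DNS host: DROP policies on INPUT, FORWARD and OUTPUT, explicit ACCEPTs only for what the box needs, and a rate-limited LOG before the policy drops everything else. The interface name eth0 and the management network used for SSH are assumptions; the admin network address is a constructed RFC 5737 example.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables-restore
# ruleset for a DNS server with default-DROP on all three chains.
ADMIN_NET="192.0.2.0/24"   # constructed example: where admins SSH in from (assumption)

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections either side already opened
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service this box offers: DNS over UDP and TCP (large answers, zone transfers)
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 53 --syn -j ACCEPT
# admin access, only from the management network (assumption)
-A INPUT -i eth0 -p tcp -s $ADMIN_NET --dport 22 --syn -j ACCEPT
# what the server itself may initiate: DNS to other servers (recursion, NOTIFY, AXFR)
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
# log what is about to be dropped, rate-limited so a flood cannot fill the logs
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Print the ruleset for review, or load it atomically (as root) with --apply.
if [ "$1" = "--apply" ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Because the ruleset is loaded in one iptables-restore transaction, there is no window where the policy is DROP but the ACCEPT rules are not yet in place, which a line-by-line iptables script would have.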
--
Philippine Linux Users' Group (PLUG) Mailing List (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
