On Thu, 2010-10-21 at 02:27 -0600, Wade Preston Shearer wrote:
> I'm not sure why there are duplicate lines there and I don't remember
> if I wrote it by hand or used a script when I put it together several
> years ago. Should the duplicate lines be removed?

Yeah, delete the repeats.

For clarity, I prefer icmp-type as names instead of numbers.

As long as you're already using one stateful rule, might as well make the others stateful too. In other words, replace:

    -A INPUT -p tcp -m tcp --dport X -j ACCEPT

with

    -A INPUT -p tcp -m state --state NEW -m tcp --dport X -j ACCEPT

I prefer to use REJECT with DROP as a backup in case of failure.

Order matters; your rules can be made a little more efficient by rearranging them. Here's what I would do based on your current rules:

    *filter
    :INPUT DROP [1783:108550]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [133532:10424922]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 7979 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
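A quick way to audit a saved ruleset for the three issues raised in the reply (duplicate rules, port-accept rules without a stateful NEW match, numeric icmp types), as an added example that is not part of the original thread. The ruleset it scans is a constructed sample, not the poster's file, and the function names are this example's own.

```shell
# Audit an iptables-save style ruleset for the problems discussed above.
# SAMPLE_RULES is a constructed sample ruleset, not the poster's actual file.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print each rule line that appears more than once (one copy per duplicate).
find_duplicates() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Print ACCEPT rules that match a destination port but carry no
# "--state NEW" match, i.e. the non-stateful form the reply says to replace.
find_stateless_accepts() {
    printf '%s\n' "$1" | grep -- '--dport' | grep -- '-j ACCEPT' \
        | grep -v -- '--state NEW'
}

# Print ICMP rules that use a numeric type instead of a name (e.g. 8 vs echo-request).
find_numeric_icmp_types() {
    printf '%s\n' "$1" | grep -E -- '--icmp-type [0-9]+'
}

# One-line summary with a count per finding category, for a quick audit.
lint_rules() {
    printf 'duplicates=%s stateless=%s numeric_icmp=%s\n' \
        "$(find_duplicates "$1" | grep -c .)" \
        "$(find_stateless_accepts "$1" | grep -c .)" \
        "$(find_numeric_icmp_types "$1" | grep -c .)"
}

lint_rules "$SAMPLE_RULES"
```

On a live host, replace SAMPLE_RULES with the output of iptables-save to audit the running configuration.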
