On 21 Oct 2010, at 6:35, Stuart Jansen wrote:

> Yeah, delete the repeats.
>
> For clarity, I prefer icmp-type as names instead of numbers.
>
> As long as you're already using one stateful rule, might as well make the others stateful too. In other words replace:
> -A INPUT -p tcp -m tcp --dport X -j ACCEPT
> with
> -A INPUT -p tcp -m state --state NEW -m tcp --dport X -j ACCEPT
>
> I prefer to use REJECT with DROP as a backup in case of failure.
>
> Order matters, your rules can be made a little more efficient by rearranging them.
>
> Here's what I would do based on your current rules:
>
> *filter
> :INPUT DROP [1783:108550]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [133532:10424922]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m state --state -m tcp --dport 7979 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
Thank you, Stuart; that looks much better. I can almost read that now.

I dropped it in and tried to restart iptables but received an error:

Applying iptables firewall rules: iptables-restore v1.3.5: Bad state `-m'
Error occurred at line: 9

That's the first line with a port number.
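As an added example (not code from either message), here is the quoted ruleset with the NEW argument that the --state lines were missing, followed by a small POSIX sh lint that flags exactly the "--state -m" mistake iptables-restore rejected at line 9. The zeroed packet counters and the lint_states function are my own construction, not part of the thread.

```shell
# Constructed ruleset: the quoted rules with the missing NEW argument filled in
# (assumption: that is what the rules were meant to say). Counters are placeholders.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7979 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# lint_states: read an iptables-save style ruleset on stdin and report every
# --state whose argument is not a comma-separated list of NEW, ESTABLISHED,
# RELATED, INVALID. "--state -m tcp" and a missing argument are both flagged.
lint_states() {
  status=0; n=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      *"--state "*) arg=${line##*--state }; arg=${arg%% *} ;;   # word after --state
      *--state*)    arg='' ;;                                  # --state ends the line
      *)            continue ;;                                # rule has no --state
    esac
    ok=1
    [ -n "$arg" ] || ok=0
    old_ifs=$IFS; IFS=,
    for tok in $arg; do
      case "$tok" in NEW|ESTABLISHED|RELATED|INVALID) ;; *) ok=0 ;; esac
    done
    IFS=$old_ifs
    if [ "$ok" -eq 0 ]; then
      printf "line %d: bad --state argument '%s'\n" "$n" "$arg"
      status=1
    fi
  done
  return $status
}

printf '%s\n' "$RULES" | lint_states && echo 'ruleset OK'
```

Run it against the ruleset before handing it to iptables-restore; the line number it prints is the same one iptables-restore would report.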
