Change the Policy to Drop
If you type "iptables -L" in the Root Terminal, you will notice it says, "Chain INPUT (Policy ACCEPT)," "Chain FORWARD (Policy ACCEPT)" and "Chain OUTPUT (Policy ACCEPT)." This means that if a packet is not matched by any of the rules, iptables will accept it. That is acceptable for now, because this is a very simple firewall. As more rules are added and the firewall becomes more complicated, sooner or later something will be overlooked, and anything overlooked will be accepted. The computer will be more secure if you change the policy to DROP, so that anything overlooked is dropped instead.
If the policy is changed to DROP right now, the computer will not be able to access the internet, because there are no rules in OUTPUT, so all outgoing traffic will be dropped.
Add a rule so OUTPUT will work. Insert this rule between the last INPUT rule and the "iptables-save" line.
This tells iptables to add a rule accepting OUTPUT.
You should now have:
Copy and paste this to the Root Terminal.
These new rules will now be saved and used every time the computer is turned on, because the "iptables-save" line is included. If you want to make a temporary change, but have the computer revert to the previous setup the next time it is turned on, leave out the "iptables-save" line.
Now let's change the policy to DROP.
Type the following:
If you now type:
You will notice it says "Chain INPUT (Policy DROP)," "Chain FORWARD (Policy DROP)" and "Chain OUTPUT (Policy DROP)."
This setup will function the same as the previous one. However, as more rules are added, and it gets more complicated, anything overlooked will be dropped, making the computer more secure.
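The following is an added example and not part of the original page: a small Python helper for checking the two things this section cares about, which chains still accept unmatched packets by default, and whether OUTPUT has an ACCEPT rule before the policy is switched to DROP. It parses the "Chain ... (policy ...)" header lines of "iptables -L" and the ":CHAIN POLICY [packets:bytes]" lines of "iptables-save", and it generates the "iptables -P" commands that set each built-in chain's policy. The two listings embedded below are constructed samples, not output captured from a real machine.

```python
import re

# Constructed sample of `iptables -L` output from before the policy change:
# all three built-in chains still report a default policy of ACCEPT.
LISTING_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample of `iptables-save` output from after the change:
# policies are DROP and OUTPUT carries the accept-everything rule.
SAVE_AFTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -j ACCEPT
COMMIT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# "Chain INPUT (policy ACCEPT)" -- the page quotes it as "Policy", so match
# case-insensitively.
_LIST_HEADER = re.compile(r"^Chain\s+(\S+)\s+\(policy\s+(\w+)", re.IGNORECASE)
# ":INPUT DROP [0:0]" -- user-defined chains show "-" instead of a policy.
_SAVE_HEADER = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[")


def policies_from_listing(text):
    """Map chain name -> default policy, parsed from `iptables -L` output."""
    policies = {}
    for line in text.splitlines():
        m = _LIST_HEADER.match(line)
        if m:
            policies[m.group(1)] = m.group(2).upper()
    return policies


def policies_from_save(text):
    """Map chain name -> default policy, parsed from `iptables-save` output.
    User-defined chains (policy shown as '-') are skipped."""
    policies = {}
    for line in text.splitlines():
        m = _SAVE_HEADER.match(line)
        if m and m.group(2) != "-":
            policies[m.group(1)] = m.group(2)
    return policies


def chains_accepting_by_default(policies):
    """Chains whose unmatched packets are still accepted, sorted by name."""
    return sorted(chain for chain, policy in policies.items() if policy == "ACCEPT")


def output_accepts(save_text):
    """True if OUTPUT has at least one rule jumping to ACCEPT, i.e. the rule
    the page says must exist before the OUTPUT policy is set to DROP."""
    for line in save_text.splitlines():
        if line.startswith("-A OUTPUT ") and "-j ACCEPT" in line:
            return True
    return False


def policy_commands(policy="DROP", chains=BUILTIN_CHAINS):
    """The `iptables -P` commands that set each built-in chain's policy."""
    return ["iptables -P %s %s" % (chain, policy) for chain in chains]


if __name__ == "__main__":
    before = policies_from_listing(LISTING_BEFORE)
    print("still ACCEPT by default:", chains_accepting_by_default(before))
    print("OUTPUT has an ACCEPT rule:", output_accepts(SAVE_AFTER))
    print("\n".join(policy_commands()))
    print("after change:", chains_accepting_by_default(policies_from_save(SAVE_AFTER)))
```

Run it against the real output by piping "iptables -L" or "iptables-save" into the matching parser; if output_accepts() is False, the OUTPUT policy should not be switched to DROP yet, for the reason given above.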
© Copyright Guy Shipard 2008 - 2009