-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On (24/02/05 16:49), Sean O Sullivan didst pronounce:
> I have very little experience with iptables, and from what I can tell
> the following *should* work ( in the way I want it to :) )
> If any of you have suggestions/improvements please do tell.
<snip rest of script>
> #Block Rest of traffic
> iptables -A OUTPUT -i eth1 -j REJECT
Instead of doing something like this as the last rule, I'd use
iptables -P OUTPUT REJECT at the top of the script. It sets the policy
of the OUTPUT chain to REJECT. It's just easier for any updates you need
to make in future -- it removes the chance of a previous REJECT rule
blocking a following ACCEPT rule. Eg. if you needed access to a port
other than SSH and HTTP on the INPUT chain, and you added
iptables -A INPUT -p tcp -s 0/0 -i eth1 --dport 23 -j ACCEPT
at the end of your script (or anywhere after the REJECT rule for INPUT)
then it wouldn't work, and you could be left pulling your hair out over
something simple.
This is particularly useful if the ruleset is large to begin with, or
will possibly get larger in future.
- --
Chat ya later,
John.
- --
BOFH excuse #1: clock speed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCHgy6QBw+ZtKOvTIRAoxrAJ9Wzc74xzYvGSmqRJfBg1HkwpN5bACfZrff
thHjh8xPO0UjYLh8kcQobeE=
=lQQG
-----END PGP SIGNATURE-----
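The rule-ordering problem discussed in the reply, as an added example that is not code from the thread or from either poster: a small POSIX sh/awk linter run over two constructed iptables-save style rulesets, one with a catch-all REJECT as the last INPUT rule followed by a later ACCEPT (the "pulling your hair out" case), and one using a default-deny chain policy with ACCEPT rules only. The linter reports any rule that can never be reached because an earlier catch-all REJECT/DROP in the same chain already ended evaluation. It also flags chain policies other than ACCEPT or DROP, because `iptables -P` on a built-in chain accepts only those two (REJECT is an extension target and cannot be a policy), which is why the default-deny layout below uses DROP; its OUTPUT rules match with `-o`, since `-i` applies only to incoming packets. All interface names, ports and rules are constructed.

```shell
#!/bin/sh
# Lint an iptables-save style ruleset for rules that can never match because an
# earlier catch-all REJECT/DROP rule in the same chain already ended evaluation.
# Also flags chain policies that iptables-restore would refuse.

# Constructed dump of the "REJECT as the last rule" layout from the thread,
# with a later ACCEPT appended after the REJECT.
SHADOW_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j REJECT
-A INPUT -i eth1 -p tcp --dport 23 -j ACCEPT
COMMIT'

# Constructed dump of the policy-based layout: default deny on every chain,
# then ACCEPT rules only, so a new ACCEPT can be appended anywhere. With a
# default-deny OUTPUT policy the reply traffic must be allowed explicitly.
POLICY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 23 -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
COMMIT'

# lint_rules: read a ruleset on stdin, print one finding per line.
lint_rules() {
    awk '
    # Chain policy lines look like ":INPUT DROP [0:0]".
    /^:/ {
        if ($2 != "ACCEPT" && $2 != "DROP")
            print "BAD-POLICY: " $0 " (built-in chain policy must be ACCEPT or DROP)"
        next
    }
    /^-A / {
        chain = $2; iface = ""; target = ""; specific = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" || $i == "-o") { iface = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); break }  # rest are target options
            else specific = 1   # any other match (-p, -s, -d, --dport, -m, "!") narrows the rule
        }
        # A later rule on the same interface (or with no interface match) can
        # never be reached once a catch-all terminal rule precedes it.
        if (chain in catchall && (iface == "" || catchall[chain] == "" || iface == catchall[chain]))
            print "SHADOWED: " $0 " (never reached, after: " catchrule[chain] ")"
        # Remember a catch-all: no match other than an interface, terminal target.
        if (!specific && (target == "REJECT" || target == "DROP")) {
            catchall[chain] = iface; catchrule[chain] = $0
        }
    }'
}

# count_findings: number of lint findings for the ruleset text given as $1.
count_findings() {
    printf '%s\n' "$1" | lint_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SHADOW_RULES" | lint_rules
echo "findings in REJECT-last layout: $(count_findings "$SHADOW_RULES")"
echo "findings in policy layout:      $(count_findings "$POLICY_RULES")"
```

On a live box the same check runs as `iptables-save | sh -c '. ./lint.sh; lint_rules'` (or simply piping `iptables-save` into `lint_rules`), which is a cheap thing to do after every ruleset change. The linter is deliberately conservative: a rule with any match beyond an interface is not treated as a catch-all, so negated interfaces and address-limited REJECTs never produce false "shadowed" reports.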