Re: Notes about your routing


vapor, you are on the right track. I will strongly disagree with others who say the default should not be DENY. It will be the LAST rule in the chain and thus should be DENY.

But, when you set your tables up you may want to do it like so:

# Flush all the previous rules

/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT

# Disable all routing until rules are in place
# (iptables spells the deny policy DROP; DENY was the ipchains name and iptables rejects it)

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Now, add the FORWARD rules
# (-I inserts at the head of the chain, which gives the ordering described below; -A would append at the end)

/sbin/iptables -I FORWARD … becomes rule 2
/sbin/iptables -I FORWARD … becomes rule 1

# NOTE: each time you add a rule, it becomes the first one in the chain, so the DENY rule is indeed the default rule (3)

# Lastly, allow the INPUT and OUTPUT traffic

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

This is certainly not a complete or exhaustive description; you may want to look at:
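As an added example (not the original poster's script), here is the same flush/policy/rules sequence written as a POSIX sh script. It differs from the post in three points: iptables spells the deny policy DROP (DENY is the ipchains target and iptables rejects it); -A appends to the end of a chain while -I inserts at the head, so with -A the rules are evaluated in the order they are written; and the policies are set to DROP before the flush, so there is no window in which the empty FORWARD chain passes traffic. Interface names, the LAN subnet and the /sbin/iptables path are constructed assumptions. With DRY_RUN=1 (the default) the script only prints the commands, so the ordering can be reviewed without root, and order_is_safe checks that every chain's DROP policy is set before its first rule.

```shell
#!/bin/sh
# Added example, not the original poster's script. Constructed assumptions:
# WAN on eth0, LAN on eth1 with 192.168.1.0/24, iptables at /sbin/iptables.
# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0 applies them.

IPT=${IPT:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Build the ruleset in a fail-closed order: policies go to DROP before the
# chains are flushed, so no traffic is forwarded while the chains are empty.
firewall_rules() {
    # 1. Fail closed first. iptables names the deny policy DROP.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # 2. Now flush; the chains are empty but the DROP policy still holds.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT

    # 3. FORWARD rules. -A appends, so they are evaluated in the order written;
    #    the DROP policy applies only to packets that match none of them.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # 4. Host traffic: keep the DROP policy and accept only what is needed,
    #    instead of flipping INPUT/OUTPUT back to ACCEPT.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Check the generated list: every "-P <chain> DROP" must precede the first
# "-A <chain>" rule for that chain. Exit status 0 means the order is safe.
order_is_safe() {
    firewall_rules | awk '
        $2 == "-P" && $4 == "DROP" { dropped[$3] = 1 }
        $2 == "-A" && !dropped[$3] { bad = 1 }
        END { exit bad }'
}

firewall_rules
order_is_safe && echo "rule order: policy set before rules in every chain"
```

Run it as-is to review the command list; once the output looks right, DRY_RUN=0 sh firewall.sh applies it. The LOG rule at the end of FORWARD records what the policy would otherwise drop silently, which is the first thing you want in the logs when a host on the LAN reports "the firewall is blocking me".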