OPS235 Lab 7 - CentOS7 - HD2

No change in size, 17:44, 24 October 2016
no edit summary
Usually when setting policy rules with iptables, a general "overall" policy is set first (the default policy of a chain). A good way to think about a default policy is as a safety net: it takes some action on every packet that no specific rule handled, so that unhandled packets do not pass through the firewall by mistake. After the default policy is set up, specific exceptions to it can be added to control particular kinds of network traffic.
An example would be to set the default policy for incoming network traffic (the INPUT chain) to DROP everything, and then add certain exceptions (such as ssh connections). See the table below for policy setting examples.<br><br>
:'''Policy Setting Examples:'''<br>
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr><td width="30%">'''iptables -P INPUT DROP'''</td><td>Drops all incoming packets regardless of protocol (e.g. tcp, udp, icmp), port number (e.g. 22, 80), or source or destination IP address. Setting the default rule to DROP all incoming traffic makes it easy to specify a few exceptions.</td></tr>
<tr><td>'''iptables -P INPUT ACCEPT'''</td><td>Accepts all incoming packets regardless of protocol (e.g. tcp, udp, icmp), port number (e.g. 22, 80), or source or destination IP address. Setting the default rule to ACCEPT all incoming traffic would require A LOT of exceptions to "lock down" the server for protection! It really depends on the server set-up and what the Linux system administrator wants to accomplish.</td></tr>
</table><br><br>
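The DROP-by-default approach from the table, as an added example that is not part of the lab page: a small POSIX shell script that adds the exceptions (loopback, replies to established connections, ssh) and only then switches the INPUT policy to DROP. That ordering matters when the commands are typed over an ssh session: with the policy already at DROP and no ESTABLISHED rule, the session's own packets are dropped and the administrator is locked out. The `iptables` path, the ssh port and the `DRY_RUN` switch are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the OPS235 lab): a lock-out-safe "safety net" INPUT policy.
# Exceptions are appended BEFORE the default policy is flipped to DROP, so an admin
# working over ssh keeps their session. Set DRY_RUN=1 to print the commands instead
# of applying them; applying for real requires root on a Linux host.
IPT="${IPT:-iptables}"          # assumption: iptables binary is in PATH
SSH_PORT="${SSH_PORT:-22}"      # assumption: sshd listens on port 22

# Runs a command, or prints it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Applies (or, in dry-run mode, lists) the rules in lock-out-safe order.
apply_input_policy() {
    # 1. Exceptions first: loopback, replies to traffic we initiated, new ssh sessions.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # 2. Only now the safety net: anything not matched above is dropped.
    run "$IPT" -P INPUT DROP
}

# Checks the order without touching the kernel: returns the 1-based position of the
# first dry-run command whose text contains $1.
rule_position() {
    (DRY_RUN=1; apply_input_policy) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Run `DRY_RUN=1 sh -c '. ./input-policy.sh; apply_input_policy'` to review the exact commands before applying them as root; rerunning the script appends duplicate rules, so flush the chain first if you repeat it.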
:'''Perform the following steps:'''