[CentOS] IPTables help

Fri May 23 16:25:36 UTC 2008
Joseph L. Casale <JCasale at activenetwerx.com>

Fajar,
I really appreciate all the detailed help here! I have some questions.

>Hi JLC,
>There are 2 ways to implement a firewall: negative list and positive list. Looks like you want a very strict one that is a positive list.
>
>Assuming eth0 is WAN, and eth1 is LAN (assuming 192.168.0.0/24)(please mind the word wrap):
>#Clear all rules and policies first:
>iptables -P INPUT ACCEPT
>iptables -P OUTPUT ACCEPT
>iptables -P FORWARD ACCEPT
>iptables -F
>iptables -t nat -F

I misunderstand this: if the default policy is to accept, then how does this
work (I thought it was wise to make it Drop)? In terms of Cisco ACLs, how does
iptables work? Does it simply continue processing until it sees something explicitly
denying if the default policy is ACCEPT, and with DROP, will it continue processing until
it sees something explicitly allowing?

>#Finally dropping all other traffic (positive list firewall):
>iptables -P INPUT DROP
>iptables -P OUTPUT DROP
>iptables -P FORWARD DROP

So here you now restate the default policy? I thought you could only define this once?

>If for some reason you want to clear the iptables, run this command:
>iptables -P INPUT ACCEPT
>iptables -P OUTPUT ACCEPT
>iptables -P FORWARD ACCEPT
>iptables -F

Does this -F not reset the above stated policy?

>iptables -t nat -F
>service iptables save


Thanks so much!
jlc
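The questions in this message (first-match processing, the default policy as fallback, and whether -F resets -P) can be illustrated with a small model of a single iptables chain. This is an added example, not code from the thread; it is a toy model of the evaluation order, not real netfilter, and the interfaces and ports it uses (eth1 as LAN, port 22) are constructed for the demonstration.

```python
# Toy model of one iptables chain (added example, not from the thread).
# Rules are checked in order and the first match decides, like a Cisco ACL.
# If no rule matches, the chain's default policy (-P) is the verdict.
# -F flushes the rules but leaves the policy untouched.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Rule:
    match: Callable[[Dict], bool]   # predicate over constructed packet fields
    target: str                     # "ACCEPT" or "DROP"


@dataclass
class Chain:
    policy: str = "ACCEPT"          # set with: iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, match, target):    # iptables -A <chain> ... -j <target>
        self.rules.append(Rule(match, target))

    def set_policy(self, policy):       # -P may be issued any number of times;
        self.policy = policy            # each call simply replaces the policy

    def flush(self):                    # iptables -F: rules go, policy stays
        self.rules.clear()

    def verdict(self, pkt):
        for rule in self.rules:         # first matching rule wins; the rest are skipped
            if rule.match(pkt):
                return rule.target
        return self.policy              # nothing matched: default policy applies


def build_positive_list_input():
    """INPUT chain in the style of the quoted script: load rules while the
    policy is still ACCEPT, then switch the policy to DROP at the end."""
    chain = Chain(policy="ACCEPT")
    chain.append(lambda p: p["iface"] == "lo", "ACCEPT")
    chain.append(lambda p: p["state"] == "ESTABLISHED", "ACCEPT")
    chain.append(lambda p: p["iface"] == "eth1" and p["dport"] == 22, "ACCEPT")
    chain.set_policy("DROP")            # restating -P later just replaces it
    return chain


def flush_keeps_policy():
    """Show why the quoted reset sets -P ACCEPT before -F: flushing alone
    leaves the DROP policy in place, so every packet is then dropped."""
    chain = build_positive_list_input()
    chain.flush()
    lan_ssh = {"iface": "eth1", "state": "NEW", "dport": 22}
    return chain.policy == "DROP" and chain.verdict(lan_ssh) == "DROP"
```

Flushing a chain whose policy is DROP without first resetting the policy to ACCEPT is how a remote admin locks themselves out, which is why the quoted sequence issues the -P ACCEPT lines before -F.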