IPTables question.

PowerMacG5

Diamond Member
Apr 14, 2002
I have been using IPTables for a while now, and have a script based off of the IP-MASQUERADE HOWTO from TLDP. I have recently come across a script from http://projectfiles.com/firewall, and tried it out. It makes it easy to configure, but the only gripe I have about it is that the default OUTPUT Policy is ACCEPT. When I try to change it to DROP or REJECT, it does not work. I just lose Internet connectivity. Does anybody know why? And, is there a reason they chose to make the default Policy ACCEPT?
 

mindwarp

Senior member
Feb 8, 2001
Obviously if you change your output policy to DROP or REJECT and do not have appropriate rules to allow the traffic that you require to get through, you will "lose internet connectivity".

If you are going to drop by default you need to explicitly specify which traffic can pass through.
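An added example (not from the thread or the projectfiles.com script) of the explicit allow rules described above: the OUTPUT chain is switched to DROP only after loopback, reply traffic and a short list of outbound services are allowed. The `ipt` wrapper and `DRY_RUN` variable are my own assumptions; with DRY_RUN=1 (the default) the script only prints the commands, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Default-DROP OUTPUT policy that keeps the host usable.  The ipt() wrapper and
# DRY_RUN knob are assumptions for this example: with DRY_RUN=1 (default) the
# commands are printed instead of applied, so the ruleset can be reviewed first.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_output_policy() {
    # Start from ACCEPT and flush so a re-run never locks the box out halfway through.
    ipt -P OUTPUT ACCEPT
    ipt -F OUTPUT

    # 1. Loopback: local resolvers, databases and X talk over lo; without this
    #    rule "everything" breaks even though no packet leaves the machine.
    ipt -A OUTPUT -o lo -j ACCEPT

    # 2. Replies to connections already accepted on INPUT, plus related traffic
    #    (ICMP errors, FTP data).  Older HOWTO-era scripts spell this
    #    "-m state --state ESTABLISHED,RELATED".
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. New outbound connections this host is allowed to start.  DNS is the one
    #    people forget: without it name lookups fail and it looks like the link died.
    for port in 53 80 443 22; do
        ipt -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT   # NTP
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT               # ping out

    # 4. Log what is about to be dropped (rate-limited) so a blocked program can
    #    be identified in the kernel log instead of guessed at.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "

    # 5. Only now flip the policy; everything not matched above is dropped.
    ipt -P OUTPUT DROP
}

apply_output_policy
```

Run with DRY_RUN=0 as root to apply; anything that then stops working shows up in the kernel log under the "OUTPUT DROP:" prefix and gets its own allow rule in step 3.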
 

PowerMacG5

Diamond Member
Apr 14, 2002
Do you think it is necessary for the OUTPUT chain's default policy to be DROP, or can it be ACCEPT while still remaining secure? I want to use this new script, but it's more like a program, with configuration options. It isn't a normal shell script, in the sense that you just have multiple commands on separate lines. It is a program in which you set some parameters, and it will generate a rule for it. Basically, I set a few things, and it works. I like this because I can change allowed ports, networks, and the like in a few seconds, rather than writing a new line of code. So, do you think a network would remain secure while having the default OUTPUT policy set to ACCEPT?
 

FUBAR

Senior member
Oct 11, 1999
As long as you exercise diligence on what you have on your computers, you'll be fine with a default output accept. If your incoming rules ensure you won't get hacked by random ports you may have open, and you watch the services you expose for problems, you're doing as well as you can do.

Setting output to reject would only stop hack attacks coming from your computer(s), well, along with stopping any legitimate traffic from leaving as well.
 

gaidin123

Senior member
May 5, 2000
It honestly depends on what kind of network you have behind the firewall. If this is a home network I'd probably set the default policy to accept. If this is protecting a locked down corporate network with a lot of sensitive information I'd definitely set the default policy to deny.

Normally with a firewall you want to reject everything and make exceptions to allow traffic rather than the other way around. But a normal firewall protects people outside from getting in...

Gaidin