Thread: iptables.rules check

  1. #1

    iptables.rules check

    Hi, I wonder if one of the knowledgeable bods could just check my iptables.rules file to confirm that this would not lock me out completely if I flushed iptables?

    Code:
    # Generated by iptables-save v1.3.8 on Wed Jun 30 09:27:01 2010
    *mangle
    :PREROUTING ACCEPT [693580:80935179]
    :INPUT ACCEPT [693534:80929158]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [600675:160083835]
    :POSTROUTING ACCEPT [600675:160083835]
    COMMIT
    # Completed on Wed Jun 30 09:27:01 2010
    # Generated by iptables-save v1.3.8 on Wed Jun 30 09:27:01 2010
    *nat
    :PREROUTING ACCEPT [109155:11254124]
    :POSTROUTING ACCEPT [2862:209097]
    :OUTPUT ACCEPT [2862:209097]
    COMMIT
    # Completed on Wed Jun 30 09:27:01 2010
    # Generated by iptables-save v1.3.8 on Wed Jun 30 09:27:01 2010
    *filter
    :INPUT ACCEPT [104497:11005055]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [600677:160084088]
    -A INPUT -i tun0 -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT 
    -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT 
    -A INPUT -i eth0 -m state --state RELATED -j ACCEPT
    -A INPUT -i eth0 -j DROP 
    COMMIT
    # Completed on Wed Jun 30 09:27:01 2010
    I edited it manually to change the Default Input rule to ACCEPT and add the -A INPUT -i eth0 -j DROP rule to drop all traffic that does not match the rules above it.

    Is that correct?
    Can't think of anything profound or witty.
    My Blog: http://gonzothegeek.blogspot.co.uk/

  2. #2

    Re: iptables.rules check

    As long as the default policy isn't set to DROP, you will be ok if/when you flush the rules.

    If you are connecting via SSH, don't forget to add an exception to allow that.

    Also, it helps to use iptables-apply since it's made for applying rules remotely.
    Last edited by CharlesA; June 30th, 2010 at 09:47 AM.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
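Added example, not part of either post above: an offline reviewer for an iptables-save dump, so the "would this lock me out" question can be answered by reading the file rather than by applying it to a remote box. The `rules` function is a constructed copy of the filter table posted in #1 (the mangle and nat tables are omitted because they carry no rules). `chain_policy` prints what a chain falls back to after `iptables -F`, which is the point made in #2, and `input_verdict` walks the INPUT chain in order for one packet and prints the first matching target; it only models the matches this dump uses (`-i`, `-p`, `--dport`, `--state`), which is an assumption, not a general iptables emulator.

```shell
#!/bin/sh
# Added example: offline sanity checks on an iptables-save dump.
# rules() is a constructed copy of the filter table posted in the thread.

rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [104497:11005055]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [600677:160084088]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
EOF
}

# Built-in policy of a filter chain: the verdict every packet gets once the
# chain has been flushed with "iptables -F", or when no rule matched.
chain_policy() {
    rules | awk -v chain=":$1" '$1 == chain { print $2 }'
}

# Walk the INPUT chain in order for one packet and print the first matching
# target, or the chain policy when nothing matches. Only the matches used
# in this dump are modelled: -i, -p, --dport and --state (comma lists).
# Arguments: interface protocol dport conntrack-state (NEW, ESTABLISHED, ...)
input_verdict() {
    rules | awk -v iface="$1" -v proto="$2" -v dport="$3" -v state="$4" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            ri = ""; rp = ""; rd = ""; rs = ""; target = ""
            for (k = 1; k <= NF; k++) {
                if      ($k == "-i")      ri = $(k + 1)
                else if ($k == "-p")      rp = $(k + 1)
                else if ($k == "--dport") rd = $(k + 1)
                else if ($k == "--state") rs = $(k + 1)
                else if ($k == "-j")      target = $(k + 1)
            }
            if (ri != "" && ri != iface) next
            if (rp != "" && rp != proto) next
            if (rd != "" && rd != dport) next
            if (rs != "" && index("," rs ",", "," state ",") == 0) next
            matched = 1; print target; exit
        }
        END { if (!matched) print policy }'
}

# Succeeds only when flushing the filter table cannot cut any chain off,
# i.e. every built-in chain has policy ACCEPT.
flush_is_safe() {
    for c in INPUT OUTPUT FORWARD; do
        [ "$(chain_policy "$c")" = ACCEPT ] || return 1
    done
    return 0
}

# Usage: the checks a reviewer wants before the file goes onto a remote host.
if flush_is_safe; then
    echo "flush is safe: all filter policies are ACCEPT"
else
    echo "WARNING: a filter chain has policy DROP; flushing would lock you out"
fi
for pkt in "eth0 tcp 22 NEW" "tun0 tcp 22 NEW" "eth0 tcp 443 NEW" \
           "eth0 tcp 22 ESTABLISHED" "eth1 tcp 22 NEW"; do
    # shellcheck disable=SC2086  (word splitting is intended here)
    echo "$pkt -> $(input_verdict $pkt)"
done
```

Two things the walk makes visible that the file alone does not: new SSH on eth0 is dropped while the same connection over tun0 is accepted, which is the behaviour #3 asks for; and because every rule is scoped to eth0, a packet arriving on any other interface (the loop tries eth1) falls through to the ACCEPT policy, so adding a second NIC or a wireless card later silently opens the host unless the rules are widened.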

  3. #3

    Re: iptables.rules check

    Hi CharlesA,

    Thanks for that. All SSH is done through the VPN tunnel and so I purposely want to deny SSH from the public interface.

    If I save this rules file and create a script as said in the IPTables How-To, does it matter if it is applied before, say, the VPN tun0 adaptor comes up? Otherwise I'd have to run the script once the VPN tunnel is up and not before, but I am not sure if I can do this using the /etc/network/if-pre-up.d script method, or have to use the network interfaces method and add the script call to the tun0 interface rather than the eth0 interface.

    Thanks for your help so far.

  4. #4

    Re: iptables.rules check

    I don't know about that.

    This is what my interfaces file looks like, not sure if it helps you or not.

    Code:
    # The primary network interface
    auto eth0
    iface eth0 inet static
            address 192.168.1.2
            netmask 255.255.255.0
            network 192.168.1.0
            broadcast 192.168.1.255
            gateway 192.168.1.1
            dns-nameservers 192.168.1.1
            dns-search asgard.lcl
            post-up iptables-restore < /etc/iptables.up.rules
            # dns-* options are implemented by the resolvconf package, if installed
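Added example covering the question in #3 and the interfaces method shown in #4; it is not code from either poster. The ordering worry in #3 does not arise: `-i tun0` in an iptables rule is a plain interface-name match, and iptables-restore loads such rules whether or not tun0 exists yet, so the file can go in before the VPN comes up. That leaves the choice of hook. The `post-up` line in #4 works but runs after eth0 already has its address, so there is a brief window with an unfiltered interface; an if-pre-up.d script runs before the interface is configured and closes it. The script below assumes the install path `/etc/network/if-pre-up.d/iptables` and the rules location `/etc/iptables.rules` (both assumptions), and relies on ifupdown exporting `IFACE` to every hook it runs. A tun0 that the VPN daemon creates itself is not brought up through ifup, so this hook never sees it, which is fine given the point above.

```shell
#!/bin/sh
# Added example: ifupdown hook that loads the saved rules before eth0 is
# configured. Assumed install path: /etc/network/if-pre-up.d/iptables
# (executable, no file extension). ifupdown exports IFACE to every hook.

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}   # assumed location

# Restore only when the physical interface is being brought up. Hooks run
# once per interface, so this avoids reloading for lo. The "-i tun0" rules
# in the file are name matches and load fine before tun0 exists.
should_restore() {
    case "$1" in
        eth0) return 0 ;;
        *)    return 1 ;;
    esac
}

# iptables-restore replaces the whole ruleset in one step, unlike a script
# of individual iptables commands that can stop half way through.
# Refuse to run with a missing file rather than leave a half-configured host.
restore_rules() {
    if [ ! -r "$RULES_FILE" ]; then
        echo "iptables hook: $RULES_FILE missing, leaving rules untouched" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

if should_restore "${IFACE:-}"; then
    restore_rules
fi
```

If the interfaces-file method from #4 is preferred instead, the same effect is had by changing its `post-up` line to `pre-up iptables-restore < /etc/iptables.up.rules` on the eth0 stanza; the tun0 stanza is not needed for either approach.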

  5. #5

    Re: iptables.rules check

    Ok, thanks. I'll try it in the interfaces file and see what happens.

    Thanks for the help.
