As Doug says, the rule
Code:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
must come at the end of all INPUT statements. Order matters greatly in iptables. Also, if you want to block forwarding, there are other options. This uses an iptables "policy":
Code:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
I don't see much reason to control the OUTPUT chain, so I just use ACCEPT. I'm actually unclear on why you have those OUTPUT directives at all.
By default, packet forwarding across interfaces is disabled in Ubuntu, so the FORWARD policy is redundant. For details, read the discussion in the file /etc/sysctl.conf concerning the "net.ipv4.ip_forward=1" directive.
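The ordering point above is easy to get wrong when rules are appended by hand over time, so here is a small lint script, added as an example and not part of the original post. It writes the rule set quoted above in iptables-restore format (the chain policies become the `:CHAIN POLICY` header lines) and then checks two things before anything is loaded: that the unconditional REJECT is the last INPUT rule, and whether the kernel has IP forwarding switched on. The file paths, the function names and the optional argument to `forwarding_enabled` are this example's own; the ports 22, 80 and 5000 are the ones from the post.

```shell
#!/bin/sh
# Added example: build the posted INPUT rule set as an iptables-restore file and
# lint its ordering offline. Nothing here touches the live firewall; the load
# step at the bottom is commented out and needs root.

# Write the rule set from the post to the file named in $1.
# ":INPUT ACCEPT", ":FORWARD DROP" and ":OUTPUT ACCEPT" are the chain policies
# (the -P lines in the post); "[0:0]" are packet/byte counters, reset on load.
write_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Return 0 when the catch-all "-A INPUT -j REJECT" is the final INPUT rule in
# the file $1, 1 otherwise. iptables evaluates rules top to bottom and stops at
# the first terminating match, so any INPUT rule after the REJECT is dead.
reject_is_last() {
  last=$(grep '^-A INPUT ' "$1" | tail -n 1)
  case "$last" in
    "-A INPUT -j REJECT"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every INPUT rule that appears after the catch-all REJECT in file $1
# (these can never match); prints nothing when the order is correct.
dead_rules() {
  awk '/^-A INPUT -j REJECT/ { seen = 1; next }
       seen && /^-A INPUT /  { print }' "$1"
}

# Return 0 if IPv4 forwarding is enabled, 1 if not. $1 overrides the sysctl
# file (assumed path for testing); the default is the live kernel setting.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Usage sketch (not run automatically):
#   write_rules /tmp/rules.v4
#   reject_is_last /tmp/rules.v4 || { dead_rules /tmp/rules.v4; exit 1; }
#   forwarding_enabled && echo "forwarding is on, the FORWARD policy matters"
#   sudo iptables-restore < /tmp/rules.v4
```

Two practical notes. First, `reject_is_last` only catches rules appended after the REJECT; a rule inserted with `-I` lands at the top of the chain and bypasses the check, which is one reason to keep the whole set in a file loaded with iptables-restore rather than editing the live chain. Second, the `--sport 123` rule accepts any UDP datagram whose source port happens to be 123, not just NTP replies; since the RELATED,ESTABLISHED rule already admits replies to the host's own NTP queries, that line is worth reconsidering.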