Re: [bitfolk] ip6tables


Author: Andy Parkins
Date:
To: users
Subject: Re: [bitfolk] ip6tables
On 2010 July 12 Monday, Martin Halford wrote:

> I decided on firewalling and it doesn't seem to have had any adverse
> effects!
>
> ip6tables -vL
>
> Chain INPUT (policy ACCEPT 88 packets, 8659 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     6   576 DROP       all      any    any     anywhere             anywhere


There's nothing wrong with what you've done -- and in the absence of other
rules it is functionally the same as what I am about to say, but a better
practice is to set the policy of each chain to "DROP" (at least for the INPUT and
FORWARD chains) and then explicitly set what you will ACCEPT (this is true for
IPv4 and IPv6).

# flush any existing rules, then delete any user-defined chains
# (ip6tables takes one command per invocation, so -F and -X cannot be combined)
ip6tables -F
ip6tables -X
# set policy: with no ACCEPT rules yet, this drops all inbound traffic,
# including the SSH session you may be typing this from
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Since the DROP isn't implemented with a rule, you don't have to worry about
inserting your ACCEPT rules before it, you can simply append and the policy
will take care of the DROP. For example:

ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

This saves you the trouble of working out what number you should be passing to
a '-I' command.



Andy

-- 
Dr Andy Parkins
andyparkins@???
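As an added example, not part of Andy's message or anything else in this thread, here is a complete single-host IPv6 ruleset built the way he describes (policy DROP, explicit ACCEPTs appended). It adds two things a practitioner reaches for on a remote VPS: the ordering that keeps the current SSH session alive while the rules are rebuilt, and the ICMPv6 types without which IPv6 does not work at all. It assumes the legacy ip6tables command with the conntrack match and an SSH daemon on port 22; the APPLY variable and the ip6_rules function are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original message.
# Default-deny IPv6 host firewall, applied in an order that cannot lock
# out the SSH session it is run from. Dry run by default (prints the
# commands); run as root with APPLY=1 to execute them.
set -eu

SSH_PORT="${SSH_PORT:-22}"

if [ "${APPLY:-0}" = 1 ]; then
    IP6T=ip6tables
else
    IP6T="echo ip6tables"
fi

ip6_rules() {
    # 1. Open the policies before flushing: flushing with policy DROP
    #    would cut off the session running this script.
    $IP6T -P INPUT ACCEPT
    $IP6T -P FORWARD ACCEPT
    $IP6T -P OUTPUT ACCEPT
    # One command per invocation: ip6tables rejects -F and -X together.
    $IP6T -F
    $IP6T -X

    # 2. Loopback, replies to our own traffic, and nothing malformed.
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. ICMPv6 is mandatory on IPv6. Neighbour Discovery (133-136) is
    #    how the host finds its gateway and neighbours; Packet Too Big (2)
    #    is how path MTU discovery works, since routers never fragment.
    #    Redirect (137) is deliberately left out.
    for t in 1 2 3 4 128 133 134 135 136; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # 4. Services we offer. Appended, as in the message: the chain policy
    #    supplies the DROP, so no -I position needs working out.
    $IP6T -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 5. Only now, with the ACCEPTs in place, flip the policies to DROP.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
}

ip6_rules
```

Run it once without APPLY to read the generated command list, then `APPLY=1 sh ip6rules.sh` as root. Setting the policies to ACCEPT in step 1 opens a short window with no filtering while the rules are rebuilt; if that matters, run the script from the console rather than over the network and drop step 1. Check the result with `ip6tables -vnL` and confirm from another host that the SSH port still answers and that `ping6` to the box gets a reply.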