Re: [bitfolk] ip6tables

From: Martin Halford
Date:
To: users
Subject: Re: [bitfolk] ip6tables
On 12/07/10 13:50, Andy Parkins wrote:
> There's nothing wrong with what you've done -- and in the absence of other
> rules is functionally the same as what I am about to say, but a better
> practice is to set the policy of each chain to "DROP" (at least for INPUT and
> FORWARD chains) and then explicitly set what you will ACCEPT (this is true for
> ip4 and ip6).
>
> # flush any existing rules
> # (ip6tables accepts one command per invocation, so flush and delete separately)
> ip6tables -F
> ip6tables -X
> # set policy
> ip6tables -P INPUT DROP
> ip6tables -P FORWARD DROP
>
> ip6tables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Since the DROP isn't implemented with a rule, you don't have to worry about
> inserting your ACCEPT rules before it, you can simply append and the policy
> will take care of the DROP. For example:
>
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> This saves you the trouble of working out what number you should be passing to
> a '-I' command.
>
>

Andy,

Thank you - I'll change both my iptables and ip6tables rules as you
recommend above. This was how I had it set up on my previous VPS, but I
went to a different guide this time.

Martin
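The default-DROP approach Andy describes, worked through as a complete ruleset in ip6tables-restore format. This is an added example, not code from either poster: the policies are set on the chain lines up front, the ACCEPT rules are simply appended, and it also accepts ICMPv6, which IPv6 relies on for neighbour discovery, router advertisements and path MTU discovery (a bare DROP policy without that rule cuts the host off). It assumes SSH on TCP 22, no forwarding, and possibly DHCPv6-assigned addresses; none of that comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. A default-DROP ip6tables ruleset in
# ip6tables-restore format: chain policies are set up front, service rules are
# appended in any order, and anything unmatched falls through to DROP.
# Assumptions (not from the thread): SSH listens on TCP 22, this host does no
# forwarding, and addresses may come from DHCPv6.

# Print the ruleset to stdout; extra TCP ports to allow are given as arguments.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# return traffic for connections this host opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery, router advertisements and path MTU
# discovery; a DROP policy without this rule breaks IPv6 connectivity outright
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 server -> client replies (drop this line if addressing is static)
-A INPUT -p udp --dport 546 -j ACCEPT
# explicit services, appended; the chain policy handles the rest
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done
    printf 'COMMIT\n'
}

# Read "ip6tables -S" output on stdin and print the named chain's policy,
# to check the result after applying:  ip6tables -S | chain_policy INPUT
chain_policy() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# Apply only when explicitly asked, so sourcing this file changes nothing:
#   sh ip6fw.sh apply 80 443
# ip6tables-restore replaces the table's chains and policies in one step,
# so no separate -F / -X pass is needed; "ip6tables-restore --test" parses
# the ruleset without committing it.
if [ "${1:-}" = "apply" ]; then
    shift
    gen_ruleset "$@" | ip6tables-restore
    ip6tables -S | chain_policy INPUT
fi
```

Before applying on a remote VPS, keep the existing SSH session open and test from a second one; if the new ruleset locks you out, the first session's established connection is still accepted by the ESTABLISHED,RELATED rule and can be used to back out.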