I started reading this book
http://www.amazon.com/gp/product/0321194438/sr=8-6/qid=1153240615/ref=sr_1_6/002-0766688-0380035?ie=UTF8
and in the firewall chapter the author gives you a sample iptables script to start with for a firewall; it's something like this:
#! /bin/bash
#flush any existing rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
#drop all traffic
iptables -P FORWARD DROP
iptables -A INPUT DROP
#accept fragmented packets
iptables -A FORWARD -f -j ACCEPT
#accept http traffic from pre-existing connections
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 --dport 80 --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.0/24 --sport 80 --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
#allow outgoing http connections
iptables -A FORWARD -m multiport -p tcp -i eth0 -d 0.0.0.0 --dport 80 --syn -j ACCEPT
#allow incoming udp for dns resolution and allow outbound connections
iptables -A FORWARD -m multiport -p udp -i eth0 -d 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -d 0.0.0.0 --dport 53 -j ACCEPT
iptables -A FORWARD -m multiport -p udp -i eth0 -d 0.0.0.0 --sport 53 -j ACCEPT
Does this seem correct to anyone? All other info I've read suggests putting your deny rules at the end or else nothing will get through. I realize iptables is a complex tool and things can be accomplished in different ways, but is this just totally wrong or what?
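For comparison, here is an added example of how the same forwarding firewall is usually laid out with modern iptables; it is not the book's script and not the poster's. It shows the distinction the question turns on: a chain policy set with `-P` is not a rule, it is only consulted after no rule in the chain matched, so setting `-P FORWARD DROP` at the top is fine, whereas an appended `-A ... -j DROP` rule must come last or it shadows every ACCEPT after it. It assumes eth0 is the LAN side, eth1 is the upstream side, and 192.168.0.0/24 is the LAN; set `IPT=echo` to print the commands instead of applying them.

```shell
#!/bin/bash
# Added example, not the book's script. Assumed names: LAN_IF, WAN_IF, LAN_NET.
# Set IPT=echo to dry-run (print the iptables commands instead of running them).
IPT="${IPT:-iptables}"
LAN_IF="eth0"              # assumed LAN-facing interface
WAN_IF="eth1"              # assumed upstream (Internet-facing) interface
LAN_NET="192.168.0.0/24"   # LAN network from the original script

firewall_rules() {
    # Flush existing rules, then set chain POLICIES. A policy is not a rule:
    # it applies only to packets that matched nothing in the chain, so setting
    # DROP here first does not shadow the ACCEPT rules appended below.
    $IPT -F INPUT; $IPT -F OUTPUT; $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic to the firewall host itself: loopback and replies to its own connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Forwarded replies for connections the firewall already tracks, both directions.
    # This replaces the --tcp-flags SYN,ACK SYN,ACK match, which only matches the
    # second packet of the handshake and never the data packets that follow it.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New outbound HTTP and DNS from the LAN. Omitting -d means "any destination";
    # -d 0.0.0.0 (as in the original) matches only that literal address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 80 --syn -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Explicit catch-all LAST: log (rate-limited) what is about to be dropped, then drop.
    # Appended first, this DROP rule would match every packet before any ACCEPT rule ran.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A FORWARD -j DROP
}

# Check on the dry-run output that every appended ACCEPT rule precedes the first
# appended DROP rule, i.e. the deny rule really is at the end of the chain.
rule_order_ok() {
    out="$(IPT=echo; firewall_rules)"
    last_accept=$(printf '%s\n' "$out" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$out" | grep -n -- '-A .* -j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_drop" ] && [ "$last_accept" -lt "$first_drop" ]
}

# Dry run by default so the script is safe to read through; run firewall_rules
# as root with IPT unset (or IPT=iptables) to actually load the rules.
(IPT=echo; firewall_rules)
```

Run it once with `IPT=echo` and read the printed rule order before loading it for real; `rule_order_ok` automates that check and returns non-zero if a DROP rule ever ends up ahead of an ACCEPT rule.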