Is it useful to set the policies to DROP for all tables in Iptables?

I use iptables to secure my server. The default policies for all chains in the filter table have been set to DROP:

# iptables -t filter -L | grep -i '(policy'
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)

I wonder if it is useful to also set the policies to DROP for the mangle, raw and security tables (not the nat table, because it does not work) in order to make the server more secure, and of course to duplicate the access rules for each table set to DROP.

Tags: security, iptables, hardening
asked Dec 13 at 22:06 by Zetam
Drop is not better than reject, and if you use either you can lock yourself out if you flush the tables. I just use accept and the last rule is reject. See chiark.greenend.org.uk/~peterb/network/drop-vs-reject .
– Panther, Dec 14 at 4:59
1 Answer
No, you shouldn't set the policies on the other tables to DROP; these tables are not meant to filter.
You may want to try it on a local machine, where you have local access even if you block the network.
answered Dec 13 at 22:45 by RalfFriedl
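As an added example (not code from the question, the answer or the comment): a shell script that follows the answer, putting a DROP policy on the filter table only, while avoiding the lock-out Panther's comment warns about by setting the policies to ACCEPT before flushing and to DROP only after the allow rules are in place. The SSH port, the loopback interface and the conntrack rules are assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them, so it runs without root.

```shell
#!/bin/sh
# Added example: default-DROP on the filter table without locking yourself out.
# mangle, raw and security are left at their default ACCEPT policy because
# they are not filtering tables (nat is not touched either).
# DRY_RUN=1 prints the iptables commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: management access is SSH on port 22

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_filter_policy() {
    # 1. Open the filter table before flushing. With DROP already in place a
    #    flush would remove every ACCEPT rule and cut off the current session.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -t filter -P "$chain" ACCEPT
    done
    ipt -t filter -F
    ipt -t filter -X

    # 2. Allow what the host legitimately needs (assumed rule set).
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t filter -A OUTPUT -o lo -j ACCEPT
    ipt -t filter -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Only now switch the filter table chains to default DROP.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -t filter -P "$chain" DROP
    done
}

# Audit helper (dry-run only): which tables end up with a DROP policy.
# Expected result for this script: just "filter".
drop_policy_tables() {
    apply_filter_policy | awk '$2=="-t" && $4=="-P" && $6=="DROP" {print $3}' | sort -u
}
```

Run it with DRY_RUN=1 first and read the generated sequence; the ACCEPT policies must precede the flush and the DROP policies must come last.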