[iptables] drop or accept policy for outgoing connections.
Daniel Curtis
2013-06-22 09:50:24 UTC
Hi

I have a question about iptables and rules for the OUTPUT
chain. If I have a typical desktop without any services
like SSH, Samba etc., is it better to use something like this:

iptables -P DROP
iptables -A OUTPUT -o eth0 -j ACCEPT

or does it not matter, and it could be a single rule:

iptables -P OUTPUT ACCEPT

I'm asking because I'm curious. And frankly I've always been.

Best regards.
David Dejaeghere
2013-06-22 10:51:47 UTC
Your first example should be:

iptables -P OUTPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT

The difference between both is simply that in the first example you only
allow outbound traffic going through your eth0 device.
If you would have multiple network devices you would still be dropping
outbound traffic from the other devices.

Your second example allows outgoing traffic by default no matter what
interface. If you had multiple devices you could specify to drop those with
iptables -A OUTPUT -o eth1 -j DROP

So it really depends on what you prefer. But if you just want to allow
outgoing traffic starting from your desktop, just use your second example.

Kind Regards,

David
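The two approaches David describes, written out side by side as iptables-restore input so they can be reviewed before anything is loaded. This is an added example, not code posted in the thread; the interface name, the port list and the "egress-drop" log prefix are constructed values. The default-drop variant is completed the way a desktop needs it (loopback, established flows, a short list of NEW connections on one interface) and logs whatever falls through, which is the practical benefit of a DROP policy on OUTPUT: an unexpected outbound talker becomes visible in the kernel log instead of silently leaving.

```shell
#!/bin/sh
# Added example (not from the thread): the two OUTPUT policies rendered as
# iptables-restore input. Interface, ports and log prefix are constructed values.

# Option A from the thread: default-accept OUTPUT. Nothing leaving the host is
# inspected, so there is also nothing to log.
build_permissive_ruleset() {
    printf '%s\n' '*filter' ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}

# Option B, completed for a desktop: default-drop OUTPUT with explicit allows on
# a single interface. $1 = outbound interface, $2 = space-separated proto/port
# list of connections this host may initiate (constructed default: DNS, HTTP,
# HTTPS, NTP). Everything else is logged and then dropped by the chain policy.
build_egress_ruleset() {
    iface="$1"
    allows="${2:-udp/53 tcp/53 tcp/80 tcp/443 udp/123}"
    printf '%s\n' '*filter' ':OUTPUT DROP [0:0]'
    # Loopback must stay open: local resolvers, X11, D-Bus and friends use it.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Packets belonging to flows already accepted; lets the per-port rules below
    # match NEW connections only.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for entry in $allows; do
        proto="${entry%/*}"
        port="${entry#*/}"
        printf '%s -o %s -p %s --dport %s %s\n' '-A OUTPUT' "$iface" "$proto" "$port" \
            '-m conntrack --ctstate NEW -j ACCEPT'
    done
    # Rate-limited log of what falls through, so a new outbound connection from an
    # unexpected program shows up in dmesg/journal before the policy drops it.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules in a generated ruleset; handy when reviewing a change.
count_accepts() {
    build_egress_ruleset "$@" | grep -c -e '-j ACCEPT'
}

# Loads the ruleset only when running as root; otherwise prints it for review.
apply_egress_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing the ruleset instead of loading it" >&2
        build_egress_ruleset "$@"
        return 0
    fi
    build_egress_ruleset "$@" | iptables-restore --noflush
}

# Usage: sh egress.sh eth0        (prints or loads the default-drop ruleset for eth0)
if [ -n "${1:-}" ]; then
    apply_egress_ruleset "$@"
fi
```

Loading with `iptables-restore --noflush` appends to whatever is already in the filter table, so loading twice duplicates the rules; without `--noflush` the restore flushes every chain of the filter table, so on a real host the file should carry the INPUT and FORWARD lines as well. Either way, compare the generated text against `iptables-save` output first.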
Pascal Hambourg
2013-06-22 10:53:13 UTC
Hello,
Post by Daniel Curtis
I have a question about iptables and rules for the OUTPUT
chain. If I have a typical desktop without any services
like SSH, Samba etc., is it better to use something like this:
iptables -P DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
or does it not matter, and it could be a single rule:
iptables -P OUTPUT ACCEPT
These two sets of commands do different things and cannot be compared
simply.
"Better" suggests optimization, and optimization requires a criterion.
What is the objective criterion you wish to optimize?
--
To UNSUBSCRIBE, email to debian-firewall-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: http://lists.debian.org/***@plouf.fr.eu.org
Daniel Curtis
2013-06-22 18:40:48 UTC
Hi, David. Thank you for correcting the rule for the OUTPUT chain.
I mean that I forgot to add the ... -P OUTPUT ... policy. I have only
one network device, a router. Is that what you mean by writing
*network devices*?
So, in your opinion, I have to use the second rule, right?
(iptables -P OUTPUT ACCEPT). I'm using only one interface, eth0.

Pascal, what is the criterion to optimize? Frankly, I don't know,
because it is a typical desktop. So, I think it does not need any
special criteria, right? Or maybe I'm wrong. What would you do
in my place? (Such a stupid question, sorry.)

Best regards.
