=== Part 2: Setting a Default Policy / Setting Policy Exceptions (iptables) ===
Usually when setting policy rules with iptables, a general "overall" policy is set first (the default policy of a chain). A good way to think about the default policy is as a safety net: it takes some action on every packet that no other rule handled, so un-handled packets do not pass through the firewall by mistake. After the default policy is set up, policy rules are then added to the chains which act as specific exceptions to the default policy. The default policy applies to ALL types of packets (tcp, udp, icmp) and all communication port numbers (80, 22, etc.); the exception rules are what control specific network traffic.
'''Policy Setting Examples:'''
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="30%">'''iptables -P INPUT DROP'''</td><td>Drops all incoming packets regardless of protocol (e.g. tcp, udp, icmp), port number (e.g. 22, 80) or source or destination IP address. Setting a default rule to DROP all incoming traffic makes it easier to specify a few exceptions for the traffic that should be allowed.</td>
</tr><tr>
<td>'''iptables -P INPUT ACCEPT'''</td><td>Accepts all incoming packets regardless of protocol (e.g. tcp, udp, icmp), port number (e.g. 22, 80) or source or destination IP address. Setting a default policy to ACCEPT all incoming traffic would require A LOT of exceptions to "lock down" the server for protection! Which default is appropriate really depends on the server set-up and what the Linux system administrator wants to accomplish.</td>
</tr>
</table>
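The "safety net plus exceptions" pattern from the section above, written out as a small POSIX shell script. This is an added example and not part of the original page; the SSH port, the loopback interface and the choice of exceptions are assumed values for illustration. The script emits the iptables commands in the order they should be applied: the exceptions that keep an existing remote session alive (loopback, established connections, SSH) go in before the INPUT policy flips to DROP, so an administrator working over SSH is not cut off between the two steps. It only applies the rules when run as root with `apply` as its argument; otherwise it prints them.

```bash
#!/bin/sh
# Added example (not from the original page): default DROP policy on INPUT,
# then a short list of exceptions. SSH_PORT is an assumed value.
SSH_PORT="${SSH_PORT:-22}"

# Print the rule set, one iptables command per line, in the order to apply it.
# Exceptions first, default DROP policy last, so a remote admin session survives.
fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Run the commands for real only as root with iptables installed; otherwise
# show what would run (dry run).
fw_apply() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        fw_rules | sh -e
    else
        echo "# dry run (not root or iptables missing); commands that would run:" >&2
        fw_rules
    fi
}

# Number of explicit exceptions (ACCEPT rules appended to INPUT) in the set.
fw_count_exceptions() {
    fw_rules | grep -c -- '-A INPUT .* -j ACCEPT'
}

# Line number (1-based) of the first command matching a pattern; used to check
# that the DROP policy is applied after the session-preserving exceptions.
fw_line_of() {
    fw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-show}" in
    apply) fw_apply ;;
    *)     fw_rules ;;
esac
```

Everything not matched by one of the four `-A INPUT ... -j ACCEPT` lines falls through to the `-P INPUT DROP` safety net, which is exactly the relationship between the default policy and its exceptions described in the table. Keep `-P OUTPUT ACCEPT` in mind when choosing a default: locking down OUTPUT as well is possible, but as the table says, every extra DROP default multiplies the exceptions you have to write.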