[lug] Restoring my iptables

Jed S. Baer blug at jbaer.cotse.net
Tue May 11 19:02:07 MDT 2021


After the last Ubuntu re-install, I thought I had managed to lose my saved
iptables configuration. I've been running rdiff-backup on important stuff for
years, but apparently, I had saved the config somewhere where it wasn't
getting backed up - still a mystery to me.

So today I thought I should button that up, and looked briefly at ufw, and
then decided I'd run the locate command one more time (I didn't before?)
and huzzah, found a backup I'd made of /etc prior to some other upgrade.

And now I'm wondering why I did what I did. Most of it, it's easy to
recall, like opening ports for Samba. But I'm wondering why I did the DROP
rule for only tcp. Maybe I wanted to be able to ping my machine from
another? Maybe at one time, that mattered; maybe it will again.

Anyways, here's what I'm doing now:

*filter
:INPUT ACCEPT [19927:1623720]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21103:1725403]
-A INPUT -i enp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

At one time, I probably found something that explained why to do it this
way, but now I don't know why I would drop only TCP packets which have SYN
set, and RST and ACK unset.

I think I want to drop everything that doesn't match the first rule. I'll
note that setting policy to DROP and then adding an ACCEPT rule like the
first resulted in things such as apt-get install not working. As in:
https://upcloud.com/community/tutorials/configure-iptables-ubuntu/
except I didn't add any other ACCEPT rules, since I'm thinking I can just
rely on the connstate ACCEPT, and add other rules only for explicit things
I turn on, maybe if I enable sshd or samba again.

Or maybe I should just go with ufw?

-- 
All operating systems suck, but Linux just sucks less
 - Linus Torvalds
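As an added example (not part of the post above, and not the poster's own tooling), the script below is a small simulator that replays the two INPUT rules from the message, the DROP-policy variant the post says broke apt-get, and a default-deny variant of my own against a few constructed packets. It supports only the matches the post uses (`-i` with a trailing `+` wildcard, `-p`, `-m state --state`, `--tcp-flags MASK COMP`, `-j`) plus the chain policy; the packet fields, interface names and the `DROP_POLICY_ONLY` and `DEFAULT_DENY` rulesets are my reconstructions and assumptions. One plausible reason for the apt-get breakage (my assumption, not something the post states) is that with a DROP policy and an ACCEPT rule limited to `-i enp+`, loopback traffic such as replies from a local DNS stub resolver never matches the rule and falls through to the policy; the `loopback_dns` packet exercises exactly that case.

```python
"""Constructed iptables INPUT-chain simulator for the rulesets discussed above.
Only a subset of iptables matching is modelled; it is not a replacement for
testing the real ruleset on the host."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                      # incoming interface, e.g. "enp3s0" or "lo"
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack state: NEW, ESTABLISHED, RELATED
    flags: frozenset = frozenset()  # TCP flags set on the packet (tcp only)


@dataclass
class Rule:
    target: str = "ACCEPT"
    iface: Optional[str] = None
    proto: Optional[str] = None
    states: Optional[frozenset] = None
    flag_mask: Optional[frozenset] = None
    flag_comp: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        # "-i enp+": a trailing '+' is iptables' interface-name prefix wildcard
        if self.iface is not None:
            if self.iface.endswith("+"):
                if not pkt.iface.startswith(self.iface[:-1]):
                    return False
            elif pkt.iface != self.iface:
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        # "--tcp-flags MASK COMP": of the flags listed in MASK, exactly COMP must be set
        if self.flag_mask is not None:
            if pkt.proto != "tcp" or (pkt.flags & self.flag_mask) != self.flag_comp:
                return False
        return True


def parse_rule(line: str) -> Rule:
    tokens = line.split()[2:]        # drop the leading "-A INPUT"
    rule, i = Rule(), 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-i":
            rule.iface = tokens[i + 1]; i += 2
        elif opt == "-p":
            rule.proto = tokens[i + 1]; i += 2
        elif opt == "-m":                # match-extension name; its options follow
            i += 2
        elif opt == "--state":
            rule.states = frozenset(tokens[i + 1].split(",")); i += 2
        elif opt == "--tcp-flags":
            rule.flag_mask = frozenset(tokens[i + 1].split(","))
            rule.flag_comp = frozenset(tokens[i + 2].split(","))
            i += 3
        elif opt == "-j":
            rule.target = tokens[i + 1]; i += 2
        else:
            raise ValueError(f"option not modelled by this example: {opt}")
    return rule


def parse_input_chain(save_text: str):
    """Return (policy, rules) for the INPUT chain of iptables-save style text."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def verdict(save_text: str, pkt: Packet) -> str:
    policy, rules = parse_input_chain(save_text)
    for rule in rules:               # first matching rule decides
        if rule.matches(pkt):
            return rule.target
    return policy                    # no rule matched: the chain policy applies


# The ruleset quoted in the post (ACCEPT policy, SYN-only DROP).
POSTED = """*filter
:INPUT ACCEPT [19927:1623720]
-A INPUT -i enp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
"""

# Reconstructed from the post's description: DROP policy plus only the enp+ ESTABLISHED rule.
DROP_POLICY_ONLY = """*filter
:INPUT DROP [0:0]
-A INPUT -i enp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# My default-deny variant (assumption, not from the post): loopback first,
# established/related on any interface, everything else hits the DROP policy.
DEFAULT_DENY = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Constructed sample packets (interface names and states are assumptions).
PACKETS = {
    "syn_to_ssh":   Packet("enp3s0", "tcp", "NEW", frozenset({"SYN"})),
    "http_reply":   Packet("enp3s0", "tcp", "ESTABLISHED", frozenset({"ACK"})),
    "ping_request": Packet("enp3s0", "icmp", "NEW"),
    "udp_probe":    Packet("enp3s0", "udp", "NEW"),
    "loopback_dns": Packet("lo", "udp", "ESTABLISHED"),  # stub-resolver reply on lo
}
RULESETS = {"posted": POSTED, "drop_policy_only": DROP_POLICY_ONLY, "default_deny": DEFAULT_DENY}


def compare() -> dict:
    """Verdict of every ruleset for every sample packet, keyed by ruleset then packet name."""
    return {name: {pname: verdict(text, pkt) for pname, pkt in PACKETS.items()}
            for name, text in RULESETS.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for pname, v in results.items():
            print(f"  {pname:<13} {v}")
```

Running it shows the answer to the question in the post: the SYN-only DROP stops new inbound TCP connections while leaving ICMP (ping) and any new UDP traffic subject to the ACCEPT policy, whereas a DROP policy with only the enp+-restricted ESTABLISHED rule also drops the loopback reply. The default-deny variant keeps the loopback reply and established traffic and drops the rest; if pinging the box from another machine still matters, a rule accepting ICMP echo-request would have to be added explicitly.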

