Iptables

Kevin Day thekevinday at gmail.com
Sun Aug 14 12:07:35 PDT 2011


On 8/13/11, Robert Connolly <robert at linuxfromscratch.org> wrote:
> Hello.
>
> I have an idea for implementing Iptables in HLFS, giving users and daemons
> the least privileges possible.
>
> Basically Iptables rules are written for each network application or daemon,
> with a default deny policy. So when /bin/ping gets installed, an iptables
> policy for ping is added to allow outgoing pings. Same goes for ftp(1), web
> browsers, or daemons like sshd.
>
> Each network application would have its own iptables file, in
> /etc/iptables, such as /etc/iptables/clients/ping.sh,
> /etc/iptables/clients/web.sh, or /etc/iptables/servers/sshd.sh.
>
> Does this make sense, or is there a better way to do this?
>
> robert
>
>

That makes sense. I would suggest creating custom outbound & inbound
chains for these purposes (such as 'INPUT-CLIENTS', 'OUTPUT-CLIENTS',
'INPUT-SERVERS', 'OUTPUT-SERVERS', etc.). Unless of course you think
this is overkill. LinuxFromScratch projects are, in part, about
learning so keeping it simple might be the better approach.

-- 
Kevin Day
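As an added example, not code from this thread or from HLFS, here is one way the per-application layout Robert describes and the custom chains Kevin suggests could fit together: a base policy that defaults to deny and dispatches into the custom chains, plus one client file (ping) and one server file (sshd) each adding only its own rule. The function names are assumptions, and IPT defaults to a dry run that prints each rule instead of applying it (set IPT=iptables to apply as root).

```shell
#!/bin/sh
# IPT defaults to a dry run that prints rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Base policy (one shared file): default deny on every built-in chain,
# then hand traffic to the custom chains so each application file only
# ever appends to its own chain and never touches the policy itself.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    for c in INPUT-CLIENTS OUTPUT-CLIENTS INPUT-SERVERS OUTPUT-SERVERS; do
        $IPT -N "$c"
    done
    # Loopback and already-tracked flows are accepted before the
    # per-application chains are consulted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j INPUT-CLIENTS
    $IPT -A INPUT -j INPUT-SERVERS
    $IPT -A OUTPUT -j OUTPUT-CLIENTS
    $IPT -A OUTPUT -j OUTPUT-SERVERS
}

# What /etc/iptables/clients/ping.sh would contain (assumed layout):
# only new outgoing echo-requests; the echo-reply comes back through
# the ESTABLISHED,RELATED rule, so no inbound ICMP rule is needed.
client_ping() {
    $IPT -A OUTPUT-CLIENTS -p icmp --icmp-type echo-request \
        -m conntrack --ctstate NEW -j ACCEPT
}

# What /etc/iptables/servers/sshd.sh would contain (assumed layout):
# only new inbound connections to port 22; sshd's replies are again
# covered by the ESTABLISHED,RELATED rule in the base policy.
server_sshd() {
    $IPT -A INPUT-SERVERS -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

base_policy
client_ping
server_sshd
```

Anything not explicitly accepted by an application file falls through the custom chains and hits the DROP policy, which is the default-deny behaviour the thread is after.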
