surfer@emailengine.net
2014-Jul-15 20:05 UTC
/stoppedrules leaves INPUT from net <- ACCEPT after shorewall stop
I'm defining my stoppedrules. I set up a simple one to only allow SSH/VPN
access from my home IPs:

/stoppedrules

    #ACTION   SOURCE                    DEST   PROTO     DEST      SOURCE
    #                                          PORT(S)   PORT(S)
    ACCEPT    EXT_IF:my.home.ip.x/29    $FW    tcp       22
    ACCEPT    EXT_IF:my.home.ip.x/29    $FW    tcp,udp   1194      1194

After restart

    systemctl start shorewall-lite.service
    systemctl stop shorewall-lite.service
    iptables -L -n

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            multiport dports 22
    ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            tcp spt:1194 dpt:1194
    ACCEPT     udp  --  my.home.ip.x/29      0.0.0.0/0            udp spt:1194 dpt:1194
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination

I notice INPUT from the entire net is allowed:

    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

I thought all traffic OTHER than what's explicitly enabled in stoppedrules
is implicitly denied. I want to (keep) open ONLY traffic for SSH/VPN.

Did I misunderstand or misconfigure?

Jerry
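A check that helps with the question raised in the post above, added here as an example and not part of the original thread or of Shorewall itself. `iptables -L -n` does not print interface matches (that needs `-v`, or `iptables -S`), so a rule such as `-A INPUT -i lo -j ACCEPT` shows up as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0`, indistinguishable from a genuinely unrestricted accept. The script below parses `iptables -S INPUT` output and lists ACCEPT rules that carry no interface, source-address or connection-state restriction. The rule dump it runs on is constructed for the example (the `-i lo` rule and the RFC 5737 address are assumptions, not taken from the post); on a real host replace it with the output of `iptables -S INPUT`.

```python
"""Audit `iptables -S` output for ACCEPT rules with no narrowing match.

Added example, not code from the original post or from Shorewall.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample dump standing in for `iptables -S INPUT` on a stopped
# firewall. The `-i lo` line is an assumption used to show how an
# interface-only rule looks; `iptables -L -n` would print it without the
# interface, as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0".
SAMPLE_DUMP = """\
-P INPUT DROP
-A INPUT -s 203.0.113.8/29 -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -s 203.0.113.8/29 -p tcp -m tcp --sport 1194 --dport 1194 -j ACCEPT
-A INPUT -s 203.0.113.8/29 -p udp -m udp --sport 1194 --dport 1194 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
"""

# Options that narrow an ACCEPT rule to something less than "everything".
# Port-only matches (--dport, --dports) are deliberately excluded: a rule
# accepting port 22 from any source is still open to the whole net.
RESTRICTING_OPTS = {
    "-i", "--in-interface",
    "-s", "--source", "--src",
    "--ctstate", "--state",
}


def parse_rule(line: str) -> Dict[str, object]:
    """Parse one `iptables -S` line into kind (-P/-A), chain, target, options."""
    tokens = shlex.split(line)
    rule: Dict[str, object] = {
        "raw": line, "kind": tokens[0], "chain": tokens[1],
        "target": None, "opts": [],
    }
    if tokens[0] == "-P":                 # policy line: "-P CHAIN TARGET"
        rule["target"] = tokens[2]
        return rule
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-j", "--jump"):
            rule["target"] = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("-"):           # record option names only
            rule["opts"].append(tok)
        i += 1
    return rule


def restrictions(rule: Dict[str, object]) -> List[str]:
    """Return the narrowing options present on a parsed rule."""
    return [o for o in rule["opts"] if o in RESTRICTING_OPTS]  # type: ignore[index]


def chain_policy(dump: str, chain: str = "INPUT") -> Optional[str]:
    """Return the default policy of `chain` from the dump, if present."""
    for line in dump.splitlines():
        if line.startswith("-P "):
            rule = parse_rule(line)
            if rule["chain"] == chain:
                return rule["target"]  # type: ignore[return-value]
    return None


def unrestricted_accepts(dump: str, chain: str = "INPUT") -> List[str]:
    """Return the `-A` lines in `chain` that ACCEPT without any narrowing match."""
    found: List[str] = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule["kind"] != "-A" or rule["chain"] != chain:
            continue
        if rule["target"] == "ACCEPT" and not restrictions(rule):
            found.append(line)
    return found


if __name__ == "__main__":
    print("INPUT policy:", chain_policy(SAMPLE_DUMP))
    for line in SAMPLE_DUMP.splitlines():
        if line.startswith("-A INPUT") and "ACCEPT" in line:
            narrowed = restrictions(parse_rule(line))
            print(f"{line!r}: {'restricted by ' + ' '.join(narrowed) if narrowed else 'UNRESTRICTED'}")
    print("Unrestricted ACCEPT rules:", unrestricted_accepts(SAMPLE_DUMP))
```

Only the final `-A INPUT -j ACCEPT` line is reported; the `-i lo` rule is classed as restricted because it carries an interface match, even though `iptables -L -n` would have printed both identically. Run the script against real output with `iptables -S INPUT | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`.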