Configuration question for my first iptables setup
2007-07-02 14:12:38
I am brand new to iptables, and I want to set up a basic firewall for a dedicated web server. I'm accessing the server remotely, and already locked myself out once.

I've come up with the configuration below, but feel like I don't know what I'm doing.  Does the following look reasonable? Am I overlooking anything major? Thank you for your input.


> iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:ACK/ACK
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:auth
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10000
DROP       tcp  --  anywhere             anywhere             tcp dpts:2049:2050
DROP       tcp  --  anywhere             anywhere             tcp dpts11:6063
DROP       tcp  --  anywhere             anywhere             tcp dpts:afs3-fileserver:7010
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 


     




Re: Configuration question for my first iptables setup
2007-07-04 06:04:42
Reid wrote:
> I am brand new to iptables, and I want to set up a basic firewall for a dedicated web server. I'm
> accessing the server remotely, and already locked myself out once.
>
> I've come up with the configuration below, but feel like I don't know what I'm doing.  Does the
> following look reasonable? Am I overlooking anything major? Thank you for input.
>
Nope.. This is NOT reasonable...
You have set the first rule in your INPUT chain to ACCEPT everything from anywhere...
The following rules will never get hit !!!

Try the "iptables -vnL" command to see it !!!

The last rule is also "useless" because your DEFAULT POLICY is DROP.

On the other hand, without those two rules it seems ok... (Depending on what you want to achieve...)

Just to guide you:
1. I would enable the lo interface to ACCEPT everything...
2. Accept anything that is ESTABLISHED or RELATED
3. I would group up the rules depending on the protocol...

Swifty
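The ruleset rebuilt along Swifty's three points, as an added example that is not from either poster; it assumes the service ports from the original listing (22, 80, 443, 10000), a placeholder ADMIN_NET for the network the server is administered from, and a DRY_RUN switch so the commands can be reviewed before they are applied:

```shell
#!/bin/sh
# Added example (not from either poster): the ruleset built the way Swifty
# suggests. Assumes ports 22/80/443/10000 from the original listing; ADMIN_NET
# is a placeholder for the network you administer from. DRY_RUN=1 prints only.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # placeholder (TEST-NET-3)

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Open the policy first and close it last, so a failing command in the
    # middle of the script cannot cut off the remote session.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 1. Everything on the loopback interface is local.
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host started, plus RELATED traffic
    #    (ICMP errors, helper-tracked data channels). UDP is tracked too, so
    #    the original "udp spt:domain dpts:1024:65535" rule is not needed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Remaining rules grouped by protocol. ICMP: only an unsolicited
    #    echo-request needs its own rule; the error types already arrive as RELATED.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    #    TCP management ports, reachable only from ADMIN_NET.
    for port in 22 10000; do
        ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    #    TCP public web ports.
    for port in 80 443; do
        ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # No "ACCEPT all" at the top (it would shadow every later rule) and no
    # "DROP all" at the bottom (the chain policy already does that).
    ipt -P FORWARD DROP    # a dedicated web server does not forward packets
    ipt -P INPUT DROP
}

case "${1:-}" in
    show)  DRY_RUN=1 firewall_rules ;;
    apply) firewall_rules ;;
esac
```

`sh fw.sh show` prints the rules and `sh fw.sh apply` loads them; because the ESTABLISHED rule is in place before the policy is switched to DROP, the SSH session that runs the script stays up.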



