The current iptables doesn't contain an example ruleset for /var/lib/iptables/rules-save. I'd suggest adding such an example. Attached is a proposed example (it's a fairly secure ruleset that should work for most machines); I'd like to know what you think about it.
Created attachment 39645: Proposed example ruleset
Created attachment 40667: Better documented version.
How portable is this across versions? I don't really want to keep updating this thing every time a new version comes out.
Most of that is pretty stock and portable, with the exception of the last lines that use -m stealth, which is only in hardened-sources (and in the iptables upstream patch-o-matic).
Is there any real point in documenting all of it, considering iptables save/restore will just overwrite it? :)
spanky: do we still need this bug? The one other problem with this ruleset, on re-reviewing it, is that if you forgot to start a service and try to connect to it, you get added to the banned hosts, and then after you do start the service, you have to wait to get out of the banned hosts list. I suggest closing with WONTFIX.
Just doesn't really work.
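To make the "banned hosts" problem from the review concrete, here is a small ruleset in iptables-restore format. It is a constructed illustration added here, not the attachment proposed in this bug and not Gentoo's own file; it assumes a hypothetical host that only needs to expose SSH and uses the stock `-m recent` match (no hardened-only modules) to ban any host that sends a SYN to a closed port. The final commented line shows the usual mitigation for the false-positive the review describes.

```iptables
# Constructed example ruleset for /var/lib/iptables/rules-save (iptables-restore format).
# Default policy: drop everything inbound, allow everything outbound.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop traffic from any source address seen in the "banned" list within the last 600 s.
# --rcheck only tests the entry; --update would also refresh its timestamp and keep
# extending the ban for as long as the client keeps retrying.
-A INPUT -m recent --name banned --rcheck --seconds 600 -j DROP

# The only service intentionally exposed (hypothetical: SSH).
-A INPUT -p tcp --dport 22 -j ACCEPT

# Any other SYN is treated as a probe: record the source in "banned" and drop it.
# This is the line that bites when a legitimate client connects to a service that is
# not running yet: one stray SYN puts the client on the list for 600 s.
-A INPUT -p tcp --syn -m recent --name banned --set -j DROP

# Less aggressive variant: only ban after three probes within 60 s from the same source,
# so a single accidental connection attempt does not lock the client out.
# -A INPUT -p tcp --syn -m recent --name banned --set
# -A INPUT -p tcp --syn -m recent --name banned --rcheck --seconds 60 --hitcount 3 -j DROP

COMMIT
```

Loaded with `iptables-restore < /var/lib/iptables/rules-save`, this behaves as the review describes: a client that connects to a stopped service is dropped for the full window, and the operator can inspect or clear the list through `/proc/net/xt_recent/banned` (or `/proc/net/ipt_recent/banned` on older kernels) rather than waiting for the timeout. Lowering `--seconds` or requiring a `--hitcount` are the two knobs that trade detection of port scans against that lockout.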