LinuxQuestions.org


veeruk101 10-27-2011 06:05 AM

General iptables rules questions
 
I created a custom chain called LOGDROP which will log and drop packets. So I did the following, which gives an error of "iptables: Bad policy name". Can I not use the name of my custom chain there?

iptables -P INPUT LOGDROP
iptables -P FORWARD LOGDROP
iptables -P OUTPUT LOGDROP


One of the articles I read suggested doing the following to allow full loopback access. Could anyone explain exactly what the following would allow me to do (like examples of commands or operations that would fail if I haven't enabled the following iptables rules in a setup where the default for everything is DROP)?

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


In a device where there is only 1 Ethernet interface (i.e. eth0), is it best practice to put '-i eth0' in every rule or not? The advantage I can think of is increased security...? (Such as maybe if your host adds/enables another interface without you being aware of it.) How big a performance disadvantage would there be, as iptables would need to match each packet against coming from or going to eth0? In a production server environment where there is only eth0, what's your take on adding '-i eth0' to every rule?


At http://www.thegeekstuff.com/2011/06/...ules-examples/ there are rules for allowing rsync from a given network. However, wouldn't rsync work whenever SSH is allowed by iptables? Unless I've made some mistake in my configuration, I found that rsync works even when the following isn't included, but rather when SSH is allowed...

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

unSpawn 10-27-2011 06:40 AM

Quote:

Originally Posted by veeruk101 (Post 4509676)
Can I not use the name of my custom chain there?

Shortest answer: no.


Quote:

Originally Posted by veeruk101 (Post 4509676)
examples of commands or operations that would fail if I haven't enabled the following iptables rules in a setup where the default for everything is DROP

I'd say test it and see for yourself. Enabling logging is the simplest, easiest way to troubleshoot traffic problems:
Code:

-A INPUT -i lo -j LOG --log-prefix "IN_lo "
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j LOG --log-prefix "OUT_lo "
-A OUTPUT -o lo -j ACCEPT


Quote:

Originally Posted by veeruk101 (Post 4509676)
In a device where there is only 1 Ethernet interface (i.e. eth0), is it best practice to put '-i eth0' in every rule or not?

AFAIK there's no best practice for single ethernet device machines. Depending on your chain policy you could easily
Code:

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j CHAINNAME
-A CHAINNAME --filter:something -j DROP
-A CHAINNAME --filter:somethingelse -j ACCEPT # etc, etc


Quote:

Originally Posted by veeruk101 (Post 4509676)
there are rules for allowing rsync from a given network. However, wouldn't rsync work whenever SSH is allowed by iptables? Unless I've made some mistake in my configuration, I found that rsync works even when the following isn't included, but rather when SSH is allowed...

I haven't read that page but yes, Rsync does work well over SSH.

salasi 10-27-2011 07:47 AM

Quote:

Originally Posted by veeruk101 (Post 4509676)
I created a custom chain called LOGDROP which will log and drop packets. So I did the following, which gives an error of "iptables: Bad policy name". Can I not use the name of my custom chain there?

Only inbuilt chains have policies; allowed policies are DROP and ACCEPT. This isn't really a limitation as you can always create the effect of DROP or ACCEPT manually.
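Putting that into a loadable ruleset, as an added example that is not from any poster in this thread: the built-in policies stay DROP, and the custom LOGDROP chain is appended as the last rule of each built-in chain, which is the "create the effect manually" approach. The eth0 interface and the 192.168.101.0/24 network come from the thread; the SSH rule and the log rate limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which a custom LOGDROP
# chain acts as the effective "policy" of INPUT/FORWARD/OUTPUT. Built-in
# policies may only be ACCEPT or DROP (the "Bad policy name" error), so the
# policy is DROP and the final rule of each chain jumps to LOGDROP instead.
# Assumed for illustration: SSH allowed only from 192.168.101.0/24, and a
# 5/min limit on log lines so a flood cannot fill the logs.

logdrop_ruleset() {
    iface="${1:-eth0}"   # the thread's single interface; argument overrides
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback: local clients talking to local services on 127.0.0.1 need both
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections this host already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from the management network; rsync over SSH needs nothing more (port 873
# is only for the rsync daemon). No outbound NEW connections are allowed here.
-A INPUT -i ${iface} -p tcp -s 192.168.101.0/24 --dport 22 -m state --state NEW -j ACCEPT
# the custom chain: rate-limited log line with a searchable prefix, then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
# last rule of each built-in chain: whatever was not accepted above ends here
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Sanity check: exactly one jump to LOGDROP per built-in chain is expected.
logdrop_jump_count() {
    logdrop_ruleset "$1" | grep -c -- '-j LOGDROP$'
}

# Load with (as root):  logdrop_ruleset eth0 | iptables-restore
# Dropped packets then show up in the kernel log with the "LOGDROP " prefix.
```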

