LinuxQuestions.org
Old 10-27-2011, 07:05 AM   #1
veeruk101
Member
 
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Rep: Reputation: 16
General iptables rules questions


I created a custom chain called LOGDROP which will log and drop packets. So I did the following, which gives an error of "iptables: Bad policy name". Can I not use the name of my custom chain there?

iptables -P INPUT LOGDROP
iptables -P FORWARD LOGDROP
iptables -P OUTPUT LOGDROP


One of the articles I read suggested doing the following to allow full loopback access. Could anyone explain exactly what the following would allow me to do (like examples of commands or operations that would fail if I haven't enabled the following iptables rules in a setup where the default of everything is DROP)?

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


In a device where there is only 1 Ethernet interface (i.e. eth0), is it best practice to put '-i eth0' in every rule or not? Advantages I can think of are increased security...? (Such as maybe if your host adds/enables another interface without you being aware of it.) How big a disadvantage would the performance hit be, as iptables would need to match each packet against coming from or going to eth0? In a production server environment where there is only eth0, what's your take on adding '-i eth0' to every rule?


At http://www.thegeekstuff.com/2011/06/...ules-examples/ there are rules for allowing rsync from a given network. However, wouldn't rsync work whenever SSH is allowed by iptables? Unless I've made some mistake in my configuration, I found that rsync works even when the following isn't included, but rather when SSH is allowed...

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Last edited by veeruk101; 10-27-2011 at 07:32 AM.
 
Old 10-27-2011, 07:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
Quote:
Originally Posted by veeruk101
Can I not use the name of my custom chain there?
Shortest answer: no.


Quote:
Originally Posted by veeruk101
examples of commands or operations that would fail if I haven't enabled the following iptables rules in a setup where the default of everything is DROP
I'd say test it and see for yourself. Enabling logging is the simplest, easiest way to troubleshoot traffic problems:
Code:
-A INPUT -i lo -j LOG --log-prefix "IN_lo "
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j LOG --log-prefix "OUT_lo "
-A OUTPUT -o lo -j ACCEPT

Quote:
Originally Posted by veeruk101
In a device where there is only 1 Ethernet interface (i.e. eth0), is it best practice to put '-i eth0' in every rule or not?
AFAIK there's no best practice for single ethernet device machines. Depending on your chain policy you could easily do:
Code:
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j CHAINNAME
-A CHAINNAME --filter:something -j DROP
-A CHAINNAME --filter:somethingelse -j ACCEPT # etc, etc

Quote:
Originally Posted by veeruk101
there are rules for allowing rsync from a given network. However, wouldn't rsync work whenever SSH is allowed by iptables? Unless I've made some mistake in my configuration, I found that rsync works even when the following isn't included, but rather when SSH is allowed...
I haven't read that page but yes, Rsync does work well over SSH.

Last edited by unSpawn; 10-27-2011 at 07:44 AM. Reason: //Reflect OP editing post.
 
Old 10-27-2011, 08:47 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,052

Rep: Reputation: 881
Quote:
Originally Posted by veeruk101
I created a custom chain called LOGDROP which will log and drop packets. So I did the following, which gives an error of "iptables: Bad policy name". Can I not use the name of my custom chain there?
Only inbuilt chains have policies; allowed policies are DROP and ACCEPT. This isn't really a limitation as you can always create the effect of DROP or ACCEPT manually.
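To make salasi's point concrete, here is an added example (mine, not from the thread) of a complete ruleset in iptables-restore format that gets the effect veeruk101 was after: the built-in chains keep a DROP policy, and the last rule of each built-in chain jumps to the custom LOGDROP chain, so anything that falls off the end of a chain is logged and then dropped. It also carries a small lint that catches the "Bad policy name" mistake before loading. The interface name, the 192.168.101.0/24 network and the port numbers are the thread's; the rate limit, log prefix and function names are my choices.

```shell
#!/bin/sh
# Added example: "policy LOGDROP" done the way iptables allows it.
# "iptables -P INPUT LOGDROP" fails because only ACCEPT and DROP are
# valid policies, so the jump to LOGDROP goes in as the final rule instead.

logdrop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Custom chain: log (rate-limited so a flood cannot fill the disk), then drop.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
# Loopback: local clients talking to local daemons (resolver, CUPS, databases).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that were already allowed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from the management network; rsync over SSH needs nothing beyond this.
-A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 22 -m state --state NEW -j ACCEPT
# Port 873 is only for the rsync daemon (rsync://), not for rsync over SSH.
# -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW -j ACCEPT
# Let the box open new connections itself (DNS, package updates, outgoing SSH).
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
# Manual equivalent of a LOGDROP policy: last rule in every built-in chain.
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Lint a ruleset on stdin: every ":CHAIN POLICY [pkts:bytes]" line must name
# ACCEPT, DROP or "-" (user chain). Exit 1 and name the offender otherwise,
# which is exactly what iptables-restore would reject with "Bad policy name".
check_policies() {
    awk '
        /^:/ {
            if ($2 != "ACCEPT" && $2 != "DROP" && $2 != "-") {
                print "bad policy for chain " substr($1, 2) ": " $2
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Usage: lint, then load with iptables-restore (needs root).
#   logdrop_ruleset | check_policies && logdrop_ruleset | iptables-restore
logdrop_ruleset | check_policies && echo "ruleset policies OK"
```

After loading, `iptables -L -n -v` shows the LOGDROP jumps as the last rule in each chain, and the packet counters on them tell you how much traffic the policy is actually eating.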