[SOLVED] IPtables rules what do they mean ??

jonaskellens · 09-04-2009, 06:34 AM

Can someone tell me just what these rules do ??

Code:

Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spts:1024:65535 dpt:53 
4    ACCEPT     tcp  --  194.60.207.52        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
5    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spt:53 dpts:1024:65535 
6    ACCEPT     tcp  --  194.60.207.52        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
7    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spt:53 dpt:53 
8    INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0           
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

acid_kewpie · 09-04-2009, 06:56 AM

not a great output, use "iptables -L -n -v" instead for clearer output but with a little added guesswork...

1) Send everything on an unshown interface to a "LOCALINPUT" target, presumably lo
2) Accept everything on an unshown interface (lo again? clashes with above...??)
3) Accept incoming UDP DNS requests from that IP
4) Accept incoming TCP DNS requests from that IP
5) Accept incoming UDP DNS responses from that IP
6) Accept incoming TCP DNS responses from that IP
7) Accept UDP DNS replications from that IP
8) Send all borked TCP packets to the INVALID table
9) Accept everything that is already known and passed.

JulianTosh · 09-04-2009, 07:21 AM

use '--line-numbers' too so you can easily reference specific lines. good for instructing on inserts and deletes 8^)

jonaskellens · 09-05-2009, 04:02 AM

Code:

bash-3.2# /sbin/iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7180 1273K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spts:1024:65535 dpt:53 
4        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
5      421 68045 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpts:1024:65535 
6        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
7        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpt:53 
8      903  120K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
9     6055 1091K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

I don't need to worry about rule 9 (ACCEPT ALL if not local loop) ??

I don't know this IP-address 194.60.207.52, could it be a gateway ?? (if you say it has something with DNS-requests)

JulianTosh · 09-05-2009, 04:31 AM

Was that all the output? There should at the least be a chain called LOCALINPUT that's missing.

the 194.* address appears to be a DNS server due to the ports the rule is matching. check /etc/resolv.conf to see if the IP is listed there.

RELATED, ESTABLISHED rules are generally safe and very efficient (should be at the top of the chains so they action quicker), so no, you shouldn't worry about it. It means the traffic has already been matched and ACCEPTed somewhere else.

jonaskellens · 09-05-2009, 04:33 AM

Quote:

Originally Posted by Admiral Beotch

Was that all the output? There should at the least be a chain called LOCALINPUT that's missing.

There is more output, but I did not list all of it in this thread.

Indeed the IP-address is the address of the nameserver in resolv.conf...

Thanks for the explanation.

JulianTosh · 09-05-2009, 04:34 AM

cool. np. thread solved?