Old 09-04-2009, 06:34 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
iptables rules: what do they mean?


Can someone tell me just what these rules do?
Code:
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spts:1024:65535 dpt:53 
4    ACCEPT     tcp  --  194.60.207.52        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
5    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spt:53 dpts:1024:65535 
6    ACCEPT     tcp  --  194.60.207.52        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
7    ACCEPT     udp  --  194.60.207.52        0.0.0.0/0           udp spt:53 dpt:53 
8    INVALID    tcp  --  0.0.0.0/0            0.0.0.0/0           
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 
Old 09-04-2009, 06:56 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Not a great output; use "iptables -L -n -v" instead for clearer output. But with a little added guesswork...

1) Send everything on an unshown interface to a "LOCALINPUT" target, presumably lo
2) Accept everything on an unshown interface (lo again? clashes with above...??)
3) Accept incoming UDP DNS requests from that IP
4) Accept incoming TCP DNS requests from that IP
5) Accept incoming UDP DNS responses from that IP
6) Accept incoming TCP DNS responses from that IP
7) Accept UDP DNS replications from that IP
8) Send all borked TCP packets to the INVALID table
9) Accept everything that is already known and passed.
 
Old 09-04-2009, 07:21 AM   #3
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Use '--line-numbers' too, so you can easily reference specific lines. Good for instructing on inserts and deletes 8^)
 
Old 09-05-2009, 04:02 AM   #4
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Code:
bash-3.2# /sbin/iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7180 1273K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spts:1024:65535 dpt:53 
4        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
5      421 68045 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpts:1024:65535 
6        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
7        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpt:53 
8      903  120K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
9     6055 1091K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
I don't need to worry about rule 9 (ACCEPT ALL if not local loop)?

I don't know this IP address 194.60.207.52; could it be a gateway? (If you say it has something to do with DNS requests.)
 
Old 09-05-2009, 04:31 AM   #5
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Was that all the output? There should at the least be a chain called LOCALINPUT that's missing.

The 194.* address appears to be a DNS server, due to the ports the rule is matching. Check /etc/resolv.conf to see if the IP is listed there.

RELATED, ESTABLISHED rules are generally safe and very efficient (should be at the top of the chains so they action quicker), so no, you shouldn't worry about it. It means the traffic has already been matched and ACCEPTed somewhere else.
 
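Added example, written for this thread and not code from any of the posts above: a small Python script that parses the "iptables -L -n -v --line-numbers" listing from post #4, prints each rule in English the way post #2 does by hand, traces a constructed packet through the chain to show which rule it hits, and emits the two commands that would move the RELATED,ESTABLISHED rule to the top as post #5 recommends. The LOCALINPUT and INVALID chains are not shown in the thread, so the trace assumes a jump into them RETURNs with no verdict; the counters support that assumption (rule 1 saw 7180 packets and rule 9 still saw 6055 of them). The sample packets are constructed, not captured.

```python
"""Decode an `iptables -L -n -v --line-numbers` listing and trace packets through it.
Added example for this thread, not code from any post. LISTING is the INPUT chain from
post #4. LOCALINPUT and INVALID are not shown in the thread, so a jump into them is
ASSUMED to RETURN with no verdict (rule 1 saw 7180 packets and rule 9 still saw 6055)."""
import ipaddress
import re
from dataclasses import dataclass, field

LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7180 1273K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spts:1024:65535 dpt:53
4        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spts:1024:65535 dpt:53
5      421 68045 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpts:1024:65535
6        0     0 ACCEPT     tcp  --  !lo    *       194.60.207.52        0.0.0.0/0           tcp spt:53 dpts:1024:65535
7        0     0 ACCEPT     udp  --  !lo    *       194.60.207.52        0.0.0.0/0           udp spt:53 dpt:53
8      903  120K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0
9     6055 1091K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal of INPUT
PORT_RE = re.compile(r"\b(spts?|dpts?):(\d+)(?::(\d+))?")
ANY = (0, 65535)

@dataclass
class Rule:
    num: int
    target: str
    proto: str  # "all", "tcp", "udp"
    iface: str  # "*" = any interface, "!lo" = anything but loopback
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple = ANY
    dport: tuple = ANY
    states: set = field(default_factory=set)  # empty = no conntrack-state match

    def matches(self, pkt):
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        if self.iface != "*" and (pkt["in"] == self.iface.lstrip("!")) == self.iface.startswith("!"):
            return False  # wrong interface, or exactly the negated one
        if ipaddress.ip_address(pkt["src"]) not in self.src or ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if not (self.sport[0] <= pkt.get("sport", 0) <= self.sport[1] and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1]):
            return False
        return not self.states or pkt.get("state") in self.states

def parse_rules(text):
    """Numbered lines of a -L -n -v --line-numbers listing -> Rule objects."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or not cols[0].isdigit():
            continue  # chain header, column header, blank line
        num, _pkts, _bytes, target, proto, _opt, iface, _out, src, dst = cols[:10]
        rule = Rule(int(num), target, proto, iface, ipaddress.ip_network(src), ipaddress.ip_network(dst))
        extra = " ".join(cols[10:])  # match-extension text: ports, state
        for kind, lo, hi in PORT_RE.findall(extra):
            setattr(rule, "sport" if kind[0] == "s" else "dport", (int(lo), int(hi or lo)))
        m = re.search(r"\bstate (\S+)", extra)
        if m:
            rule.states = set(m.group(1).split(","))
        rules.append(rule)
    return rules

def describe(rule):
    """One-line English reading of a rule, in the spirit of post #2."""
    proto = "any protocol" if rule.proto == "all" else rule.proto.upper()
    src = "anywhere" if rule.src.prefixlen == 0 else str(rule.src.network_address)
    where = "any interface" if rule.iface == "*" else rule.iface.replace("!", "not ")
    text = f"{rule.num}: {rule.target} {proto} from {src} in via {where}"
    for name, (lo, hi) in (("sport", rule.sport), ("dport", rule.dport)):
        if (lo, hi) != ANY:
            text += f" {name} {lo}" + (f"-{hi}" if hi != lo else "")
    return text + (" state " + ",".join(sorted(rule.states)) if rule.states else "")

def trace(rules, pkt, policy="DROP"):
    """Walk the chain for one packet; return (rule numbers hit, final verdict)."""
    hits = []
    for rule in rules:
        if rule.matches(pkt):
            hits.append(rule.num)
            if rule.target in TERMINAL:
                return hits, rule.target
            # user-defined chain (LOCALINPUT, INVALID): assumed to RETURN, keep walking
    return hits, policy

def hoist_state_rule(rules):
    """Post #5's advice as commands: make the RELATED,ESTABLISHED ACCEPT rule 1. Insert the
    copy first, then delete the original (now one number higher), so the chain is never
    without it. Returns [] when the rule is absent or already first."""
    for idx, rule in enumerate(rules, start=1):
        if rule.target == "ACCEPT" and rule.states >= {"RELATED", "ESTABLISHED"}:
            if idx == 1:
                return []
            iface = "" if rule.iface == "*" else ("! " if rule.iface[0] == "!" else "") + f"-i {rule.iface.lstrip('!')} "
            return [f"iptables -I INPUT 1 {iface}-m state --state RELATED,ESTABLISHED -j ACCEPT",
                    f"iptables -D INPUT {rule.num + 1}"]
    return []
```

To use it, call parse_rules(LISTING), print describe() for each rule, and hand trace() a dict such as {"proto": "udp", "in": "eth0", "src": "194.60.207.52", "dst": "10.0.0.2", "sport": 53, "dport": 40000, "state": "ESTABLISHED"} for a DNS reply from the resolver (it lands on rule 5, which is exactly where the 421 packets in the listing went), or a NEW TCP SYN to port 22 from some other host (it falls through to the DROP policy). hoist_state_rule() prints the "-I INPUT 1" and "-D INPUT 10" pair; the delete number is the old number plus one because the insert shifts everything down, which is the reason post #3 wants --line-numbers on screen before inserting or deleting by position.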
Old 09-05-2009, 04:33 AM   #6
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by Admiral Beotch View Post
Was that all the output? There should at the least be a chain called LOCALINPUT that's missing.
There is more output, but I did not list all of it in this thread.

Indeed, the IP address is the address of the nameserver in resolv.conf...

Thanks for the explanation.
 
Old 09-05-2009, 04:34 AM   #7
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Cool, np. Thread solved?
 