[SOLVED] If iptables default policy is DROP, does that stop all traffic?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
... then leave every other(!) case to be dealt-with by an all-encompassing "default rule," which, at the moment, is ... ACCEPT.
Not really. The last rule in the INPUT chain is a REJECT rule for all packets that make it that far in the chain.
Go ahead and set the default policy to DROP. It will make no difference since no packets ever fall through the chain, but it will keep the auditors happy.
Not really. The last rule in the INPUT chain is a REJECT rule for all packets that make it that far in the chain.
Go ahead and set the default policy to DROP. It will make no difference since no packets ever fall through the chain, but it will keep the auditors happy.
Without(!) publicly confronting your assessment in this case, "I'm not sure that I interpret these rules in the same way that you do," and I'm also not so sure why the auditors would be saying the things that they are, if that were true.
... freely acknowledging(!!) that perhaps I do not fully understand the meaning of --reject-with icmp-host-prohibited.
Therefore, I anxiously await your clarification (and enlightenment) on this matter. (And I graciously yield whatever statements I may have made heretofore, as having obviously been wrong.)
Quite early on in the process of creating our rule-set, we set up the default policies. We set up the default policies on the different chains with a fairly simple command, as described below.
iptables [-P {chain} {policy}]
The default policy is used every time the packets do not match a rule in the chain. For example, let's say we get a packet that matches no single rule in our whole rule-set. If this happens, we must decide what should happen to the packet in question, and this is where the default policy comes into the picture. The default policy is used on all packets that does not match with any other
Do be cautious with what default policy you set on chains in other tables since they are simply not made for filtering, and it may lead to very strange behaviors.
Some websites said to edit /etc/sysconfig/iptables directly, which doesn't look like a good idea to me...
reject sends feedback that it has been rejected and shows a fingerprint the server exists whereas drop is silent and no reason is sent so no server exists. At least thats the simple answer between reject and drop.
Without(!) publicly confronting your assessment in this case, "I'm not sure that I interpret these rules in the same way that you do," and I'm also not so sure why the auditors would be saying the things that they are, if that were true.
... freely acknowledging(!!) that perhaps I do not fully understand the meaning of --reject-with icmp-host-prohibited.
The important part of that rule is "-j REJECT", which causes the packet to be rejected. The "--reject-with icmp-host-prohibited" just causes the icmp reject packet to have a code other than the default "port-unreachable".
REJECT is a terminating target. Once a rule with a terminating target (ACCEPT and DROP are others) triggers, no further processing occurs in that step. Since this rule has no match conditions, it matches every packet that reaches it. No packet will ever fall through to the DROP policy.
drop is silent and no reason is sent so no server exists.
That "so no server exists" is a common misconception. The lack of response means that the server does exist and is trying not to be seen. If the server truly did not exist, then the upstream router would have sent back a "No route to host" response.
The important part of that rule is "-j REJECT", which causes the packet to be rejected. The "--reject-with icmp-host-prohibited" just causes the icmp reject packet to have a code other than the default "port-unreachable".
REJECT is a terminating target. Once a rule with a terminating target (ACCEPT and DROP are others) triggers, no further processing occurs in that step. Since this rule has no match conditions, it matches every packet that reaches it. No packet will ever fall through to the DROP policy.
Interesting. Thank you.
Therefore, I wonder if the auditors specifically wished for the packets to be dropped, with no explanation being offered to the sender, rather than rejected.
Exactly. I'd be willing to make a small wager that you could put a "-j ACCEPT" rule at the end of the chain to accept all packets not explicitly dropped or rejected, and the auditors would still be happy as long as the (meaningless) default policy was DROP.
It strikes me ... and, it strikes me as quite sensible ... that the auditors would not wish for an intruder a script-kiddie's "bot" to even be aware that a computer even existed at that IP-address. (Drop the packet, and there is no clue. Reject it, and there is.) For much the same reason, many computers are rigged-up not to respond to a "ping."
The first thing that any "bot" will do is to scan a wide range of IP's looking for targets. A little bit of camouflage works well in avoiding bombs.
Last edited by sundialsvcs; 03-31-2016 at 07:54 AM.
It does cut down on the noise a bit, and the ICMP REJECT packets do reveal something about the nature of the machine that sends them. There are some advantages to DROP vs. REJECT. It's just not as "stealthy" as many people believe -- more like "hiding" something by painting it flat black.
It strikes me ... and, it strikes me as quite sensible ... that the auditors would not wish for an intruder a script-kiddie's "bot" to even be aware that a computer even existed at that IP-address. (Drop the packet, and there is no clue. Reject it, and there is.) For much the same reason, many computers are rigged-up not to respond to a "ping."
The first thing that any "bot" will do is to scan a wide range of IP's looking for targets. A little bit of camouflage works well in avoiding bombs.
It's not really camouflage at all and it does penalize legitimate users. If you do have an axe to grind over a specific IP address then you can always tarpit it with the iptables extension of the same name. Otherwise, it is better to use REJECT than DROP. The original poster seems to have it right and the auditors not so much. I think rknichols would probably win the small wager offered.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
