LinuxQuestions.org
Old 01-24-2016, 03:17 AM   #1
andreiv
LQ Newbie
 
Registered: Sep 2014
Posts: 7

iptables basic question


I used iptables before (to open basic ports) but never had time to really understand how it works.
So today I installed a minimal CentOS 6.7 on a VM and tried to understand how the basic default iptables rules work. But something puzzles me. The default policy for input traffic is ACCEPT.
Yet, a few lines below, there is an explicit port opening for SSH. Why?
If I comment out that line, ssh doesn't work, of course.
Here is some info:
[root@localhost ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1471/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1305/master
tcp 0 0 :::22 :::* LISTEN 1471/sshd

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables config file:
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

So, the question, in short, is:
If I remove this line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
SSH doesn't allow connections anymore. Why?
Since the default input policy is set to :INPUT ACCEPT [0:0]
 
Old 01-24-2016, 07:27 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,498

In simple terms iptables rules are evaluated in order as seen.

If the policy is accept then all traffic is passed.
A specific rule allows traffic on a port that meets the desired condition.
And the last line (-A INPUT -j REJECT --reject-with icmp-host-prohibited) means drop whatever remaining traffic gets to this point. So therefore if you comment out ssh then it will be dropped by the last line.
 
Old 01-25-2016, 12:29 AM   #3
andreiv
LQ Newbie
 
Registered: Sep 2014
Posts: 7

Original Poster
Yes, this is what I also understood: that it is a filtering system and each packet is evaluated against the filters; if a filter matches, it is applied, if not, it moves to the one below.
But when I run the command below:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

There is the line "ACCEPT all -- anywhere anywhere" just above the ssh line. So shouldn't this line match any packet and let it through? This is what I don't understand.

The default INPUT policy is set to ACCEPT, as you can see in the config file. Doesn't that mean "Accept all unless prohibited somewhere explicitly"? So why the need to explicitly allow SSH?

Sorry for the many questions, but I want to understand as well as I can how iptables works in case I get into any firewall issues...

Last edited by andreiv; 01-25-2016 at 12:30 AM.
 
Old 01-25-2016, 10:09 AM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,498

Not a firewall expert by any means...

Looks like you posted a default Red Hat/CentOS firewall rule set. The ACCEPT all -- anywhere anywhere is not in the /etc/sysconfig/iptables saved rules so I am not exactly sure where it comes from. Actually the policy is applied after all the rules. Since the last rule is reject all it does not matter.

Ignoring the ICMP and accept all rules.
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED -> Basically accepts traffic that was first generated by you i.e. accessing a web page via Firefox.
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh -> Accepts ssh traffic that was initiated from another computer.
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited -> Reject everything else.

http://www.netfilter.org/documentation/
 
Old 01-25-2016, 11:06 AM   #5
andreiv
LQ Newbie
 
Registered: Sep 2014
Posts: 7

Original Poster
Yes, that is the default CentOS 6.7 iptables file as generated by anaconda during setup. I did not change anything.
I think that "ACCEPT all -- anywhere anywhere" comes from the ":INPUT ACCEPT" statement. But indeed it seems to be applied at the end, after the "-A INPUT -j REJECT --reject-with icmp-host-prohibited" statement.
Then what would be the difference between ":INPUT ACCEPT" and ":INPUT DROP"? Because the effect of ":INPUT ACCEPT" seems to take place only at the end.
Maybe if you use ":INPUT DROP" you don't need to explicitly drop everything else at the end...
I don't know, just a thought.
 
Old 01-25-2016, 11:36 AM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,764

You need to include the "-v" option in that "iptables -L" command. Without that, the interface qualifier is not shown, and it is often critical. You will almost certainly find that the mysterious "ACCEPT all -- anywhere anywhere" rule is only for packets coming from the "lo" loopback interface.
 
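Added example, not code from the thread: a small Python model of how netfilter walks the INPUT chain, evaluating the CentOS 6.7 ruleset from post #1 top to bottom. It shows why the ssh rule is needed even with policy ACCEPT (the catch-all REJECT michaelk points out in post #2 is hit first), why the "ACCEPT all -- anywhere anywhere" rule rknichols identifies only matches packets arriving on lo, and when the ACCEPT versus DROP policy question from post #5 actually makes a difference. The packet and rule representations are simplified assumptions for illustration, not netfilter's own data structures.

```python
# Toy evaluator for the INPUT chain of the CentOS 6 default ruleset in post #1.
# Rules are checked top to bottom, the first match decides, and the chain
# policy is consulted only if no rule matched. Packets here are constructed.

def rule(target, proto=None, iface=None, states=None, dport=None):
    return dict(target=target, proto=proto, iface=iface, states=states, dport=dport)

# The INPUT chain in the order /etc/sysconfig/iptables lists it.
CENTOS6_INPUT = [
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="icmp"),
    rule("ACCEPT", iface="lo"),  # shown as "ACCEPT all -- anywhere anywhere" without -v
    rule("ACCEPT", proto="tcp", states={"NEW"}, dport=22),
    rule("REJECT"),  # catch-all: matches everything left, so the policy never decides
]

def matches(r, pkt):
    # A rule matches when every qualifier it carries agrees with the packet.
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    return True

def verdict(chain, policy, pkt):
    # Returns (target, reason): the first matching rule wins, otherwise the policy.
    for i, r in enumerate(chain, 1):
        if matches(r, pkt):
            return r["target"], f"rule {i}"
    return policy, "policy"

def pkt(proto, iface, state, dport=None):
    return dict(proto=proto, iface=iface, state=state, dport=dport)

# Variants discussed in the thread: the ssh rule commented out (post #1), and
# the catch-all REJECT removed (post #5), which is when the policy matters.
WITHOUT_SSH = [r for r in CENTOS6_INPUT if r["dport"] != 22]
NO_CATCHALL = CENTOS6_INPUT[:-1]

if __name__ == "__main__":
    ssh, http = pkt("tcp", "eth0", "NEW", 22), pkt("tcp", "eth0", "NEW", 80)
    for name, chain, policy in [("default", CENTOS6_INPUT, "ACCEPT"),
                                ("ssh rule removed", WITHOUT_SSH, "ACCEPT"),
                                ("no catch-all, policy DROP", NO_CATCHALL, "DROP")]:
        print(f"{name:26} ssh={verdict(chain, policy, ssh)} http={verdict(chain, policy, http)}")
```

On a real host the same order is visible with "iptables -L -v -n" or "iptables-save", which is where the "-i lo" qualifier the plain listing hides shows up.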
Old 01-25-2016, 12:00 PM   #7
andreiv
LQ Newbie
 
Registered: Sep 2014
Posts: 7

Original Poster
Yes, that was it. Thank you for solving the mystery.
 
Old 01-25-2016, 01:11 PM   #8
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,498


Thanks for helping pull my brains from behind...
 
Old 01-25-2016, 01:34 PM   #9
brebs
Member
 
Registered: May 2013
Posts: 89

"iptables -L" is just a summary, with essential details and order omitted.

If you want to actually understand your rules, then you have to look at the output of "iptables-save".
 
Old 01-25-2016, 04:20 PM   #10
andreiv
LQ Newbie
 
Registered: Sep 2014
Posts: 7

Original Poster
If someone else lands here asking the same question as I did, the iptables basics are very well explained here:

https://wiki.centos.org/HowTos/Network/IPTables

I just found the link. Very clear and detailed explanations.

Last edited by andreiv; 01-25-2016 at 05:09 PM.