LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-23-2014, 11:50 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 713

Rep: Reputation: Disabled
Understanding iptables


I configured iptables to allow ports 80 and 443 for a webserver as well as 10000 for webmin using "iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT", etc. Please let me know if I correctly interpret the following iptables output.

Inputs
  • First three lines allow ports 10,000, 443, and 80 using the TCP protocol. Why do these lines describe "out" and "destination if these are inputs?
  • Line 4 means it will accept a response from a request.
  • What does Line 5 mean?
  • Line 6 means it will allow internal communication? Please elaborate.
  • Line 7 allows port 22 using TCP protocol.
  • Line 8 means if you get here, reject everything.

The forward section has to do with using Linux as a router, and it currently is set up not to do so.

The output section has no rules, and thus the server is allowed to output whatever it wants.

Thank you for your feedback.

Code:
[root@localhost ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
  177 14254 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere    
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  121 23018 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 89 packets, 13360 bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@localhost ~]#
 
Old 03-23-2014, 12:52 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,360
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by NotionCommotion View Post
I configured iptables to allow ports 80 and 443 for a webserver as well as 10000 for webmin using "iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT", etc.
As part of a multi-layered defence strategy you must expose as little as possible and especially not admin interfaces like Webmin. Ensure Webmin uses SSL, give it a separate iptables rule and allow only traffic from your management IP (ranges). "iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT" actually means a few things: no table specified: use the "filter" table (most block rules are better off in the "raw" table, using ipset and -j NOTRACK), make it the first rule of the INPUT chain (this almost never is a good thing as performance / rule order-wise you'd want the spot for the loopback interface, followed by INVALID / ESTABLISHED traffic, etc). Netfilter allows you to track a connections state and act on it. Doing otherwise isn't that good for performance.


Quote:
Originally Posted by NotionCommotion View Post
Code:
[root@localhost ~]# iptables -L -v
Please avoid posting interpreted data and potentially incomplete rule sets: instead post output of
Code:
iptables-save
Easier to read and correct.
 
Old 03-23-2014, 01:09 PM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,469

Rep: Reputation: Disabled
Quote:
Originally Posted by NotionCommotion View Post
First three lines allow ports 10,000, 443, and 80 using the TCP protocol. Why do these lines describe "out" and "destination if these are inputs?
Every rule can have a number of match criteria, such as the interface the packet is entering or exiting (the "in" and "out" matches) as well as the source and destination address, protocol type, and so on.

iptables -L -v produces a fixed set of columns for each row, including "in" and "out" (which is why using iptables-save is a good idea). If your rule doesn't include an interface or a destination address match criteria, that's the same as saying "any interface" or "any destination address".

Quote:
Originally Posted by NotionCommotion View Post
Line 4 means it will accept a response from a request.
That's correct. The ESTABLISHED state matches responses to previous requests and open TCP connections, while RELATED matches ICMP errors and secondary data streams (provided iptables knows how to interpret the protocol in question).

Quote:
Originally Posted by NotionCommotion View Post
What does Line 5 mean?
It allows all incoming ICMP packets. "Ping" replies and error messages related to other traffic (like various "unreachable" messages) are already implicitly allowed by the RELATED state match, but this rule will also allow other packets, like incoming Echo Requests.

Quote:
Originally Posted by NotionCommotion View Post
Line 6 means it will allow internal communication? Please elaborate.
Processes on the system itself may communicate using the loopback ("lo") interface. No external system can ever send packets to this interface, and packets from lo can never go out on the wire, so blocking it with a firewall rule makes little sense (and may cause all sorts of breakage).

It's considered a "best practice" to have a rule allowing traffic to/from lo at or very near the top of any firewall ruleset.

Quote:
Originally Posted by NotionCommotion View Post
Line 7 allows port 22 using TCP protocol.
Correct, it allows incoming packets to the SSH daemon.

Quote:
Originally Posted by NotionCommotion View Post
Line 8 means if you get here, reject everything.
Correct.

Last edited by Ser Olmy; 03-23-2014 at 01:11 PM.
 
Old 03-23-2014, 01:39 PM   #4
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 713

Original Poster
Rep: Reputation: Disabled
Thank you Ser Olmy, that was very helpful.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables log understanding help Azrael84 Linux - Security 10 07-08-2013 06:48 AM
I Need Help Understanding IPTables Bhuvana77 Linux - Networking 3 07-22-2010 07:25 AM
Understanding iptables veeruk101 Linux - Networking 4 07-25-2007 03:58 PM
understanding iptables gr00ve Linux - Networking 1 11-01-2004 01:47 PM
Understanding iptables Buckyjunior Linux - Networking 3 03-07-2004 07:18 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 09:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration