converting IP tables to a chart

sportsman667 · 11-06-2007, 06:56 PM

Hello,
I am trying to convert my IP tables into a chart-like format to better understand what is going on. Only problem is im not sure if the table I have created is set up correctly. Could someone take a look at this and either varify it for me or tell me where I have made a possible mistake.

Thanks again,
Thomas

MY IP TABLES: (permit all outgoing connections (including response packets), incoming ICMP, incoming ssh, and incoming finger connections. Reject all other packets.)
# iptables -F
# iptables -A INPUT -i 1o -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 79 -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -j REJECT

MY CHART:

direction source protocols source port destination port Action
OUTGOING INTERNAL Any Any Any ACCEPT
OUTGOING INTERNAL TCP >1023 22 ACCEPT
INCOMING EXTERNAL TCP 22 >1023 ACCEPT
OUTGOING INTERNAL TCP >1023 79 ACCEPT
INCOMING EXTERNAL TCP 79 >1023 ACCEPT
INCOMING EXTERNAL ICMP Any Any ACCEPT
EITHER ANY Any Any Any Deny

Simon Bridge · 11-06-2007, 07:15 PM

iptables -L

will give you a chart

You seem to have a default ACCEPT policy ...
... don't do this - instead, set up a drop policy on all chains. Then explicitly accept what you plan to. Then your input chains will work as expected if you remove the last one and you need to add all an output accept-all line.

win32sux · 11-06-2007, 08:22 PM

And even more charty (chartier?) output can be obtained with:

Code:

iptables -nvL --line-numbers

Simon Bridge · 11-06-2007, 09:13 PM

Also spotted typo:

Quote:

# iptables -A INPUT -i 1o -j ACCEPT

# iptables -A INPUT -i lo -j ACCEPT