How Iptables works

Half_Elf · 07-04-2002, 02:35 AM

I have few questions about how iptables works.
I writed some iptables script but I just discover (myself) a real security hole in my own firewall script. Because of that I have some questions

Here are my questions:
1-I want to know.. what exactly iptables do if he doesn't find a suitable rules? I think he is allowing the trafic, but can I change this? Can I add an option to block all "not ruled" incoming trafic?

2-If 2 rules say the same things but do not "do" the same thing with the trafic, what will happen?
Example:
-A INPUT -s 0/0 -d 0/0 -p --dport 9999 -j ACCEPT
and
-A INPUT -s 0/0 -d 0/0 -p --dport 9999 -j DROP

Will Iptables drop the trafic or will it "stop checking" after the first matching rules ?

3-Depending of the answer of the last question.... Can I accept and log connection with two line like this :
-A INPUT -s 0/0 -d 0/0 -p --dport 9999 -j ACCEPT
and
-A INPUT -s 0/0 -d 0/0 -p --dport 9999 -j LOG
or do I need to do something else?

Thanx

DavidPhillips · 07-04-2002, 11:00 AM

The first rule will be used, you should always put the accept rules first then the drop or deny rule for everything else
The logging is usually placed in between the accept rule and the drop rule,
the packets that get past the accept rule will be logged and then dropped.

It is not really a great idea to log everything so it makes sense to log the dropped or denied packets for sercurity reasons.

If you really want to log accepted packets then you should be able to put the log rule first.

Half_Elf · 07-04-2002, 04:25 PM

Ahhhh thanks

Can I log some rules in a files instead of these annoying dmesg progs??

DavidPhillips · 07-05-2002, 01:48 AM

it is setup in /etc/syslog.conf

it goes to kern priority level 4

I think most systems will see it in /var/log/messages or the console

tarballedtux · 07-10-2002, 06:24 PM

Just to answer your first question. If there is no suitable rule found then IPTABLES reverts to the policy rule. When you do a IPTABLES -L command the name of the chain followed by the policy is displayed (ex INPUT(DROP) ) means that if no rules match an incoming packet then the packet is dropped.
To set policies just put these three lines at the beginning of your firewall script.

IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP

That should tighten your box slightly

Half_Elf · 07-11-2002, 09:03 PM

hum Thanx, I will play with these new rules