LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-10-2004, 09:50 PM   #16
ppuru
From the man pages
iptables [-t table] -I chain [rulenum] rule-specification [options]
The -I option allows you to insert a rule. Suppose you have rule 2 and rule 3 and you think your new rule should come after 2 but before 3; you can use

iptables -I INPUT 3 xxxxxx
Quote:
I still don't follow what the numbers represent and how they work
Those numbers are just statistics - counters. They are the number of packets and bytes that have passed through the chain.
You can reset these counters with the -Z option.
Try this:
1. do an iptables-save. note the counter values - the ones in [ : ]
2. zero the counters
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
3. iptables-save again - into another file

Now compare the counter values. These values provide statistics and in no way affect your rules.

Please let us know if you are looking for something specific about these counters.
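A small parser for the before/after comparison described above, added here as an example and not code from the thread. It assumes both dumps were taken with `iptables-save -c`, which is what prints the [packets:bytes] counters for policies and rules; the two snapshots below are constructed, not real captures.

```python
import re

# Constructed sample of two `iptables-save -c` snapshots (not real captures):
# chain lines carry the policy counters and rule lines their own counters,
# both as [packets:bytes], which is what the before/after comparison reads.
BEFORE = """\
*filter
:INPUT DROP [40:3200]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [55:4100]
[120:9800] -A INPUT -i lo -j ACCEPT
[7:420] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
AFTER = """\
*filter
:INPUT DROP [52:4160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [61:4700]
[131:10700] -A INPUT -i lo -j ACCEPT
[7:420] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] (-A .*)$")

def parse_counters(dump):
    """Map 'policy:CHAIN' and each rule's -A text to its (packets, bytes)."""
    counters = {}
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            counters["policy:" + m.group(1)] = (int(m.group(3)), int(m.group(4)))
        elif (m := RULE_RE.match(line)):
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters

def counter_delta(before, after):
    """Packets and bytes each rule or policy saw between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: (a[k][0] - b[k][0], a[k][1] - b[k][1]) for k in a if k in b}

def hits_since(before, after):
    """Only the entries whose packet counter moved. A moving 'policy:INPUT'
    means packets reached the DROP policy, i.e. nothing explicitly allowed them."""
    return {k: v for k, v in counter_delta(before, after).items() if v[0] > 0}
```

The policy counter is the one to watch on a default-DROP chain: it counts exactly the packets that no rule accepted.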
 
Old 08-10-2004, 10:06 PM   #17
Obie
ppuru,

Thanks. When you mean Rule 2 and Rule 3, are you referring to the line number within say the INPUT chain? As for the counters, how relevant are they to security?

I also noticed that my pre-configured chains have the policy DROP. When do they change from policy ACCEPT to policy DROP and vice versa?

Mandrake 10 came pre-defined with several firewall rules. Is it safe to delete them all and start from scratch since there are pre-defined chains apart from the common INPUT, OUTPUT and FORWARD? Is there a way to save both the rules and chains just to be on the safe side?

 
Old 08-10-2004, 10:17 PM   #18
ppuru
Quote:
Thanks. When you mean Rule 2 and Rule 3, are you referring to the line number within say the INPUT chain? As for the counters, how relevant are they to security?
It can be the INPUT chain or any other chain that you specify e.g.
iptables -I OUTPUT 3 xxx will insert the rule at position 3 of the OUTPUT chain

Quote:
Mandrake 10 came pre-defined with several firewall rules. Is it safe to delete them all and start from scratch since there are pre-defined chains apart from the common INPUT, OUTPUT and FORWARD? Is there a way to save both the rules and chains just to be on the safe side?
Pointing you back to my first response to this thread.
http://www.linuxquestions.org/questi...53#post1099553
Mandrake, being a RedHat/Fedora based distro, also saves iptables rules at /etc/sysconfig/iptables. So you can simply rename the existing set of rules and start afresh.
To save your new rules you can issue the command service iptables save. You can still use the iptables-save command if you wish.
 
Old 08-10-2004, 10:23 PM   #19
Obie
ppuru,

Thanks. Would you be able to help me understand the policy ACCEPT and DROP beside each chain e.g. Chain INPUT (policy DROP)
 
Old 08-10-2004, 10:44 PM   #20
ppuru
Wouldn't call myself an expert on netfilters ... will still try to help you out.

From the man page
Quote:
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.

With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.
 
Old 08-11-2004, 04:06 PM   #21
Obie
ppuru,

That makes sense. Most of the guides out there don't explain the difference and how it works apart from creating rules for specific chains.
 
Old 08-11-2004, 09:06 PM   #22
Obie
Just one more question on your reply, ppuru.

-----------------------------------------
#quote
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.

With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.
-----------------------------------------

Now if I don't write any rules under Chain INPUT (policy DROP), will it drop every incoming packet?
 
Old 08-11-2004, 11:19 PM   #23
ppuru
Quote:
if I don't write any rules under Chain INPUT (policy DROP), will it drop every incoming packet?
True, a default INPUT DROP with no additional INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).
 
Old 08-12-2004, 01:32 AM   #24
barisdemiray
Quote:
Originally posted by ppuru
True, a default INPUT DROP with no additional INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).
Only a bit more explanation :-) When a packet arrives, it will be checked against the rules in order. If it matches the first one then jump to the first one's target, if it matches the second one then jump to the second one's target... And if there is no matching rule then `do the global policy'. So if you don't have any rule in your chain, the global policy will directly be the packet's fate. You can treat the case where you have a global policy and no rule as if you had only one rule:

Code:
iptables -A INPUT -j DROP
 
Old 08-12-2004, 02:37 AM   #25
Obie
-------------------------------------------
quote: barisdemiray
Only a bit more explanation :-) When a packet arrives, it will be checked against the rules in order. If it matches the first one then jump to the first one's target, if it matches the second one then jump to the second one's target... And if there is no matching rule then `do the global policy'. So if you don't have any rule in your chain, the global policy will directly be the packet's fate. You can treat the case where you have a global policy and no rule as if you had only one rule:
-------------------------------------------

You mentioned assume, and I am guessing that the global policy would be to drop every packet that comes through via INPUT for example as the Chain policy is e.g. Chain INPUT (policy DROP)

Just another question: now when it says, for example, Chain common (1 reference), what does that mean? Having looked at the default rules in my iptables it seems to have its own pre-configured chains. I suppose you won't know what common does, but what does the numerical value of 1 reference refer to?

By the way ppuru, mandrake does not have a folder called /etc/sysconfig/iptables akin to Red Hat/Fedora.

 
Old 08-12-2004, 02:46 AM   #26
ppuru
Quote:
By the way ppuru, mandrake does not have a folder called /etc/sysconfig/iptables akin to Red Hat/Fedora.
Check in the iptables script (should be in /etc/init.d) and look where Mandrake saves the rules.
 
Old 08-12-2004, 02:52 AM   #27
Obie
ppuru, thanks. Would you be able to help with my previous questions on "reference"?
 
Old 08-12-2004, 03:33 AM   #28
barisdemiray
Quote:
Originally posted by Obie

Just another question: now when it says, for example, Chain common (1 reference), what does that mean? Having looked at the default rules in my iptables it seems to have its own pre-configured chains. I suppose you won't know what common does, but what does the numerical value of 1 reference refer to?
That means the chain named `common' is the target of a rule. Look at the command output below:

Code:
[root@labris1 log]# iptables -N example
[root@labris1 log]# iptables -A example -j LOG
[root@labris1 log]# iptables -A INPUT -j example
[root@labris1 log]# iptables -L example
Chain example (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level warning
[root@labris1 log]# iptables -X example
iptables: Can't delete chain with references left
[root@labris1 log]#
When the `common' chain is the target of three rules, the reference count will be 3.
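A toy model of the two things barisdemiray explains, in post #24 (rules are tried in order, the first match decides, and the policy only applies when nothing matched) and in post #28 (the reference count is the number of rules that jump to a user-defined chain, and such a chain cannot be deleted while that count is non-zero). This is an added example and not netfilter's code; the packet is simply a dict of header fields and a match is a dict of fields that must be equal.

```python
# Toy model of chain traversal, added as an example and not netfilter's own
# code: -j into a user-defined chain enters it and comes back when it runs out
# of rules; the policy of a built-in chain applies only when nothing matched.
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

class Ruleset:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}      # chain -> [(match, target)]
        self.policy = {c: "ACCEPT" for c in BUILTIN}

    def new_chain(self, name):                       # iptables -N name
        self.chains[name] = []

    def append(self, chain, match, target):          # iptables -A chain ... -j target
        self.chains[chain].append((match, target))

    def insert(self, chain, rulenum, match, target): # iptables -I chain rulenum ...
        self.chains[chain].insert(rulenum - 1, (match, target))   # rulenum is 1-based

    def set_policy(self, chain, target):             # iptables -P chain target
        if chain not in BUILTIN:
            raise ValueError("only built-in chains can have policies")
        self.policy[chain] = target

    def references(self, name):
        """The '(N references)' count: rules anywhere whose target is this chain."""
        return sum(1 for rules in self.chains.values() for _, t in rules if t == name)

    def delete_chain(self, name):                    # iptables -X name
        if self.references(name):
            raise RuntimeError("Can't delete chain with references left")
        del self.chains[name]

    def verdict(self, chain, packet):
        """Walk `chain` for `packet` (a dict of header fields); return the verdict."""
        for match, target in self.chains[chain]:
            if not all(packet.get(k) == v for k, v in match.items()):
                continue                             # no match: try the next rule
            if target in TERMINAL:
                return target                        # first match decides
            if target == "RETURN":
                break
            if target in self.chains:                # jump into a user-defined chain
                sub = self.verdict(target, packet)
                if sub != "RETURN":
                    return sub
            # LOG and other non-terminal targets fall through to the next rule
        return self.policy[chain] if chain in BUILTIN else "RETURN"
```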
 
Old 08-12-2004, 03:29 PM   #29
Obie
Thank you all for your help. I do have a couple more queries.

I flushed all my rules within iptables and have the following listed as local policy

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

1) What does "opt" refer to?

2) Say for example I wish to allow icmp (ping) requests from my box; I would use the following command: iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply, or (B) something else completely? Also, would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?

3) My next question is on --sport and --dport. Suppose I wish to allow my PC to access web pages, which commonly utilise port 80. As far as my OUTPUT rule is concerned, do I use --sport or --dport, and also what rule do I need for INPUT?

4) When do I use FORWARD and how do I use it? From what I have read so far, it is when you wish to send packets to another interface on your PC, assuming that I have 2.

5) How do I log every packet dropped, rejected and accepted, and where are the logs kept? Would it be in /var/log/syslog? Can I have separate files for the different target policies and if so how do I do so?

6) Is it possible to comment on each rule I create and if so how?
 
Old 08-12-2004, 04:23 PM   #30
barisdemiray
Quote:
Originally posted by Obie Thank you all for your help. I do have a couple more queries.

I flushed all my rules within iptables and have the following listed as local policy

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
Quote:
1) What does "opt" refer to?
Hmm.. No idea..

Quote:
2) Say for example I wish to allow icmp (ping) requests from my box; I would use the following command: iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply, or (B) something else completely? Also, would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?
True, echo-request (ping) causes an echo-reply (pong). You need to allow some of your ICMP traffic. But if you're blocking icmp-echo-request packets in the INPUT chain, then there is no need to block icmp-echo-reply in the OUTPUT chain because they simply will not be created :-)

Since net traffic is bidirectional, you need to allow both INPUT and OUTPUT. You cannot connect to www.yahoo.com if you can send request packets (allow in OUTPUT) but cannot get replies (deny in INPUT) from that address.

Quote:
3) My next question is on --sport and --dport. Suppose I wish to allow my PC to access web pages, which commonly utilise port 80. As far as my OUTPUT rule is concerned, do I use --sport or --dport, and also what rule do I need for INPUT?
Allow your web traffic with --dport 80 in the OUTPUT chain or --source www.etc.com in your INPUT chain. You send to port 80, but can get the resulting reply from another port.

Quote:
4) When do I use FORWARD and how do I use it? From what I have read so far, it is when you wish to send packets to another interface on your PC, assuming that I have 2.
If you're configuring a firewall on a gateway, for example, then you use the FORWARD chain. They transmit a packet from the internal network to the outer network (the internet, for example) or vice versa, and these packets go through the gateway computer. They do not pass through the INPUT and OUTPUT chains; they come from the wire, are checked against the rules in the FORWARD chain and go off the wire (I skipped the mangle and nat tables :-))

Quote:
5) How do I log every packet dropped, rejected and accepted, and where are the logs kept? Would it be in /var/log/syslog? Can I have separate files for the different target policies and if so how do I do so?
You can use the LOG target.

Code:
iptables -j LOG --help
A sample from my rc.firewall

Code:
iptables -A INPUT -p tcp --destination-port 22 -j LOG --log-prefix \
                  'FIREWALL: SSH req. rejected ' --log-level emerg
iptables -A INPUT -p tcp --destination-port 22 -j DROP
Quote:
6) Is it possible to comment on each rule I create and if so how?
That would be good but I don't know any way to do this. Maybe in the rc.firewall file, but not visible in the `iptables -L' command's output, for example.
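The LOG target writes through the kernel log, so where the lines land depends on the syslog configuration (commonly /var/log/messages or /var/log/kern.log); the --log-prefix from the rc.firewall sample above is what lets you pick them out. The parser below is an added example, not code from the thread, and the log lines in it are constructed to match the shape netfilter's LOG target emits (prefix, then KEY=VALUE fields); the host name and addresses are made up.

```python
import re
from collections import Counter

# Constructed syslog lines (not from any poster's machine) in the shape the
# netfilter LOG target writes: the --log-prefix text, then KEY=VALUE fields.
# The last line is an unrelated sshd message the parser must ignore.
SAMPLE_LOG = """\
Aug 12 16:20:01 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4421 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 16:20:03 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4422 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 12 16:21:17 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=901 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 12 16:21:20 labris1 sshd[1234]: Accepted publickey for obie from 192.168.0.3 port 50022 ssh2
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?) ?IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # flag words like DF or SYN carry no '='

def parse_log_line(line):
    """Return the KEY=VALUE fields plus 'prefix', or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    fields["prefix"] = m.group("prefix").strip()
    return fields

def dropped_by_source(text, prefix):
    """Count LOG entries carrying `prefix`, keyed by (SRC, PROTO, DPT)."""
    hits = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f["prefix"] == prefix:
            hits[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return hits
```

Pairing each LOG rule with a distinct --log-prefix, as the sample does, is what makes it possible to separate dropped, rejected and accepted traffic afterwards, whether by grep or by a syslog filter on the prefix.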
 