iptables maybe dumb question

fabmejia · 12-11-2007, 11:25 AM

Hello fellows,

I have a doubt

about the exact meaning and use of these initial lines in my /etc/sysconfig/iptables file:

# Generated by iptables-save v1.2.8 on Wed Apr 4 16:02:16 2007

*filter

:INPUT ACCEPT [172:6880]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [813:77074]

after these lines i have all my other set of rules, which I understand more or less, but I'll like to know the exact meaning of those initial lines.

Thankyou.

win32sux · 12-11-2007, 11:56 AM

Quote:

Originally Posted by fabmejia

I have a doubt

about the exact meaning and use of these initial lines in my /etc/sysconfig/iptables file:

# Generated by iptables-save v1.2.8 on Wed Apr 4 16:02:16 2007

*filter

:INPUT ACCEPT [172:6880]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [813:77074]

The first line indicates the date the config was created. The second line indicates the name of the table in which the chains that follow are located. The third, fourth, and fifth lines indicate chain names, the policies which are set on them, and the packet and byte count for each.

fabmejia · 12-11-2007, 04:01 PM

Thanks, and these policies indicates that iptables is accepting everything or to the contrary rejecting everything?.
Because i know that the rest of the rules that follows in my rule set are opening ports and some ip addresses; as I understand that first the firewall closes everything and then we begin to open only the necessary holes to get the work done...

win32sux · 12-11-2007, 08:21 PM

Quote:

Originally Posted by fabmejia

Thanks, and these policies indicates that iptables is accepting everything or to the contrary rejecting everything?.
Because i know that the rest of the rules that follows in my rule set are opening ports and some ip addresses; as I understand that first the firewall closes everything and then we begin to open only the necessary holes to get the work done...

Yes, that config indicates all your policies are set to ACCEPT. Ideally you'd want them to be set to DROP, but some people prefer to use a DROP rule at the end of their chains instead of setting the policy itself to DROP.

salasi · 12-12-2007, 03:39 AM

Just to make it completely clear; Policies are defaults for that chain. In other words, they specify what happens if nothing earlier in the chain does something that stops the packet falling through to the end of the chain.

So all packets that are in some way different from all the cases that you specifically thought about in designing the firewall will fall through to the default and that might be bad.

As win32sux suggests, the most secure thing is to arrange that chains drop by default. You could make a secure (well, up to a point) system that used accept-by-default, but its easier to get wrong. And its very easy to alter something that breaks your initial security when making modifications.

So drop-by-default is recommended for anything other than quick 'n dirty firewalls.

fabmejia · 12-12-2007, 08:06 AM

Thankyou, thats exactly the clarification I was looking for. I asked because I have readded the manual pages and the documentation, but that particular part of the rule set was not clearly understandable. Thanks again.