Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a doubt about the exact meaning and use of these initial lines in my /etc/sysconfig/iptables file:
# Generated by iptables-save v1.2.8 on Wed Apr 4 16:02:16 2007
*filter
:INPUT ACCEPT [172:6880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [813:77074]
The first line indicates the date the config was created. The second line indicates the name of the table in which the chains that follow are located. The third, fourth, and fifth lines indicate chain names, the policies which are set on them, and the packet and byte count for each.
Thanks, and do these policies indicate that iptables is accepting everything or, on the contrary, rejecting everything?
Because I know that the rest of the rules that follow in my rule set are opening ports and some IP addresses; as I understand it, first the firewall closes everything and then we begin to open only the necessary holes to get the work done...
Yes, that config indicates all your policies are set to ACCEPT. Ideally you'd want them to be set to DROP, but some people prefer to use a DROP rule at the end of their chains instead of setting the policy itself to DROP.
Just to make it completely clear: policies are defaults for that chain. In other words, they specify what happens if nothing earlier in the chain does something that stops the packet falling through to the end of the chain.
So all packets that are in some way different from all the cases that you specifically thought about in designing the firewall will fall through to the default, and that might be bad.
As win32sux suggests, the most secure thing is to arrange that chains drop by default. You could make a secure (well, up to a point) system that used accept-by-default, but it's easier to get wrong. And it's very easy to alter something that breaks your initial security when making modifications.
So drop-by-default is recommended for anything other than quick 'n dirty firewalls.
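The check a defender would run on a dump like the one quoted above, as an added example that is not from the thread: it flags built-in filter chains whose policy is ACCEPT and rewrites the header to the drop-by-default form both replies recommend. The rule set in SAMPLE_RULES is constructed, modelled on the poster's header lines.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for
# filter-table chains whose default policy is ACCEPT.
# Constructed sample, modelled on the poster's /etc/sysconfig/iptables header.
SAMPLE_RULES='# Generated by iptables-save v1.2.8 on Wed Apr 4 16:02:16 2007
*filter
:INPUT ACCEPT [172:6880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [813:77074]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print "CHAIN POLICY" for every chain in the *filter table whose policy
# line (":NAME POLICY [pkts:bytes]") says ACCEPT. Reads the dump on stdin.
# User-defined chains carry the policy "-" and are therefore skipped.
accept_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }          # *filter, *nat, ...
        table == "filter" && /^:/ && $2 == "ACCEPT" {
            print substr($1, 2), $2                   # drop the leading ":"
        }
    '
}

# Rewrite the built-in filter chain policies to DROP. Rules and counters are
# left untouched; once OUTPUT defaults to DROP it needs its own ACCEPT rules
# (e.g. for ESTABLISHED,RELATED), otherwise the host cannot talk back.
harden_policies() {
    sed -E '/^:(INPUT|FORWARD|OUTPUT) ACCEPT /s/ ACCEPT / DROP /'
}

# Number of chains the audit flags in the sample (0 after hardening).
count_accept_policies() {
    printf '%s\n' "$SAMPLE_RULES" | accept_policies | wc -l | tr -d ' '
}
count_after_hardening() {
    printf '%s\n' "$SAMPLE_RULES" | harden_policies | accept_policies \
        | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | accept_policies       # INPUT, FORWARD, OUTPUT
printf '%s\n' "$SAMPLE_RULES" | harden_policies       # header now ":INPUT DROP ..."
```

On a live system, feed the audit with `iptables-save | accept_policies` instead of the constructed sample.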
Thank you, that's exactly the clarification I was looking for. I asked because I have read the manual pages and the documentation, but that particular part of the rule set was not clearly understandable. Thanks again.