Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 03-20-2006, 08:45 AM
xpucto (Member; Registered: Sep 2005; Location: Vienna, Austria; Distribution: Mint 13; Posts: 524)
iptables: not understanding a specific line.
Hi!
I got to see an iptables configuration and couldn't understand the following line:
Quote:
REJECT all -- anywhere anywhere reject-with
Could anyone explain to me what it means?
Thanks.
#2, 03-20-2006, 01:35 PM
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
it's your basic REJECT rule... it would be much clearer if you would look at (or post) the actual rule from your iptables script...
Last edited by win32sux; 03-20-2006 at 01:36 PM.
#3, 03-20-2006, 03:24 PM
xpucto (Member; Registered: Sep 2005; Location: Vienna, Austria; Distribution: Mint 13; Posts: 524; Original Poster)
Quote:
Originally Posted by win32sux
it's your basic REJECT rule... it would be much clearer if you would look at (or post) the actual rule from your iptables script...
Here is my iptables:
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Is
Quote:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
like policy REJECT, or is there a difference?
And what does RH-Firewall-1-INPUT mean actually?
Thanks.
#4, 03-20-2006, 07:51 PM
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by xpucto
Is like policy REJECT, or is there a difference?
there is a difference... basically you don't wanna use a "catch-all" rule at the end of the chain, you wanna instead set the right policy for the chain, because that's what the policies are there for... so practically speaking, you should set your INPUT policy to DROP (i suggest DROP instead of REJECT) and remove that REJECT rule...
Quote:
And what does RH-Firewall-1-INPUT mean actually?
it's a user-created chain... according to what you posted, it's referenced twice... looks like once from the INPUT chain and once from the FORWARD chain...
the setup is not so clear by what you posted, try adding the "-v" option to the "iptables -L" command to get a better view, and also:
Code:
iptables -L -v -t nat
is this box a gateway/firewall/router or is it a regular client PC??
#5, 03-21-2006, 07:18 AM
xpucto (Member; Registered: Sep 2005; Location: Vienna, Austria; Distribution: Mint 13; Posts: 524; Original Poster)
Quote:
sudo /sbin/iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27M 5358M RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 53M packets, 60G bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
958K 318M ACCEPT all -- lo any anywhere anywhere
11582 1379K ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
11 1141 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
26M 5004M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
258K 13M ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
35 1912 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:8000
12 648 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
4284 256K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
266 14010 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
373K 22M REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Quote:
sudo /sbin/iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
What does it tell us that's new? The firewall is for a webserver.
I still didn't understand the meaning and function of RH-Firewall-1-INPUT. If it's a user-created chain, where may I read what's in it?
#6, 03-21-2006, 03:14 PM
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by xpucto
If it's a user-created chain, where may I read what's in it?
it's this part of what you posted:
Code:
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
958K 318M ACCEPT all -- lo any anywhere anywhere
11582 1379K ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
11 1141 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
26M 5004M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
258K 13M ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
35 1912 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:8000
12 648 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
4284 256K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
266 14010 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
373K 22M REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
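Added example, not from the thread or its posters: a small Python model of the two points win32sux makes in #4 and #6, that the built-in policy is the fallback and that RH-Firewall-1-INPUT is just a user chain which INPUT and FORWARD jump into. It parses an `iptables -L -v` listing (a constructed sample trimmed from the one posted), walks a chain the way the kernel does for a packet that no specific rule matches, and flags a built-in chain whose only deny is a catch-all rule under an ACCEPT policy; the function names are my own.

```python
import re
# Constructed sample, trimmed from the `iptables -L -v` listing posted in the thread.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  27M 5358M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
Chain RH-Firewall-1-INPUT (2 references)
 958K  318M ACCEPT     all  --  lo     any     anywhere             anywhere
  26M 5004M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 4284  256K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
 373K   22M REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_listing(text):
    """{chain: {"policy": str or None for user chains, "rules": [dict]}} from `iptables -L -v` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        m, f = CHAIN_RE.match(line), line.split()
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif cur and len(f) >= 9 and f[0] != "pkts":  # skip blank and column-header lines
            # columns: pkts bytes target prot opt in out source destination [match/target options]
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                                 "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def is_catch_all(r):  # matches every packet: no match options, at most a reject-with target option
    return ((r["prot"], r["in"], r["out"], r["src"], r["dst"]) == ("all", "any", "any", "anywhere", "anywhere")
            and (not r["extra"] or r["extra"].startswith("reject-with")))

def fall_through(chains, name):
    """Fate of a packet no specific rule matches: rules run in order, a jump into a user chain returns
    to the caller when that chain runs out, and the policy applies only once the built-in chain is exhausted."""
    for r in chains[name]["rules"]:
        if not is_catch_all(r): continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], f"rule in {name}"
        if r["target"] in chains:  # jump into a user-defined chain
            fate = fall_through(chains, r["target"])
            if fate: return fate
    pol = chains[name]["policy"]
    return (pol, "policy") if pol else None  # None: the user chain fell through (implicit RETURN)

def audit(text):  # flag built-in chains whose only deny is a catch-all rule while the policy is ACCEPT
    chains, out = parse_listing(text), []
    for name, ch in chains.items():
        fate, how = fall_through(chains, name) or (None, None)
        if ch["policy"] == "ACCEPT" and fate != "ACCEPT":
            out.append(f"{name}: policy ACCEPT, denied only by {fate} {how}; fails open if that rule is flushed")
    return out
```

Flushing RH-Firewall-1-INPUT (which a rule reload does for a moment) leaves INPUT under its ACCEPT policy with nothing denying, which is exactly why the thread's advice is to put the deny in the policy and drop the catch-all rule.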