Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-02-2006, 01:20 AM, #1
LQ Newbie
Registered: Jan 2006
Location: Hong Kong
Distribution: Fedora 4
Posts: 22
iptables question
When I use "iptables -L -n" to show the iptables rules,
I see the following details:
Quote:
[people@localhost ~]$ iptables -L -n
Chain FORWARD (policy DROP)
target prot opt source destination
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:139
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:138
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:137
ACCEPT tcp -- 192.168.0.100 0.0.0.0/0 tcp dpt:136
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Why is the first rule of OUTPUT and INPUT
"ACCEPT all -- 0.0.0.0/0 0.0.0.0/0"?
If the first rule accepts all input, is this firewall setting right or wrong?
03-02-2006, 02:24 AM, #2
Member
Registered: Feb 2006
Location: Vietnam
Distribution: FC, RH, SuSE
Posts: 106
Quote:
Why the OUTPUT and INPUT first rule is
"ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" ?
It means that your system accepts all by default.
Quote:
If the first rule accept all input, this firewall setting is right or wrong?
Not right and not wrong. In this case, your "firewall" just seems to be not available. But you can modify it then.
03-02-2006, 08:19 PM, #3
LQ Newbie
Registered: Jan 2006
Location: Hong Kong
Distribution: Fedora 4
Posts: 22
Original Poster
Quote:
Originally Posted by nguyennh
It means that your system accepts all by default.
Not right and not wrong . In this case , your "firewall" just seems to be not available . But you can modify it then .
How can I modify it?
Because I haven't seen this accept rule in the iptables settings file.
03-02-2006, 08:36 PM, #4
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
Can you post your script that creates the rules? Your INPUT chain's default policy is set to DROP, but the first rule (ACCEPT all -- 0.0.0.0/0 0.0.0.0/0) looks like it accepts anything.
There are 2 main ways to modify your rules. You can have a shell script with multiple iptables rules or you can use iptables-save and iptables-restore to store/retrieve them. How to change your rules depends on which method your script is using.
03-02-2006, 09:39 PM, #5
LQ Newbie
Registered: Jan 2006
Location: Hong Kong
Distribution: Fedora 4
Posts: 22
Original Poster
Quote:
Originally Posted by gilead
Can you post your script that creates the rules? Your INPUT chain's default policy is set to DROP, but the first rule (ACCEPT all -- 0.0.0.0/0 0.0.0.0/0) looks like it accepts anything.
There are 2 main ways to modify your rules. You can have a shell script with multiple iptables rules or you can use iptables-save and iptables-restore to store/retrieve them. How to change your rules depends on which method your script is using.
I have tried removing the 139, 138, 137 port input rules.
After restarting iptables, I can't use Samba to connect to the Linux box.
But when I re-enter these rules and restart iptables again, Samba works fine. The result and the rule output list are not the same.
Here is the iptables script.
Quote:
## /etc/sysconfig/iptables
## Default policy - deny all request
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
#:OUTPUT DROP [0:0]
## Pass all locally-originating packets
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
## Accept only ICMP ping echo request
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
## Accept all ICMP requests
-A INPUT -p icmp -j ACCEPT
## Accept traffic on port from a specific IP
## (Do NOT remove the following keywords,
## as they're needed to alter incoming IPs and ports.)
## UPDATE ##
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 137 -j ACCEPT
## END ##
## Drop outside initiated connections
-A INPUT -m state --state NEW -j REJECT
## Allow inbound established and related outside communication
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Necessary for iptables-restore
COMMIT
03-02-2006, 09:58 PM, #6
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
OK, the rules look fine. According to man iptables, the "exact rules are suppressed until you use iptables -L -v". Can you run that and post the output please?
03-03-2006, 10:38 PM, #7
LQ Newbie
Registered: Jan 2006
Location: Hong Kong
Distribution: Fedora 4
Posts: 22
Original Poster
Quote:
Originally Posted by gilead
OK, the rules look fine. According to man iptables, the "exact rules are suppressed until you use iptables -L -v" Can you run that and post the output please?
Following is the output of "iptables -L -v":
When using -L and -v to list the table rules,
I think the first rule accepts the local connection...
The problem may be that I was using the wrong command option to list the rules.
Quote:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 REJECT all -- any any anywhere anywhere state NEW reject-with icmp-port-unreachable
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
03-04-2006, 05:34 AM, #8
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
I'd say you're right - with the lo displaying in the output, it's easier to understand.
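The thread's lesson is that `iptables -L -n` omits the in/out interface columns, so a rule like `-A INPUT -i lo -j ACCEPT` prints as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` and looks wide open, while `-L -v` reveals the `lo` match. The following script is an added example, not code from the thread or from the iptables project: it parses an iptables-save ruleset (the poster's script, reproduced inline as constructed sample input, with comments dropped), renders each rule the way the `-n` and `-v` listings would, and separates rules that merely look unrestricted in the `-n` view from rules that really match every packet. It handles only the options the poster's script uses (`-i`, `-o`, `-p`, `-s`, `-d`, `-m` with `--dport`/`--state`, `-j`); the column rendering is a simplification of the real listing format.

```python
"""Audit an iptables-save ruleset and show why `iptables -L -n` can mislead.

Added example; not part of the original thread. Handles the iptables-save
options used in the poster's script (-i/-o/-p/-s/-d/-m/--dport/--state/-j).
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample input: the poster's /etc/sysconfig/iptables, copied inline
# (comments and the commented-out lines removed) so the script runs offline.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.100 --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

ANY_ADDR = "0.0.0.0/0"

@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: str = "all"
    in_if: str = "*"        # `-L -v` prints "any" for the wildcard interface
    out_if: str = "*"
    src: str = ANY_ADDR
    dst: str = ANY_ADDR
    extra: list = field(default_factory=list)   # match options: "dport 139", "state NEW"

# Options whose single argument maps straight onto a Rule field.
SIMPLE_OPTS = {"-j": "target", "-p": "proto", "-i": "in_if",
               "-o": "out_if", "-s": "src", "-d": "dst"}

def parse_ruleset(text):
    """Return (rules, policies) from iptables-save text. Only -A rules are handled."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):            # chain header, e.g. ":INPUT DROP [0:0]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1])
        i = 2
        while i < len(toks):
            opt = toks[i]
            if opt in SIMPLE_OPTS:
                setattr(rule, SIMPLE_OPTS[opt], toks[i + 1])
            elif opt == "-m":               # match extension name; its options follow
                pass
            elif opt.startswith("--"):      # option owned by a match, e.g. --dport 139
                rule.extra.append(f"{opt[2:]} {toks[i + 1]}")
            else:
                raise ValueError(f"unhandled token {opt!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules, policies

def listing_n(rule):
    """Columns `iptables -L -n` prints: the interfaces are NOT among them."""
    return (rule.target, rule.proto, "--", rule.src, rule.dst, " ".join(rule.extra))

def listing_v(rule):
    """Columns `iptables -L -v` adds: in and out interface ("any" for the wildcard)."""
    name = lambda ifc: "any" if ifc == "*" else ifc
    return (rule.target, rule.proto, "--", name(rule.in_if), name(rule.out_if),
            rule.src, rule.dst, " ".join(rule.extra))

def looks_unrestricted(rule):
    """True when the `-L -n` row reads 'ACCEPT all -- 0.0.0.0/0 0.0.0.0/0' and nothing more."""
    return (rule.target == "ACCEPT" and rule.proto == "all"
            and rule.src == ANY_ADDR and rule.dst == ANY_ADDR and not rule.extra)

def is_unrestricted(rule):
    """True when the rule really matches every packet: no interface match either."""
    return looks_unrestricted(rule) and rule.in_if == "*" and rule.out_if == "*"

def audit(text):
    """Split ACCEPT rules into 'only looks open under -L -n' and 'truly open'."""
    rules, policies = parse_ruleset(text)
    hidden_match = [r for r in rules if looks_unrestricted(r) and not is_unrestricted(r)]
    wide_open = [r for r in rules if is_unrestricted(r)]
    return hidden_match, wide_open, policies

if __name__ == "__main__":
    hidden, wide_open, policies = audit(SAMPLE_RULESET)
    print("default policies:", policies)
    for r in hidden:
        print(f"{r.chain}: -L -n shows", *listing_n(r))
        print(f"{r.chain}: -L -v shows", *listing_v(r))
    print("truly unrestricted ACCEPT rules:", len(wide_open))
```

Run against the poster's ruleset, the two loopback rules are the only ones reported as "look open under -n, restricted under -v", and no rule is truly unrestricted, which is the conclusion the thread reached by hand. When reviewing a live host, `iptables-save` output (or `iptables -S`) is the form to audit, since it preserves every match that `-L -n` drops.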