LinuxQuestions.org
02-21-2015, 08:44 PM   #16
rknichols
Quote (originally posted by Miati):
It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff more simple, they also have the effect of making debugging or understanding it a nightmare.
For example,
Code:
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
This to me says, accept anything from anywhere, otherwise accept it as long as it's related or established.
What's the point of the second one if it's already accepted?
That's a result of doing the listing without the "-v" option. The interface qualifiers get lost. You will almost certainly find that the first ACCEPT rule applies only to the "lo" loopback interface. Pretty much any time someone posts "iptables -L" output, I have to tell them to go back and add "-v".
02-21-2015, 09:41 PM   #17
ardvark71 (Original Poster)
Hi all...

Here's the same configuration using the additional "-v" option...

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  955  333K ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
  955  333K ufw-before-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-input  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1005 84965 ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
 1005 84965 ufw-before-output  all  --  any    any     anywhere             anywhere            
  155 11800 ufw-after-output  all  --  any    any     anywhere             anywhere            
  155 11800 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  155 11800 ufw-reject-output  all  --  any    any     anywhere             anywhere            
  155 11800 ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  390 32139 ACCEPT     all  --  lo     any     anywhere             anywhere            
  549  297K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
   16  2870 ufw-not-local  all  --  any    any     anywhere             anywhere            
   16  2870 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  390 32139 ACCEPT     all  --  any    lo      anywhere             anywhere            
  460 41026 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  155 11800 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
   16  2870 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   42  2520 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  111  9200 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
Regards...
 
02-22-2015, 03:39 AM   #18
haertig
I never liked the output from "iptables -L -v". I prefer the output to look more like what I entered as rules. Use "iptables-save" to display things more like how they were input.

And I agree with others, that iptables framework that the GUI tool set up ... yeuch ... what a mess. They say "every baby but your own is ugly". That certainly covers that framework. Only the guy who wrote it would want to look at it. The rest of us would turn our head away in horror.

Here's the firewall on my router displayed using the two methods. First, the ugly (IMHO) iptables -L -v way, then the much nicer (IMHO) iptables-save way (in the iptables-save display, scroll down to where the filter table is displayed to see what I'm talking about "the output looks more like what I entered as rules"):

Code:
root@unknown:/tmp/home/root# iptables -L -v
Chain INPUT (policy DROP 3029 packets, 189K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 292K   32M ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:1194 
  642 38520 DROP       all  --  br0    any     anywhere             wan-ip              
  174 15616 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 114K   16M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   26  1889 ACCEPT     all  --  lo     any     anywhere             anywhere            
 137K   20M ACCEPT     all  --  br0    any     anywhere             anywhere            
   46  1894 ACCEPT     icmp --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpts:33434:33534 limit: avg 5/sec burst 5 
33799   11M ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc 
   37  1788 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https 
 2923  169K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun21  any     10.192.169.5         anywhere            
    0     0 ACCEPT     all  --  tun21  any     10.192.169.9         anywhere            
    0     0 ACCEPT     tcp  --  tun21  any     anywhere             Davids_computer_wired tcp dpt:32469 
 291K   13M ACCEPT     tcp  --  tun21  any     anywhere             Davids_computer_wired tcp dpt:32400 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:32414 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:32413 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:32412 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:32410 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:mdns 
    0     0 ACCEPT     udp  --  tun21  any     anywhere             Davids_computer_wired udp dpt:upnp 
    0     0 ACCEPT     icmp --  tun21  any     anywhere             unknown             
    0     0 ACCEPT     icmp --  tun21  any     anywhere             Davids_computer_wired 
  331 30058 DROP       all  --  tun21  any     anywhere             anywhere            
  10M 8391M            all  --  any    any     anywhere             anywhere            account: network/netmask: 10.192.168.0/255.255.255.0 name: lan 
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
76642 4277K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
  10M 8387M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 wanin      all  --  vlan1  any     anywhere             anywhere            
54047 3834K wanout     all  --  any    vlan1   anywhere             anywhere            
54051 3835K ACCEPT     all  --  br0    any     anywhere             anywhere            
    0     0 upnp       all  --  vlan1  any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 754K packets, 818M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
Code:
root@unknown:/tmp/home/root# iptables-save
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*nat
:PREROUTING ACCEPT [218123:34092108]
:POSTROUTING ACCEPT [2386:518195]
:OUTPUT ACCEPT [25632:2083650]
:WANPREROUTING - [0:0]
:upnp - [0:0]
-A PREROUTING -d 24.8.4.169 -j WANPREROUTING 
-A PREROUTING -d 10.192.168.0/255.255.255.0 -i vlan1 -j DROP 
-A PREROUTING -d 24.8.4.169 -j upnp 
-A POSTROUTING -o vlan1 -j MASQUERADE 
-A WANPREROUTING -p icmp -j DNAT --to-destination 10.192.168.1 
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*mangle
:PREROUTING ACCEPT [11141202:8496194443]
:INPUT ACCEPT [583302:79390600]
:FORWARD ACCEPT [10510981:8404174482]
:OUTPUT ACCEPT [753984:817838125]
:POSTROUTING ACCEPT [11264634:9221982549]
-A PREROUTING -i vlan1 -j DSCP --set-dscp 0x00 
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*filter
:INPUT DROP [3030:189175]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [753965:817829572]
:upnp - [0:0]
:wanin - [0:0]
:wanout - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -d 24.8.4.169 -i br0 -j DROP 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i br0 -j ACCEPT 
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT 
-A INPUT -p udp -m udp --dport 33434:33534 -m limit --limit 5/sec -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -s 10.192.169.5 -i tun21 -j ACCEPT 
-A FORWARD -s 10.192.169.9 -i tun21 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p tcp -m tcp --dport 32469 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p tcp -m tcp --dport 32400 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32414 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32413 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32412 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32410 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 5353 -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 1900 -j ACCEPT 
-A FORWARD -d 10.192.168.1 -i tun21 -p icmp -j ACCEPT 
-A FORWARD -d 10.192.168.2 -i tun21 -p icmp -j ACCEPT 
-A FORWARD -i tun21 -j DROP 
-A FORWARD -m account --aaddr 10.192.168.0/255.255.255.0 --aname lan 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i vlan1 -j wanin 
-A FORWARD -o vlan1 -j wanout 
-A FORWARD -i br0 -j ACCEPT 
-A FORWARD -i vlan1 -j upnp 
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
root@unknown:/tmp/home/root#

Last edited by haertig; 02-22-2015 at 03:51 AM.
 
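Both points in this thread can be made mechanical. The script below is an added example, not code from the thread or from any of the posters: it reads iptables-save text (embedded here is a constructed sample consisting of the INPUT rules from the router filter table posted above) and does two things. terse() approximates the columns that iptables -L prints without -v, so the "-i lo" and "-i br0" rules both come out as the same "ACCEPT all -- anywhere anywhere" line, which is exactly the ambiguity rknichols describes; ambiguous_groups() lists such collisions. new_traffic_accepts() then lists the ACCEPT rules that admit NEW connections on an interface outside a trusted set, which is what is actually reachable on a host whose INPUT policy is DROP. The names Rule, parse_save, terse, ambiguous_groups and new_traffic_accepts are mine, and the trusted set ("lo", "br0") is an assumption that br0 is the LAN bridge, as the posted ruleset treats it.

```python
# Added example, not code from the thread; assumes br0 is the LAN bridge interface.
import shlex
from dataclasses import dataclass, field

# Constructed sample: the INPUT rules of the router filter table posted above.
SAMPLE = """\
*filter
:INPUT DROP [3030:189175]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -d 24.8.4.169 -i br0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    chain: str
    target: str = None
    proto: str = "all"
    in_iface: str = None
    src: str = "anywhere"     # iptables -L prints an unrestricted src/dst this way
    dst: str = "anywhere"
    dport: str = None
    states: str = None        # --state/--ctstate value exactly as written
    negated: set = field(default_factory=set)   # field names that were prefixed with '!'
    extra: list = field(default_factory=list)   # (option, values) for matches not modelled

OPTS = {"-p": "proto", "-i": "in_iface", "-s": "src", "-d": "dst",
        "--dport": "dport", "-j": "target"}

def _args(toks, i):  # values following option toks[i], up to the next option or '!'
    j = i + 1
    while j < len(toks) and not toks[j].startswith("-") and toks[j] != "!":
        j += 1
    return toks[i + 1:j], j

def parse_save(text):
    """Return {table: [Rule, ...]} from iptables-save output; ':CHAIN' lines are skipped."""
    tables, rules = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            rules = tables.setdefault(line[1:], [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = Rule(chain=toks[1]), 2
            while i < len(toks):
                opt, neg = toks[i], toks[i] == "!"
                if neg:                              # '!' negates the option after it
                    i += 1
                    opt = toks[i]
                vals, i = _args(toks, i)
                if opt in OPTS:
                    setattr(rule, OPTS[opt], vals[0])
                    if neg:
                        rule.negated.add(OPTS[opt])
                elif opt in ("--state", "--ctstate"):
                    rule.states = vals[0]
                elif opt != "-m":                    # keep e.g. ('--limit', ['1/sec'])
                    rule.extra.append((opt, vals))
            rules.append(rule)
    return tables

def terse(r):
    """Roughly the line `iptables -L` prints without -v: no in/out column, so -i is invisible."""
    cols = [r.target or "", r.proto, "--", r.src, r.dst]
    cols += [f"{r.proto} dpt:{r.dport}"] if r.dport else []
    cols += ["state " + r.states] if r.states else []
    return " ".join(cols)

def ambiguous_groups(rules):
    """Rules that collapse to the same `-L` line; only `-L -v` tells them apart."""
    groups = {}
    for r in rules:
        groups.setdefault(terse(r), []).append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}

def new_traffic_accepts(rules, chain="INPUT", trusted=("lo", "br0")):
    """(proto, dport) of ACCEPTs in `chain` admitting NEW connections from outside `trusted`."""
    found = []
    for r in rules:
        if r.chain != chain or r.target != "ACCEPT":
            continue
        if r.states and "NEW" not in r.states.split(","):
            continue                                 # only continues existing flows
        if r.in_iface in trusted and "in_iface" not in r.negated:
            continue                                 # bound to a trusted interface
        found.append((r.proto, r.dport))
    return found
```

On the sample, ambiguous_groups(parse_save(SAMPLE)["filter"]) reports one collision, "ACCEPT all -- anywhere anywhere", standing for the lo and br0 rules, and new_traffic_accepts() reports UDP 1194, ICMP, UDP 33434:33534, UDP 68, TCP 443 and TCP 22 as the services a packet arriving on the WAN side can reach. The exposure list only means something because the ":INPUT DROP" line shows a default-deny policy; under an ACCEPT policy everything is reachable regardless of the rules. When listing a live box, prefer "iptables -L -v -n" (or "iptables -S" / "iptables-save") so the output is not slowed or altered by reverse DNS and port-name lookups.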
02-22-2015, 08:43 AM   #19
ardvark71 (Original Poster)
Hi...

Thank you for your thoughts.
 
02-22-2015, 09:17 AM   #20
rknichols
Quote (originally posted by haertig):
And I agree with others, that iptables framework that the GUI tool set up ... yeuch ... what a mess. They say "every baby but your own is ugly". That certainly covers that framework. Only the guy who wrote it would want to look at it. The rest of us would turn our head away in horror.
It was done that way to make it easy for a program to manage. Looks like it was done by a devotee of object-oriented programming, with each rule category in the GUI maintained as its own separate "class", and all the classes and sub-classes being referenced where needed. As with many o-o programs, you end up with "ravioli code" (as opposed to "spaghetti code") that is incomprehensible if you try to look at it from the top.
 