It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff simpler, they also have the effect of making debugging or understanding it a nightmare.
For example,
Code:
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
This to me says, accept anything from anywhere, otherwise accept it as long as it's related or established.
What's the point of the second one if it's already accepted?
That's a result of doing the listing without the "-v" option. The interface qualifiers get lost. You will almost certainly find that the first ACCEPT rule applies only to the "lo" loopback interface. Pretty much any time someone posts "iptables -L" output, I have to tell them to go back and add "-v".
Here's the same configuration using the additional "-v" option...
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
955 333K ufw-before-logging-input all -- any any anywhere anywhere
955 333K ufw-before-input all -- any any anywhere anywhere
0 0 ufw-after-input all -- any any anywhere anywhere
0 0 ufw-after-logging-input all -- any any anywhere anywhere
0 0 ufw-reject-input all -- any any anywhere anywhere
0 0 ufw-track-input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- any any anywhere anywhere
0 0 ufw-before-forward all -- any any anywhere anywhere
0 0 ufw-after-forward all -- any any anywhere anywhere
0 0 ufw-after-logging-forward all -- any any anywhere anywhere
0 0 ufw-reject-forward all -- any any anywhere anywhere
0 0 ufw-track-forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
1005 84965 ufw-before-logging-output all -- any any anywhere anywhere
1005 84965 ufw-before-output all -- any any anywhere anywhere
155 11800 ufw-after-output all -- any any anywhere anywhere
155 11800 ufw-after-logging-output all -- any any anywhere anywhere
155 11800 ufw-reject-output all -- any any anywhere anywhere
155 11800 ufw-track-output all -- any any anywhere anywhere
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ufw-user-forward all -- any any anywhere anywhere
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
390 32139 ACCEPT all -- lo any anywhere anywhere
549 297K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
16 2870 ufw-not-local all -- any any anywhere anywhere
16 2870 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
0 0 ufw-user-input all -- any any anywhere anywhere
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
390 32139 ACCEPT all -- any lo anywhere anywhere
460 41026 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
155 11800 ufw-user-output all -- any any anywhere anywhere
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
16 2870 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
0 0 DROP all -- any any anywhere anywhere
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
42 2520 ACCEPT tcp -- any any anywhere anywhere ctstate NEW
111 9200 ACCEPT udp -- any any anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
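The point of the reply above is that a plain `iptables -L` drops the `in`/`out` columns, so a loopback-only ACCEPT looks identical to an accept-everything rule. The following added example (my code, not code from this thread or from ufw) parses `iptables -L -v` output and prints, for every ACCEPT rule, exactly the qualifiers that the non-verbose listing would have hidden; it also flags the ACCEPT rules that truly match everything. The sample listing is constructed from the `ufw-before-input` and `ufw-skip-to-policy-output` chains posted above; the column layout it assumes is the standard `iptables -L -v` one.

```python
"""Parse `iptables -L -v` output and show which qualifiers a plain `iptables -L`
would have hidden. Added example, not code from the thread or from ufw."""
import re
from dataclasses import dataclass

# Constructed sample: two chains copied from the ufw listing in the thread.
SAMPLE = """\
Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  390 32139 ACCEPT     all  --  lo     any     anywhere             anywhere
  549  297K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
   16  2870 ufw-not-local  all  --  any    any     anywhere             anywhere
   16  2870 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
    0     0 ufw-user-input  all  --  any    any     anywhere             anywhere
Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


@dataclass
class Rule:
    chain: str
    pkts: str
    bytes_: str
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # everything after the destination column: ctstate, dpt:, limit: ...


def parse_listing(text):
    """Return {chain name: [Rule, ...]} from `iptables -L -v` text."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("pkts "):
            continue  # column header
        tok = line.split()
        # The "opt" column is normally "--". A rule with no target (for example a
        # counting-only match) simply omits the target column, so locate "opt"
        # to decide whether a target is present before slicing the columns.
        if len(tok) >= 5 and tok[4].startswith(("-", "!")):
            target, rest = tok[2], tok[3:]
        else:
            target, rest = "", tok[2:]
        prot, _opt, in_if, out_if, src, dst = rest[:6]
        chains[current].append(
            Rule(current, tok[0], tok[1], target, prot, in_if, out_if, src, dst,
                 " ".join(rest[6:])))
    return chains


def describe(rule):
    """The qualifiers that make a rule narrower than 'everything from anywhere'.
    Interface qualifiers are exactly the ones a non-verbose listing hides."""
    parts = []
    if rule.in_if != "any":
        parts.append(f"in={rule.in_if}")
    if rule.out_if != "any":
        parts.append(f"out={rule.out_if}")
    if rule.prot != "all":
        parts.append(f"prot={rule.prot}")
    if rule.source != "anywhere":
        parts.append(f"src={rule.source}")
    if rule.destination != "anywhere":
        parts.append(f"dst={rule.destination}")
    if rule.extra:
        parts.append(rule.extra)
    return ", ".join(parts) or "UNRESTRICTED"


def accept_rules(chains, chain):
    """(Rule, description) for each ACCEPT rule in one chain, in order."""
    return [(r, describe(r)) for r in chains[chain] if r.target == "ACCEPT"]


def unrestricted_accepts(chains):
    """ACCEPT rules that match every packet on every interface: the ones to review."""
    return [r for rules in chains.values() for r in rules
            if r.target == "ACCEPT" and describe(r) == "UNRESTRICTED"]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for name in parsed:
        print(f"Chain {name}")
        for _, text in accept_rules(parsed, name):
            print(f"  ACCEPT  {text}")
    for r in unrestricted_accepts(parsed):
        print(f"review: unrestricted ACCEPT in chain {r.chain}")
```

Run against the sample, the first ACCEPT in `ufw-before-input` comes out as `in=lo` and the second as `ctstate RELATED,ESTABLISHED`, which answers the question of why both rules exist; the only rule reported as unrestricted is the one in `ufw-skip-to-policy-output`, a chain the listing shows with zero references.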
I never liked the output from "iptables -L -v". I prefer the output to look more like what I entered as rules. Use "iptables-save" to display things more like how they were input.
And I agree with others, that iptables framework that the GUI tool set up ... yeuch ... what a mess. They say "every baby but your own is ugly". That certainly covers that framework. Only the guy who wrote it would want to look at it. The rest of us would turn our head away in horror.
Here's the firewall on my router displayed using the two methods. First, the ugly (IMHO) iptables -L -v way, then the much nicer (IMHO) iptables-save way (in the iptables-save display, scroll down to where the filter table is displayed to see what I'm talking about "the output looks more like what I entered as rules"):
Code:
root@unknown:/tmp/home/root# iptables -L -v
Chain INPUT (policy DROP 3029 packets, 189K bytes)
pkts bytes target prot opt in out source destination
292K 32M ACCEPT udp -- any any anywhere anywhere udp dpt:1194
642 38520 DROP all -- br0 any anywhere wan-ip
174 15616 DROP all -- any any anywhere anywhere state INVALID
114K 16M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
26 1889 ACCEPT all -- lo any anywhere anywhere
137K 20M ACCEPT all -- br0 any anywhere anywhere
46 1894 ACCEPT icmp -- any any anywhere anywhere limit: avg 1/sec burst 5
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:33434:33534 limit: avg 5/sec burst 5
33799 11M ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
37 1788 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
2923 169K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun21 any 10.192.169.5 anywhere
0 0 ACCEPT all -- tun21 any 10.192.169.9 anywhere
0 0 ACCEPT tcp -- tun21 any anywhere Davids_computer_wired tcp dpt:32469
291K 13M ACCEPT tcp -- tun21 any anywhere Davids_computer_wired tcp dpt:32400
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:32414
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:32413
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:32412
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:32410
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:mdns
0 0 ACCEPT udp -- tun21 any anywhere Davids_computer_wired udp dpt:upnp
0 0 ACCEPT icmp -- tun21 any anywhere unknown
0 0 ACCEPT icmp -- tun21 any anywhere Davids_computer_wired
331 30058 DROP all -- tun21 any anywhere anywhere
10M 8391M all -- any any anywhere anywhere account: network/netmask: 10.192.168.0/255.255.255.0 name: lan
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
76642 4277K TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
10M 8387M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 wanin all -- vlan1 any anywhere anywhere
54047 3834K wanout all -- any vlan1 anywhere anywhere
54051 3835K ACCEPT all -- br0 any anywhere anywhere
0 0 upnp all -- vlan1 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 754K packets, 818M bytes)
pkts bytes target prot opt in out source destination
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
Chain wanin (1 references)
pkts bytes target prot opt in out source destination
Chain wanout (1 references)
pkts bytes target prot opt in out source destination
Code:
root@unknown:/tmp/home/root# iptables-save
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*nat
:PREROUTING ACCEPT [218123:34092108]
:POSTROUTING ACCEPT [2386:518195]
:OUTPUT ACCEPT [25632:2083650]
:WANPREROUTING - [0:0]
:upnp - [0:0]
-A PREROUTING -d 24.8.4.169 -j WANPREROUTING
-A PREROUTING -d 10.192.168.0/255.255.255.0 -i vlan1 -j DROP
-A PREROUTING -d 24.8.4.169 -j upnp
-A POSTROUTING -o vlan1 -j MASQUERADE
-A WANPREROUTING -p icmp -j DNAT --to-destination 10.192.168.1
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*mangle
:PREROUTING ACCEPT [11141202:8496194443]
:INPUT ACCEPT [583302:79390600]
:FORWARD ACCEPT [10510981:8404174482]
:OUTPUT ACCEPT [753984:817838125]
:POSTROUTING ACCEPT [11264634:9221982549]
-A PREROUTING -i vlan1 -j DSCP --set-dscp 0x00
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*filter
:INPUT DROP [3030:189175]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [753965:817829572]
:upnp - [0:0]
:wanin - [0:0]
:wanout - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -d 24.8.4.169 -i br0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.192.169.5 -i tun21 -j ACCEPT
-A FORWARD -s 10.192.169.9 -i tun21 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p tcp -m tcp --dport 32469 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32414 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32413 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32412 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 32410 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 5353 -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p udp -m udp --dport 1900 -j ACCEPT
-A FORWARD -d 10.192.168.1 -i tun21 -p icmp -j ACCEPT
-A FORWARD -d 10.192.168.2 -i tun21 -p icmp -j ACCEPT
-A FORWARD -i tun21 -j DROP
-A FORWARD -m account --aaddr 10.192.168.0/255.255.255.0 --aname lan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan1 -j wanin
-A FORWARD -o vlan1 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i vlan1 -j upnp
COMMIT
# Completed on Sun Feb 22 02:39:45 2015
root@unknown:/tmp/home/root#
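Because `iptables-save` prints each rule as the option string that created it, it is also the easier format to audit by script. The added example below (my code, not code from this thread or from the router firmware) parses `iptables-save` output into tables, policies and per-rule option maps, then lists what the INPUT chain accepts from interfaces other than an assumed trusted set (`lo` and the LAN bridge `br0`), skipping the stateful-reply rule so that only actually offered services remain. The sample is constructed from the nat table and the INPUT rules posted above; the trusted-interface set is an assumption for the example.

```python
"""Parse `iptables-save` output and summarise INPUT ACCEPT rules reachable from
untrusted interfaces. Added example, not code from the thread."""
import shlex

# Constructed sample: the nat table and the INPUT rules from the router dump above.
SAMPLE = """\
# Generated by iptables-save v1.3.8 on Sun Feb 22 02:39:45 2015
*nat
:PREROUTING ACCEPT [218123:34092108]
:POSTROUTING ACCEPT [2386:518195]
:OUTPUT ACCEPT [25632:2083650]
:WANPREROUTING - [0:0]
-A PREROUTING -d 24.8.4.169 -j WANPREROUTING
-A POSTROUTING -o vlan1 -j MASQUERADE
-A WANPREROUTING -p icmp -j DNAT --to-destination 10.192.168.1
COMMIT
*filter
:INPUT DROP [3030:189175]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [753965:817829572]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -d 24.8.4.169 -i br0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

STATEFUL_MATCHES = {"state", "conntrack"}


def parse_rule(tokens):
    """Turn the tokens of one `-A CHAIN ...` line into an option map.
    `-m` modules are collected in a list; `!` records which option is negated;
    an option followed by no value (e.g. --clamp-mss-to-pmtu) is stored as True."""
    rule = {"chain": tokens[1], "matches": [], "negated": set(), "raw": " ".join(tokens)}
    i = 2
    while i < len(tokens):
        t = tokens[i]
        if t == "!":
            rule["negated"].add(tokens[i + 1])
            i += 1
        elif t == "-m":
            rule["matches"].append(tokens[i + 1])
            i += 2
        elif t.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                rule[t] = tokens[i + 1]
                i += 2
            else:
                rule[t] = True
                i += 1
        else:
            i += 1  # second value of a two-value option such as --tcp-flags
    return rule


def parse_save(text):
    """Return {table: {"policy": {chain: policy or "-"}, "rules": [rule maps]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            name, policy, _counters = line[1:].split()
            tables[table]["policy"][name] = policy
        elif line.startswith("-A "):
            # shlex keeps quoted values such as --log-prefix "[UFW BLOCK] " intact
            tables[table]["rules"].append(parse_rule(shlex.split(line)))
        elif line == "COMMIT":
            table = None
    return tables


def exposed_input_services(tables, trusted_ifaces):
    """(proto, dport, note) for INPUT ACCEPT rules that can match traffic arriving
    on an interface outside `trusted_ifaces`. Stateful-reply rules are skipped."""
    exposed = []
    for r in tables["filter"]["rules"]:
        if r["chain"] != "INPUT" or r.get("-j") != "ACCEPT":
            continue
        if r.get("-i") in trusted_ifaces and "-i" not in r["negated"]:
            continue
        if STATEFUL_MATCHES & set(r["matches"]):
            continue
        note = "rate-limited" if "limit" in r["matches"] else ""
        exposed.append((r.get("-p", "all"), r.get("--dport", "*"), note))
    return exposed


if __name__ == "__main__":
    tables = parse_save(SAMPLE)
    print("INPUT policy:", tables["filter"]["policy"]["INPUT"])
    for proto, dport, note in exposed_input_services(tables, {"lo", "br0"}):
        print(f"  accepts {proto}/{dport} {note}".rstrip())
```

On the sample this reports udp/1194, rate-limited icmp, the rate-limited udp 33434:33534 traceroute range, udp/68 (DHCP client replies), tcp/443 and tcp/22, which is the services-exposed view a reviewer wants from a router ruleset; the `-i br0` and `-i lo` accepts and the RELATED,ESTABLISHED rule are correctly left out. The `-m account` rule with no `-j` in the original FORWARD chain parses fine too, it just never reaches the ACCEPT filter.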
It was done that way to make it easy for a program to manage. Looks like it was done by a devotee of object-oriented programming, with each rule category in the GUI maintained as its own separate "class", and all the classes and sub-classes being referenced where needed. As with many o-o programs, you end up with "ravioli code" (as opposed to "spaghetti code") that is incomprehensible if you try to look at it from the top.