
ichrispa 11-06-2009 12:41 PM

iptables ruleset question
Hi everyone.

I have a question concerning iptables. For years I used to write my rules and chains on my own. Unfortunately, most of my users don't know how to do that on their machines, so I was condemned to check out some tools.

On my machine, the firewall manager I am testing for the users in my network insists on putting an accept all to everywhere rule in front of the INPUT chain, like so:

Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            state RELATED
input_ext  all  --  anywhere            anywhere
input_ext  all  --  anywhere            anywhere
input_ext  all  --  anywhere            anywhere
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP      all  --  anywhere            anywhere

I don't get it. Doesn't this make the rest of the chain obsolete? The first rule matching is the first rule for any packet; the rest of the chain should never be processed. Just what idea of firewalling is this?

Please tell me if I'm wrong here.


bertl 11-06-2009 12:44 PM

You're completely right, ACCEPT without any parameters will not really be a filter. There is a chance that they are only doing this for the loopback interface, or such, though. Best check with -v and --line-numbers:

iptables -L -n -v --lin

Output without those flags doesn't show all columns.
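
As an added illustration of bertl's point (not part of the original thread), the script below reads a constructed `iptables -L INPUT -n -v --line-numbers` listing and reports every ACCEPT rule that carries no protocol, address or extra match, distinguishing a rule bound to an interface such as `lo` from one that is genuinely unrestricted. The sample listing, the `audit_accepts` function and the rule numbers are all assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n -v --line-numbers` output; it is
# not the poster's real ruleset. Rule 1 is the loopback-only ACCEPT that the
# plain `-L` view hides; rule 5 is a genuine accept-everything rule for contrast.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  8400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     5000  900K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
3       10   800 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
4        0     0 input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# audit_accepts: read a verbose, line-numbered listing on stdin and print one
# line per ACCEPT rule that has no protocol, address or extra match criteria.
# Columns with -v --line-numbers: num pkts bytes target prot opt in out src dst [matches]
# A rule whose only restriction is the interface is reported with that interface;
# a rule with no restriction at all is flagged UNRESTRICTED.
audit_accepts() {
    awk '
        /^Chain|^num/ { next }    # skip the chain header and column header
        $4 == "ACCEPT" && ($5 == "all" || $5 == "0") \
            && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && NF == 10 {
            # $5 == "0": newer iptables releases print the protocol numerically under -n
            if ($7 == "*" && $8 == "*") print $1 " UNRESTRICTED"
            else                        print $1 " in=" $7 " out=" $8
        }'
}

# Run against the constructed sample. On a live host (as root) the equivalent is:
#   iptables -L INPUT -n -v --line-numbers | audit_accepts
printf '%s\n' "$SAMPLE" | audit_accepts
```

The reported rule numbers line up with `--line-numbers`, so a flagged rule can be inspected or deleted by position with `iptables -D INPUT <num>`.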


ichrispa 11-06-2009 12:56 PM

You are right, the rule only applies to the loopback interface. My bad.

Thank you, bertl.
