LinuxQuestions.org
Old 11-06-2009, 12:41 PM   #1
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277
iptables ruleset question


Hi everyone.

I have a question concerning iptables. For years I used to write my rules and chains on my own. Unfortunately, most of my users don't know how to do that on their machines, so I was condemned to check out some tools.

On my machine, the firewall manager I am testing for the users in my network insists on putting an accept all to everywhere rule in front of the INPUT chain, like so:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

I don't get it. Doesn't this make the rest of the chain obsolete? The first rule matching is the first rule for any packet; the rest of the chain should never be processed. Just what idea of firewalling is this?

Please tell me if I'm wrong here.

thx
 
Old 11-06-2009, 12:44 PM   #2
bertl
Member
 
Registered: May 2004
Location: Amsterdam, Holland
Distribution: Ubuntu, Redhat, Angstrom (others in the past)
Posts: 36
You're completely right, ACCEPT without any parameters will not really be a filter. There is a chance that they are only doing this for the loopback interface, or such, though. Best check with -v and --line-numbers:

Code:
iptables -L -n -v --lin

Output without those flags doesn't show all columns.

-Bert
 
Old 11-06-2009, 12:56 PM   #3
ichrispa
Member
 
Registered: Mar 2005
Location: Dresden, Germany
Distribution: OpenSuse 11.2/3, Debian 5.0 , Debian 1.3.1, OpenBSD
Posts: 277

Original Poster
You are right, the rule only applies to the loopback interface. My bad.

thank you bertl
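As an added example (not code from the thread), here is a small Python model of first-match evaluation over the INPUT chain quoted in the first post. It assumes, as the follow-up confirms, that the first ACCEPT is really an `-i lo` rule whose interface column plain `iptables -L` does not print (`iptables -L -v` or `iptables -S` shows it); the `Rule`/`Packet` types, the constructed interface name `eth0`, and the omission of the `input_ext` hops are all assumptions of the example.

```python
# Added example, not from the thread: toy first-match evaluator for the
# quoted INPUT chain. The point: an ACCEPT that prints as
# "all -- anywhere anywhere" under plain `iptables -L` can still be
# restricted to an interface, which only `-v` (or `-S`) reveals.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str                         # ACCEPT, DROP, LOG (user chains omitted)
    in_iface: Optional[str] = None      # None == any interface ("*" in -v output)
    proto: Optional[str] = None         # None == all protocols
    states: Optional[frozenset] = None  # conntrack states; None == no state match

@dataclass
class Packet:
    in_iface: str   # constructed values: "eth0" (external) or "lo" (loopback)
    proto: str
    state: str      # NEW, ESTABLISHED or RELATED

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_iface is None or rule.in_iface == pkt.in_iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.states is None or pkt.state in rule.states))

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first terminating match decides.
    LOG is non-terminating, so traversal continues past it. Returns the
    verdict and the index of the deciding rule (None == chain policy)."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt) and rule.target != "LOG":
            return rule.target, i
    return policy, None

def build_chain(first_rule_iface: Optional[str]) -> List[Rule]:
    """The quoted chain; the input_ext hops are left out because their
    contents are not shown in the thread (assumption of this example)."""
    return [
        Rule("ACCEPT", in_iface=first_rule_iface),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED"})),
        Rule("ACCEPT", proto="icmp", states=frozenset({"RELATED"})),
        Rule("LOG"),
        Rule("DROP"),
    ]

def verdicts(pkt: Packet) -> Tuple[str, str]:
    """Verdict as `-L` makes it look (no interface) vs. with the real `-i lo`."""
    as_listed, _ = evaluate(build_chain(None), pkt)
    actual, _ = evaluate(build_chain("lo"), pkt)
    return as_listed, actual

if __name__ == "__main__":
    print(verdicts(Packet("eth0", "tcp", "NEW")))  # ('ACCEPT', 'DROP')
    print(verdicts(Packet("lo", "tcp", "NEW")))    # ('ACCEPT', 'ACCEPT')
```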
 