[SOLVED] iptables ruleset question

ichrispa · 11-06-2009, 12:41 PM

Hi everyone.

I have a question concerning iptables. For years I used to write my rules and chains on my own. Unfortunately, most of my users don't know how to do that on their machines, so I was condemned to check out some tools.

On my machine, the firewall manager I am testing for the users in my network insists on putting an accept all to everywhere rule infront of the INPUT chain, like so:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

I don't get it. Doesn't this make the rest of the chain obsolete? The first rule matching is the first rule in any package, the rest of the chain should never be processed. Just what idea of firewalling is this?

Please tell me if I'm wrong here.

thx

bertl · 11-06-2009, 12:44 PM

You're completely right, ACCEPT without any parameters will not really be a filter. There is a chance that they are only doing this for the loopback interface, or such, though. Best check with -v and --line-numbers:

Code:

iptables -L -n -v --lin

Output without those flags doesn't show all columns.

-Bert

ichrispa · 11-06-2009, 12:56 PM

You are right, the rule only applies to the loopback interface. My bad.

thank you bertl