iptables explanation

jmicorp
Will someone tell me in a nutshell what these entries mean?

> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  10.191.192.0/18      anywhere            tcp
ACCEPT     tcp  --  10.12.96.0/24        anywhere            tcp
ACCEPT     tcp  --  64.39.0.0/23         anywhere            tcp
ACCEPT     tcp  --  173.203.5.128/25     anywhere            tcp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:59489
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Commented:
> iptables -L
Chain INPUT (policy ACCEPT)
*** A chain is just like a group
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
*** The above line means let traffic come back for stuff established from inside the network.
ACCEPT     icmp --  anywhere             anywhere            
*** Allow ping from anywhere
ACCEPT     all  --  anywhere             anywhere          
*** Allow traffic on all ports from anywhere (This is a disaster, anything below this will not work since the rules are read from top to bottom)
 
ACCEPT     tcp  --  10.191.192.0/18      anywhere            tcp
ACCEPT     tcp  --  10.12.96.0/24        anywhere            tcp
ACCEPT     tcp  --  64.39.0.0/23         anywhere            tcp
ACCEPT     tcp  --  173.203.5.128/25     anywhere            tcp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:59489
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Commented:

The input chain allows traffic from all sources. The line

ACCEPT     all  --  anywhere             anywhere    

should be removed. Only then will the whole input chain make sense.

The state RELATED,ESTABLISHED line will allow packets through which have been established and are related. Any traffic from the four networks specified, viz. 10.191.192.0/18, 10.12.96.0/24, 64.39.0.0/23 and 173.203.5.128/25, will also be allowed. Other traffic from any network to ftp, ssh, smtp, http, https and port 59849 would be allowed to pass. ICMP in particular and any other packets will be rejected.

The Chain FORWARD (policy ACCEPT) accepts all connections, except that it rejects packets with ICMP.

The Chain OUTPUT (policy ACCEPT) accepts all packets from the internal network to the external.

Author

Commented:
Thanks for the answers guys! That was really helpful. I was seeing some problem areas and needed to know if I was missing something.
