Solved

iptables

Posted on 2011-09-22
5
524 Views
Last Modified: 2012-06-22
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]. Also, is there any significance in their order? If i change my iptables file so that :INPUT DROP[0:0] is first then everything then changes to be under Chain INPUT (policy ACCEPT). It's just my lack of understanding but trying to understand it.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



[root@testbox ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
0
Comment
Question by:lolaferrari
  • 3
  • 2
5 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582352
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]
They are the default chains for the filter table.  The 0:0 part is packets:bytes for each chain.  The order will match just like normal rules match in order -- they go down the list and use the first-matched rule.  So if INPUT ACCEPT is first, then INPUT DROP will never be hit... on that note I don't even know if it's possible to have 2 default rules for a chain -- this is not something that is usually done.

IMO you should only use ACCEPT during your initial rule testing setup so that you don't lock yourself out.  Once you have a complete set of working rules, change all default chain rules to DROP imo.

The best way IMO is to set DROP for everything, then create ACCEPT rules as needed... just make sure you at least open up TCP/22 before changing that, unless you have console access.
0
 

Author Comment

by:lolaferrari
ID: 36582456
OK great so below is this INPUT chain basically saying DROP everything except those mentioned underneath it's header?

Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36582585
Yep!  If no rules are matched in the table you pasted above, then the default rule will apply to those packets.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582588
Excuse me I meant in the chain you pasted, not table.
0
 

Author Closing Comment

by:lolaferrari
ID: 36583308
fantastic| thanks for that
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now