Solved

iptables

Posted on 2011-09-22
5
552 Views
Last Modified: 2012-06-22
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]. Also, is there any significance in their order? If i change my iptables file so that :INPUT DROP[0:0] is first then everything then changes to be under Chain INPUT (policy ACCEPT). It's just my lack of understanding but trying to understand it.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



[root@testbox ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
0
Comment
Question by:lolaferrari
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582352
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]
They are the default chains for the filter table.  The 0:0 part is packets:bytes for each chain.  The order will match just like normal rules match in order -- they go down the list and use the first-matched rule.  So if INPUT ACCEPT is first, then INPUT DROP will never be hit... on that note I don't even know if it's possible to have 2 default rules for a chain -- this is not something that is usually done.

IMO you should only use ACCEPT during your initial rule testing setup so that you don't lock yourself out.  Once you have a complete set of working rules, change all default chain rules to DROP imo.

The best way IMO is to set DROP for everything, then create ACCEPT rules as needed... just make sure you at least open up TCP/22 before changing that, unless you have console access.
0
 

Author Comment

by:lolaferrari
ID: 36582456
OK great so below is this INPUT chain basically saying DROP everything except those mentioned underneath it's header?

Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36582585
Yep!  If no rules are matched in the table you pasted above, then the default rule will apply to those packets.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582588
Excuse me I meant in the chain you pasted, not table.
0
 

Author Closing Comment

by:lolaferrari
ID: 36583308
fantastic| thanks for that
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AWS EC2 HTTP & HTTPS 2 81
CLI command keep running after close 7 56
LINUX Field Separators 7 58
Equivalent of WSUS for Solaris, AIX and Cisco devices 11 78
Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

697 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question