Solved

iptables

Posted on 2011-09-22
5
515 Views
Last Modified: 2012-06-22
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]. Also, is there any significance in their order? If i change my iptables file so that :INPUT DROP[0:0] is first then everything then changes to be under Chain INPUT (policy ACCEPT). It's just my lack of understanding but trying to understand it.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



[root@testbox ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
0
Comment
Question by:lolaferrari
  • 3
  • 2
5 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582352
Can someone explain to me what the top 3 rules in my iptables config file mean with regard the [0:0]
They are the default chains for the filter table.  The 0:0 part is packets:bytes for each chain.  The order will match just like normal rules match in order -- they go down the list and use the first-matched rule.  So if INPUT ACCEPT is first, then INPUT DROP will never be hit... on that note I don't even know if it's possible to have 2 default rules for a chain -- this is not something that is usually done.

IMO you should only use ACCEPT during your initial rule testing setup so that you don't lock yourself out.  Once you have a complete set of working rules, change all default chain rules to DROP imo.

The best way IMO is to set DROP for everything, then create ACCEPT rules as needed... just make sure you at least open up TCP/22 before changing that, unless you have console access.
0
 

Author Comment

by:lolaferrari
ID: 36582456
OK great so below is this INPUT chain basically saying DROP everything except those mentioned underneath it's header?

Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36582585
Yep!  If no rules are matched in the table you pasted above, then the default rule will apply to those packets.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36582588
Excuse me I meant in the chain you pasted, not table.
0
 

Author Closing Comment

by:lolaferrari
ID: 36583308
fantastic| thanks for that
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now