[Techtalk] iptables query - fairly urgent!

David Sumbler david at aeolia.co.uk
Tue Sep 28 00:29:18 EST 2004


I've been reading the iptables HOWTO, and I think, at last, I'm
getting to understand how iptables works.

Naturally I have been looking at the firewall setup on my Fedora Core
1 system.

'ls /etc/sysconfig/iptables' shows:

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

However, 'iptables -L' shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  clock3.redhat.com    anywhere            udp spt:ntp dpt:ntp
ACCEPT     udp  --  clock1.redhat.com    anywhere            udp spt:ntp dpt:ntp
ACCEPT     udp  --  clock2.redhat.com    anywhere            udp spt:ntp dpt:ntp
ACCEPT     udp  --  clock1.redhat.com    anywhere            udp spt:ntp dpt:ntp
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5901
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5801
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

The additional rules for clock?.redhat.com are inserted during boot,
and are OK (although there seems to be a superfluous line).

But rule 5 in the RH-Firewall-1-INPUT chain seems to me to be as
dangerous as it could be, and is an apparent misinterpretation of the
rule

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

shown in /etc/sysconfig/iptables.  I would be happy with this rule.

Have I misunderstood something, or is my firewall really currently as
good as useless set up like this?

David
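The rule the post worries about is quoted in the saved file as `-A RH-Firewall-1-INPUT -i lo -j ACCEPT`, and a plain `iptables -L` listing has no column for the interface match; only `iptables -L -v -n` (which adds the `in`/`out` columns) or `iptables-save` shows it. An audit is therefore better done on the `iptables-save` format, which is also the format of `/etc/sysconfig/iptables`. The script below is an added example, not part of the post or of Red Hat's tooling: it classifies every rule in a chain as unrestricted, interface-only (the kind plain `-L` prints as `all -- anywhere anywhere`), or carrying some other match, and counts ACCEPT rules with no match at all. The function names (`classify_rules`, `count_open_accepts`, `rule_kind`) are mine, and the embedded ruleset is the file contents quoted above, copied here as constructed input (without the NTP rules added at boot, so the `-i lo` rule is rule 1 here rather than rule 5 as in the live listing).

```shell
#!/bin/sh
# Added example: audit an iptables ruleset in iptables-save format, which
# keeps the interface match that a plain `iptables -L` listing drops
# (only `iptables -L -v` prints the in/out columns).
# Constructed input: the /etc/sysconfig/iptables contents quoted in the
# post, without the NTP rules the boot scripts insert later.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# classify_rules CHAIN [FILE]
# Prints one line per rule in CHAIN: "<position> <kind> <target>", where
#   UNRESTRICTED  no match at all: hits every packet that reaches the chain
#   IFACE-ONLY    restricted only by -i/-o; plain `iptables -L` prints this
#                 as "all -- anywhere anywhere", which is what looks open
#   MATCHED       has some other match (-p, -s, -d, -m state, --dport, ...)
# Reads FILE if given (e.g. saved output of `iptables-save`), else $RULES.
# Simplification (hypothetical helper): any option other than -i/-o/-j is
# treated as a real match; the rule's semantics are not otherwise checked.
classify_rules() {
  chain=$1
  if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$RULES"; fi |
  awk -v chain="$chain" '
    $1 == "-A" && $2 == chain {
      pos++; iface = 0; other = 0; target = "?"
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); i++; continue }
        if ($i == "-i" || $i == "-o") { iface = 1; i++; continue }
        if ($i ~ /^-/) other = 1          # any other option is a real match
      }
      if (!iface && !other) kind = "UNRESTRICTED"
      else if (iface && !other) kind = "IFACE-ONLY"
      else kind = "MATCHED"
      print pos, kind, target
    }'
}

# count_open_accepts CHAIN [FILE]: number of ACCEPT rules with no match at
# all, i.e. genuine accept-everything holes. 0 is the answer you want.
count_open_accepts() {
  classify_rules "$@" |
  awk '$2 == "UNRESTRICTED" && $3 == "ACCEPT" { n++ } END { print n + 0 }'
}

# rule_kind CHAIN POS [FILE]: classification of the POS-th rule in CHAIN.
rule_kind() {
  classify_rules "$1" "$3" | awk -v pos="$2" '$1 == pos { print $2 }'
}

# Stand-alone run: show the table and the verdict for the post's chain.
classify_rules RH-Firewall-1-INPUT
echo "open ACCEPT rules: $(count_open_accepts RH-Firewall-1-INPUT)"
```

On a live box, feed it `iptables-save > /tmp/rules && classify_rules RH-Firewall-1-INPUT /tmp/rules` (root needed for `iptables-save`); the NTP rules the boot scripts add then appear as MATCHED (they carry `-p udp`, a source and ports), and the `-i lo` rule as IFACE-ONLY rather than UNRESTRICTED.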
