[Techtalk] iptables query - fairly urgent!
Hugo Chasqueira
hchasqueira at netcabo.pt
Tue Sep 28 01:25:58 EST 2004
On Tuesday 28 September 2004 00:29, David Sumbler wrote:
> I've been reading the iptables HOWTO, and I think, at last, I'm
> getting to understand how iptables works.
>
> Naturally I have been looking at the firewall setup on my Fedora Core
> 1 system.
>
> 'ls /etc/sysconfig/iptables' shows:
>
> # Firewall configuration written by redhat-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
>
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> However, 'iptables -L' shows:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT     udp  --  clock3.redhat.com    anywhere    udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock1.redhat.com    anywhere    udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock2.redhat.com    anywhere    udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock1.redhat.com    anywhere    udp spt:ntp dpt:ntp
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere    icmp any
> ACCEPT     ipv6-crypt--  anywhere        anywhere
> ACCEPT     ipv6-auth--  anywhere         anywhere
> ACCEPT     all  --  anywhere             anywhere    state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere    state NEW tcp dpt:5901
> ACCEPT     tcp  --  anywhere             anywhere    state NEW tcp dpt:5801
> ACCEPT     tcp  --  anywhere             anywhere    state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere    reject-with icmp-host-prohibited
>
> The additional rules for clock?.redhat.com are inserted during boot,
> and are OK (although there seems to be a superfluous line).
>
> But rule 5 in the RH-Firewall-1-INPUT chain seems to me to be as
> dangerous as it could be, and is an apparent misinterpretation of the
> rule
>
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>
> shown in /etc/sysconfig/iptables. I would be happy with this rule.
>
> Have I misunderstood something, or is my firewall really currently as
> good as useless set up like this?
Hi,
The command 'iptables -L' isn't showing you everything.
You should use the '-v' parameter (verbose), so that iptables shows you the
interface to which the rules apply.
Try:
iptables -L -v
--
Hugo Chasqueira
Public Key:
http://www.fcee.ucp.pt/docentes/url/hbc/pubkey.txt
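To turn the advice above into a repeatable check, here is an added example that is not part of the original thread: it parses `iptables -L -v -n` output (the `-n` flag is my addition, so hostnames are not resolved) and flags ACCEPT rules that are bound to no interface and carry no match criteria. The listing is constructed to mirror the chain in the question, with a made-up rule 5 added to show what the audit reports; without `-v`, that rule and the genuine `-i lo` rule print identically.

```python
# Added example (not from the original thread): audit `iptables -L -v -n` output.
# Constructed sample listing for the RH-Firewall-1-INPUT chain; rule 5 is an
# invented wide-open rule included to show what the audit flags.
SAMPLE_LISTING = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmptype 255
  900 71000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   17  1020 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# The nine fixed columns printed by `iptables -L -v`; anything after them is match text.
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
ANY_ADDR = {"0.0.0.0/0", "anywhere"}


def parse_rules(listing):
    """Turn `iptables -L -v -n` text into dicts: the fixed columns plus 'match'."""
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, len(COLUMNS))
        # Chain header and column header lines do not start with a packet count.
        if len(fields) < len(COLUMNS) or not fields[0].isdigit():
            continue
        rule = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
        rule["match"] = fields[len(COLUMNS)].strip() if len(fields) > len(COLUMNS) else ""
        rules.append(rule)
    return rules


def wide_open_accepts(rules):
    """1-based rule numbers of ACCEPT rules matching every packet on every interface."""
    flagged = []
    for num, r in enumerate(rules, start=1):
        if (r["target"] == "ACCEPT" and r["prot"] == "all" and r["in"] == "*"
                and r["source"] in ANY_ADDR and r["destination"] in ANY_ADDR
                and not r["match"]):
            flagged.append(num)
    return flagged


if __name__ == "__main__":
    for n in wide_open_accepts(parse_rules(SAMPLE_LISTING)):
        print(f"rule {n}: ACCEPT all, any interface, no match criteria")
```

Rule 1 (`in` = `lo`) is left alone, which is exactly the distinction `-v` makes visible; the invented rule 5 is the only one reported.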