[Techtalk] iptables query - fairly urgent!

Hugo Chasqueira hchasqueira at netcabo.pt
Tue Sep 28 01:25:58 EST 2004

On Tuesday 28 September 2004 00:29, David Sumbler wrote:
> I've been reading the iptables HOWTO, and I think, at last, I'm
> getting to understand how iptables works.
>
> Naturally I have been looking at the firewall setup on my Fedora Core
> 1 system.
>
> 'ls /etc/sysconfig/iptables' shows:
>
> # Firewall configuration written by redhat-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
>
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> However, 'iptables -L' shows:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     udp  --  clock3.redhat.com    anywhere            udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock1.redhat.com    anywhere            udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock2.redhat.com    anywhere            udp spt:ntp dpt:ntp
> ACCEPT     udp  --  clock1.redhat.com    anywhere            udp spt:ntp dpt:ntp
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5901
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5801
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> The additional rules for clock?.redhat.com are inserted during boot,
> and are OK (although there seems to be a superfluous line).
>
> But rule 5 in the RH-Firewall-1-INPUT chain seems to me to be as
> dangerous as it could be, and is an apparent misinterpretation of the
> rule
>
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>
> shown in /etc/sysconfig/iptables.  I would be happy with this rule.
>
> Have I misunderstood something, or is my firewall really currently as
> good as useless set up like this?


Hi,

The command 'iptables -L' isn't showing you everything.

You should use the '-v' parameter (verbose), so that iptables shows you the
interface to which the rules apply.

Try:

iptables -L -v


--

Hugo Chasqueira

Public Key:
http://www.fcee.ucp.pt/docentes/url/hbc/pubkey.txt

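The confusion in this thread comes from `iptables -L` dropping the interface column, so the `-i lo` rule prints as `ACCEPT all -- anywhere anywhere`. As an added example (not code from either poster), the POSIX shell script below audits a ruleset in iptables-save format, which does keep `-i`, and reports any ACCEPT rule in a chain that carries no match at all; the sample ruleset is the /etc/sysconfig/iptables quoted above, and the function name `unrestricted_accepts` is my own.

```sh
#!/bin/sh
# Sample input: the Fedora Core 1 ruleset quoted in the thread (iptables-save
# format), embedded here so the script runs without root or a live firewall.
FC1_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every "-A <chain> ... -j ACCEPT" rule on stdin that has no match at
# all: no -i/-o interface, no -s/-d address, no -p protocol, no -m module.
# Such a rule genuinely accepts everything, which is what the quoted
# 'iptables -L' output only appeared to show for the '-i lo' rule.
unrestricted_accepts() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            restricted = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^-(i|o|s|d|p|m)$/) restricted = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (accept && !restricted) print
        }'
}

# The shipped ruleset prints nothing: the loopback rule is bound to -i lo.
printf '%s\n' "$FC1_RULES" | unrestricted_accepts RH-Firewall-1-INPUT
# The same ruleset with "-i lo" removed prints the now wide-open rule.
printf '%s\n' "$FC1_RULES" | sed 's/ -i lo / /' | unrestricted_accepts RH-Firewall-1-INPUT
```

On a live system, feed the function `iptables-save` output instead of the embedded sample, or simply read `iptables -L -v` as suggested in the reply.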