I've written a simple firewall script in the order that I thought I wanted it in, but when I do an iptables -L -n, I'm seeing something that looks a little creepy.
The script is as follows:
Code:
#! /bin/bash
#
# My IPTABLES Chicken-Scratch
#
RULE="/sbin/iptables"
EXT_IF="wlan0"
# Swish! Flush all rules, zero the counters, delete user-defined chains.
$RULE -F
$RULE -Z
$RULE -X
# Defaults: anything not explicitly accepted on INPUT/FORWARD is dropped.
$RULE -P INPUT DROP
$RULE -P FORWARD DROP
$RULE -P OUTPUT ACCEPT
# Something like "pass quick on lo0"
$RULE -A INPUT -i lo -j ACCEPT
$RULE -A OUTPUT -o lo -j ACCEPT
# Keep the WWW Beautiful -- ***READ MORE, ADD MORE!!!***
# No FIN, no SYN, no Service! (new TCP connections must start with a SYN)
$RULE -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
###########################################
## BEGIN SERVICES
###########################################
# sshd
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 2299 -m state --state NEW,ESTABLISHED -j ACCEPT
# http/s
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
###########################################
## END SERVICES
###########################################
# Something like "keep state?" (replies to connections we opened)
$RULE -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
###################
## LOGGING
###################
# Everything that reaches the end of INPUT is rate-limited to the log, then dropped.
$RULE -N LOGGING
$RULE -A INPUT -j LOGGING
$RULE -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "DROPPED: " --log-level 7
$RULE -A LOGGING -j DROP
When I run the script and do an iptables -L -n, it looks like the INPUT chain wants to pass everything from the get-go:
Code:
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOGGING    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Under the INPUT Chain policy line, why does it say "accept all from anywhere to anywhere"? How is that dropping packets by default? Am I reading this incorrectly?
Thanks
---------- Post added at 07:22 AM ---------- Previous post was at 06:56 AM ----------
Never mind....
Code:
# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
 4122 6146K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   16  2400 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3219 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
   16  2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Using the -v flag helps.
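The confusion above comes from the short `-L -n` view hiding the in/out interface columns, so the `-i lo` rule reads as an unconditional ACCEPT. As an added example (not from the original post), here is a small check that reads a verbose `iptables -L -n -v` listing and flags INPUT-chain ACCEPT rules that are bound to neither an interface nor a connection state, which are the ones that really would pass everything. The listing is a constructed sample modelled on the one in the post, with one extra unbound ACCEPT added so the check has something to catch.

```bash
#!/bin/bash
# Added example: audit a verbose iptables listing for INPUT ACCEPT rules that
# have no interface ("in" column is "*") and no state match. Reads stdin.
# Assumes the column layout printed by `iptables -L -n -v`:
#   pkts bytes target prot opt in out source destination [matches...]
find_unbound_accepts() {
    awk '
        /^Chain /          { chain = $2; next }   # remember the current chain
        /^ *pkts +bytes/   { next }               # skip the column header
        chain == "INPUT" && $3 == "ACCEPT" {
            in_if = $6                            # "in" column, "*" = any interface
            if (in_if == "*" && $0 !~ /state /) print
        }
    '
}

# Constructed sample listing: the rules from the post plus one deliberately
# unbound ACCEPT (3 packets, 180 bytes) that a reviewer would want flagged.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
 4122 6146K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16  2400 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 3219 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# On a live box this would be:  iptables -L INPUT -n -v | find_unbound_accepts
# Here it runs over the constructed sample and prints only the unbound rule.
printf '%s\n' "$SAMPLE" | find_unbound_accepts
```

The `-i lo` rule is not reported because its "in" column is `lo`, which is exactly the detail the non-verbose listing dropped.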