FedoraForum.org > Security and Privacy

#1  27th March 2012, 12:22 PM  mchauber (Registered User, Join Date: Jun 2010, Posts: 30)
[Solved] Order of rules in IPTABLES...

I've written a simple firewall script in the order that I thought I wanted it in, but when I do an iptables -L -n, I'm seeing something that looks a little creepy.

The script is as follows:

Code:
#!/bin/bash
#
#  My IPTABLES Chicken-Scratch
#

RULE="/sbin/iptables"
EXT_IF="wlan0"


# Swish! -- flush all rules, zero the counters, delete user-defined chains
$RULE -F
$RULE -Z
$RULE -X


# Defaults (a chain policy only applies when no rule in the chain matched)
$RULE -P INPUT DROP
$RULE -P FORWARD DROP
$RULE -P OUTPUT ACCEPT

# Something like "pass quick on lo0"
$RULE -A INPUT -i lo -j ACCEPT
$RULE -A OUTPUT -o lo -j ACCEPT

# Keep the WWW Beautiful -- ***READ MORE, ADD MORE!!!***
# No FIN, no SYN, no Service!  (a NEW tcp connection must start with SYN)
$RULE -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP

###########################################
##  BEGIN SERVICES  ##                    ##
######################                     #/

# sshd
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 2299 -m state --state NEW,ESTABLISHED -j ACCEPT

# http/s
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#$RULE -A INPUT -i $EXT_IF -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

######################                     #/
##   END SERVICES   ##                    ##
###########################################

# Something like "keep state?" -- accept replies to connections we opened
$RULE -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT


###################
##    LOGGING    ##
###################

# Anything that got this far is logged (rate-limited) and then dropped
$RULE -N LOGGING
$RULE -A INPUT -j LOGGING
$RULE -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "DROPPED: " --log-level 7
$RULE -A LOGGING -j DROP
When I run the script, and do an iptables -L -n, it looks like the INPUT chain wants to pass everything from the get-go:


Code:
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOGGING    all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain LOGGING (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Under the INPUT Chain policy line, why does it say "accept all from anywhere to anywhere?" How is that dropping packets by default? Am I reading this incorrectly?

Thanks

---------- Post added at 07:22 AM ---------- Previous post was at 06:56 AM ----------

Never mind....


Code:
# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
 4122 6146K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   16  2400 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3219 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
   16  2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

using the -v flag helps.

Last edited by mchauber; 27th March 2012 at 12:24 PM. Reason: Brain-gas
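As an added illustration (this code is not from the thread or from the poster), the following Python model walks the INPUT chain built by the script above with iptables' first-match semantics: rules are tried top to bottom, the first terminating target (ACCEPT/DROP) wins, a jump into a user chain returns to the caller if that chain is exhausted, and the built-in chain's policy applies only when no rule matched at all. It assumes that conntrack has already assigned each packet a state, represents packets as plain dicts, and uses constructed sample packets rather than captured traffic. It also shows why rule order matters: the commented-out sshd rule only takes effect if it is inserted above the `-j LOGGING` jump.

```python
"""First-match walk through the INPUT chain from the posted script (added example).

Assumptions (not in the original post): a packet is a plain dict with the fields
in_if, proto, state, syn and dport, and conntrack has already classified its
state. Targets, chain names and rule order are taken from the script.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

EXT_IF = "wlan0"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT, DROP, LOG or a user chain
    in_if: Optional[str] = None              # -i <iface>; hidden by `iptables -L -n`
    proto: Optional[str] = None              # -p tcp
    states: Optional[FrozenSet[str]] = None  # -m state --state A,B
    syn: Optional[bool] = None               # True: --syn, False: ! --syn
    dport: Optional[int] = None              # --dport

    def matches(self, pkt: dict) -> bool:
        """Every match option present on the rule must hold; absent ones match all."""
        checks = (
            (self.in_if, pkt.get("in_if")),
            (self.proto, pkt.get("proto")),
            (self.syn, pkt.get("syn")),
            (self.dport, pkt.get("dport")),
        )
        if any(want is not None and want != got for want, got in checks):
            return False
        return self.states is None or pkt.get("state") in self.states


# The INPUT chain exactly as the script appends it.
CHAINS: Dict[str, List[Rule]] = {
    "INPUT": [
        Rule("ACCEPT", in_if="lo"),
        Rule("DROP", in_if=EXT_IF, proto="tcp", syn=False, states=frozenset({"NEW"})),
        Rule("ACCEPT", in_if=EXT_IF, states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("LOGGING"),
    ],
    "LOGGING": [Rule("LOG"), Rule("DROP")],
}
POLICIES = {"INPUT": "DROP"}  # built-in chains only; user chains RETURN when exhausted

# The commented-out sshd rule from the services block.
SSHD_RULE = Rule("ACCEPT", in_if=EXT_IF, proto="tcp", dport=2299,
                 states=frozenset({"NEW", "ESTABLISHED"}))

Trace = List[Tuple[str, object, str]]


def walk(chain: str, chains: Dict[str, List[Rule]], pkt: dict, trace: Trace) -> Optional[str]:
    """Evaluate `chain` top to bottom; the first terminating target decides."""
    for idx, rule in enumerate(chains[chain]):
        if not rule.matches(pkt):
            continue
        trace.append((chain, idx, rule.target))
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "LOG":          # non-terminating: log, then keep going
            continue
        verdict = walk(rule.target, chains, pkt, trace)  # jump into a user chain
        if verdict is not None:
            return verdict
    if chain in POLICIES:                 # built-in chain exhausted: policy applies
        trace.append((chain, "policy", POLICIES[chain]))
        return POLICIES[chain]
    return None                           # user chain exhausted: implicit RETURN


def evaluate(pkt: dict, chains: Dict[str, List[Rule]] = CHAINS) -> Tuple[str, Trace]:
    trace: Trace = []
    return walk("INPUT", chains, pkt, trace), trace


def evaluate_with_sshd(pkt: dict, position: int) -> Tuple[str, Trace]:
    """Insert SSHD_RULE at 0-based `position` in INPUT (like `iptables -I INPUT <position+1>`)."""
    chains = {name: list(rules) for name, rules in CHAINS.items()}
    chains["INPUT"].insert(position, SSHD_RULE)
    return evaluate(pkt, chains)


def policy_reached(trace: Trace) -> bool:
    """True if the verdict came from the chain policy rather than from a rule."""
    return any(step[1] == "policy" for step in trace)


# Constructed packets (not captured traffic); conntrack state already decided.
PACKETS = {
    "loopback": {"in_if": "lo",    "proto": "tcp", "state": "NEW",         "syn": True,  "dport": 80},
    "ack_scan": {"in_if": "wlan0", "proto": "tcp", "state": "NEW",         "syn": False, "dport": 2299},
    "reply":    {"in_if": "wlan0", "proto": "tcp", "state": "ESTABLISHED", "syn": False, "dport": 40000},
    "ssh_syn":  {"in_if": "wlan0", "proto": "tcp", "state": "NEW",         "syn": True,  "dport": 2299},
    "other_if": {"in_if": "eth0",  "proto": "udp", "state": "NEW",         "dport": 53},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        verdict, trace = evaluate(pkt)
        print(f"{name:9} -> {verdict:6} via {trace}")
    for pos in (2, 4):
        verdict, trace = evaluate_with_sshd(PACKETS["ssh_syn"], pos)
        print(f"sshd rule at index {pos}: ssh_syn -> {verdict} via {trace}")
```

Two things the walk makes visible that the `-L -n` listing does not: the first ACCEPT only ever fires for `in_if == "lo"`, and nothing reaches the INPUT policy at all, because the unconditional `-j LOGGING` jump ends in DROP. That is why the policy counter in the `-v` output stays at 0 packets while the LOGGING chain counts the drops. On a real box, `iptables -S INPUT` (or `iptables-save`) prints each rule in command syntax, including the `-i lo` and `-i wlan0` matches, so the interface restriction is readable without `-v`.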
Tags: iptables, order, rules