FedoraForum.org - Fedora Support Forums and Community

    [Solved] Order of rules in IPTABLES...

    I've written a simple firewall script in the order that I thought I wanted it in, but when I do an iptables -L -n, I'm seeing something that looks a little creepy.

    The script is as follows:

    Code:
    #! /bin/bash
    #
    #
    #  My IPTABLES Chicken-Scratch
    #
    #
    
    RULE="/sbin/iptables"
    EXT_IF="wlan0"
    
    
    # Swish!
    $RULE -F
    $RULE -Z
    $RULE -X
    
    
    # Defaults
    $RULE -P INPUT DROP
    $RULE -P FORWARD DROP
    $RULE -P OUTPUT ACCEPT
    
    # Something like "pass quick on lo0"
    $RULE -A INPUT -i lo -j ACCEPT
    $RULE -A OUTPUT -o lo -j ACCEPT
    
    # Keep the WWW Beautiful -- ***READ MORE, ADD MORE!!!***
    # No FIN, no SYN, so Service!
    $RULE -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
    
    ###########################################
    ##  BEGIN SERVICES  ##                    ##
    ######################                     #/
    
    # sshd
    #$RULE -A INPUT -i $EXT_IF -p tcp --dport 2299 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # http/s
    #$RULE -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    #$RULE -A INPUT -i $EXT_IF -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    ######################                     #/
    ##   END SERVICES   ##                    ##
    ###########################################
    
    # Something like "keep state?"
    $RULE -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    ###################          
    ##    LOGGING    ##
    ###################
    
    $RULE -N LOGGING
    $RULE -A INPUT -j LOGGING
    $RULE -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "DROPPED: " --log-level 7
    $RULE -A LOGGING -j DROP

    When I run the script and do an iptables -L -n, it looks like the INPUT chain wants to pass everything from the get-go:


    Code:
    # iptables -L -n
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    LOGGING    all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain LOGGING (1 references)
    target     prot opt source               destination         
    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
    DROP       all  --  0.0.0.0/0            0.0.0.0/0

    Under the INPUT Chain policy line, why does it say "accept all from anywhere to anywhere?" How is that dropping packets by default? Am I reading this incorrectly?

    Thanks

    ---------- Post added at 07:22 AM ---------- Previous post was at 06:56 AM ----------

    Never mind....


    Code:
    # iptables -L -n -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
     4122 6146K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       16  2400 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 3219 packets, 184K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    
    Chain LOGGING (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        8  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
       16  2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    using the -v flag helps.
    Last edited by mchauber; 27th March 2012 at 12:24 PM. Reason: Brain-gas
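An added example, not from the post or from Fedora: a small Python audit script that parses the `iptables -L -n -v` listing quoted above, flags ACCEPT rules that would look unrestricted in the non-verbose view because their only scope is an interface, and walks a chain in first-match order for a constructed packet. The sample listing is the one from the post; the matcher is deliberately simplified (interface, protocol, conntrack state and the `tcpflags:! 0x17/0x02` form that `! --syn` produces; no port or address matching), and the packet dictionary fields are an assumption of this example.

```python
"""Parse `iptables -L -n -v` output, lint rule scope, and simulate first-match order."""
import re
from dataclasses import dataclass

# Constructed sample: the verbose listing from the post (INPUT, OUTPUT and LOGGING chains).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02 state NEW
 4122 6146K ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   16  2400 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3219 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "DROPPED: "
   16  2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match text, e.g. "state RELATED,ESTABLISHED" ("" if none)

@dataclass
class Chain:
    name: str
    policy: str  # "DROP"/"ACCEPT" for built-in chains, "-" for user-defined chains
    rules: list

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_listing(text):
    """Return {chain_name: Chain} from `iptables -L -n -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2) or "-", [])
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if m:
            _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
            current.rules.append(Rule(target, prot, in_if, out_if, src, dst, extra or ""))
    return chains

def is_unrestricted(rule):
    """True when nothing narrows the rule at all (a real accept/drop-everything rule)."""
    return (rule.prot == "all" and rule.in_if == "*" and rule.out_if == "*"
            and rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0" and rule.extra == "")

def audit_chain(chain):
    """Findings as (rule_index, message): ACCEPTs with no criteria, and ACCEPTs whose
    only scope is an interface, which `-L -n` (no -v) prints as if they had none."""
    findings = []
    for i, r in enumerate(chain.rules):
        if r.target == "ACCEPT" and is_unrestricted(r):
            findings.append((i, "ACCEPT with no match criteria; every later rule is dead"))
        elif r.target == "ACCEPT" and r.prot == "all" and r.extra == "":
            findings.append((i, f"ACCEPT scoped only by interface in={r.in_if} out={r.out_if}; invisible without -v"))
    return findings

def rule_matches(rule, pkt):
    """Simplified matcher: interfaces, protocol, conntrack state and the tcpflags form of `! --syn`."""
    if rule.in_if != "*" and rule.in_if != pkt.get("in_if", "*"):
        return False
    if rule.out_if != "*" and rule.out_if != pkt.get("out_if", "*"):
        return False
    if rule.prot != "all" and rule.prot != pkt["proto"]:
        return False
    m = re.search(r"state (\S+)", rule.extra)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"tcpflags:(!?) ?0x([0-9a-f]+)/0x([0-9a-f]+)", rule.extra)
    if m:  # mask/compare: matches when (flags & mask) == compare, inverted by "!"
        negate, mask, cmp = m.group(1) == "!", int(m.group(2), 16), int(m.group(3), 16)
        if ((pkt.get("tcp_flags", 0) & mask) == cmp) == negate:
            return False
    return True

def verdict(chains, chain_name, pkt):
    """Walk a chain top to bottom (first match wins), descend into user chains, else policy."""
    chain = chains[chain_name]
    for r in chain.rules:
        if not rule_matches(r, pkt):
            continue
        if r.target in chains:  # jump to a user-defined chain such as LOGGING
            v = verdict(chains, r.target, pkt)
            if v != "RETURN":
                return v
            continue
        if r.target == "LOG":  # non-terminating target: keep walking
            continue
        return r.target
    return chain.policy if chain.policy != "-" else "RETURN"

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for idx, msg in audit_chain(chains["INPUT"]):
        print(f"INPUT rule {idx}: {msg}")
    new_syn = {"in_if": "wlan0", "proto": "tcp", "state": "NEW", "tcp_flags": 0x02}
    print("new SYN on wlan0 ->", verdict(chains, "INPUT", new_syn))
```

The first finding is exactly the rule the post asks about: in the verbose view it is `ACCEPT all -- lo *`, so it only short-circuits loopback traffic; a wlan0 packet falls through to the `! --syn` drop, the state match, and finally the LOGGING chain, whose DROP is what actually enforces the policy for anything unmatched. `iptables -S` prints the same rules in their original `-A ... -i lo -j ACCEPT` form and is another way to see the interface scope without counting columns.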
