[CLUE-Tech] iptables not allowing the ACCEPT target?

David Anselmi anselmi at americanisp.net
Fri Nov 29 09:45:26 MST 2002


Jed S. Baer wrote:
> Hi Folks.
> 
> Messing about with my firewall settings here, which might be just a little
> too tight. For example, not allowing an ftp data channel.
> 
> My old setting, 1 line:
> -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

[...]

> Seems I should be able to enter two rules in the input chain, and achieve
> the same thing, without creating another chain (I'm guessing the author
> created the 'block' chain so it could be called from both the INPUT and
> FORWARD chains).
> 
> -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

So to summarize your policy (i.e., what you want to happen) you are 
protecting this one box only and you'd like it to be able to establish 
connections to the Internet but not accept any, except for related 
connections.

What is the policy on the INPUT chain?  If it is DROP, you are probably 
ok (and your second line is extraneous).  If it is ACCEPT, your first 
line is extraneous and you are allowing everything except new TCP 
connections (e.g., UDP, ICMP).

Sadly the implementation of the state module doesn't seem to be 
documented (well, I didn't look too hard and I don't have time to read 
the source--which may be very well documented).  So it's hard to say 
what related means exactly, or what established means with UDP.

Why don't you just go with the example given?  To apply it to the INPUT 
chain only is still just 2 lines and using a DROP policy would seem to 
fail more safely than ACCEPT.

Dave
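An added example, not part of this thread: a small Python model of the INPUT chain walk that checks the point about chain policy above. The packets and their conntrack states are constructed here, not captured from a real firewall, and the two matcher functions are my rendering of Jed's two rules.

```python
# Added example (not from the original post): a tiny model of the iptables
# INPUT chain to show how rule order and chain policy decide the verdict.
# Packet fields and conntrack states are constructed sample data.
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    state: str            # conntrack view: NEW, ESTABLISHED or RELATED
    tcp_flags: int = 0    # only meaningful for tcp


def flags_match(flags, mask, cmp):
    # --tcp-flags MASK COMP: of the bits in MASK, exactly those in COMP are set
    return (flags & mask) == cmp


def rule_ppp_established(p):
    # -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    return p.iface.startswith("ppp") and p.state in ("ESTABLISHED", "RELATED")


def rule_ppp_syn_drop(p):
    # -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
    return (p.iface.startswith("ppp") and p.proto == "tcp"
            and flags_match(p.tcp_flags, SYN | RST | ACK, SYN))


def run_input_chain(p, policy):
    """Walk the two rules in order; first match wins, else the chain policy."""
    for matcher, target in ((rule_ppp_established, "ACCEPT"),
                            (rule_ppp_syn_drop, "DROP")):
        if matcher(p):
            return target
    return policy


# Constructed sample traffic arriving on the dial-up interface.
SAMPLES = {
    "new tcp syn": Packet("ppp0", "tcp", "NEW", SYN),
    "reply to our conn": Packet("ppp0", "tcp", "ESTABLISHED", ACK),
    "ftp data (related)": Packet("ppp0", "tcp", "RELATED", SYN),
    "new udp": Packet("ppp0", "udp", "NEW"),
    "new icmp": Packet("ppp0", "icmp", "NEW"),
}


def verdicts(policy):
    return {name: run_input_chain(p, policy) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(f"policy {policy}: {verdicts(policy)}")
```

With a DROP policy the unsolicited UDP and ICMP packets never reach a rule and are dropped, so the second rule only restates the policy; with an ACCEPT policy they fall through and are accepted, which is the hole Dave describes.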