[CLUE-Tech] iptables not allowing the ACCEPT target?

Jed S. Baer thag at frii.com
Fri Nov 29 10:09:58 MST 2002


On Fri, 29 Nov 2002 09:45:26 -0700
David Anselmi <anselmi at americanisp.net> wrote:

> Jed S. Baer wrote:
> > 
> > -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -i ppp+ -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> 
> So to summarize your policy (i.e., what you want to happen) you are 
> protecting this one box only and you'd like it to be able to establish 
> connections to the Internet but not accept any, except for related 
> connections.

Since I don't have forwarding turned on, there isn't anything I need to do
to protect other machines on the eth0 segment.

Yeah, that's the policy. Block anything incoming over ppp, unless it's
part of things like an ftp session I've started.

> What is the policy on the INPUT chain?  If it is DROP, you are probably 
> ok (and your second line is extraneous).  If it is ACCEPT, your first 
> line is extraneous and you are allowing everything except new TCP 
> connections (e.g., UDP, ICMP).

Uh, not sure I understand the question, coz there isn't any policy other
than stated above. There isn't, AFAIK, any default action anyplace. Is
that what you're hinting at with saying I don't need one or the other
lines? My understanding of how this works is if the packet falls through
the chain, it gets accepted, hence the need for the drop as the last line
in the chain.

So, you're referring to "If the end of a built-in chain is reached or a
rule in a built-in chain with target RETURN is matched, the target
specified by the chain policy determines the fate of the packet". OK, I
give up. This sounds to me like there's some "default" chain policy. Oh, I
see it now. I haven't set one. The default must be ACCEPT. And I think
it's easiest to leave it that way, for the sake of eth0 traffic, and write
the exceptions for the ppp. Either way, it results in a 2-line chain, i.e.
(with a policy of DROP):
  -A INPUT -i eth0 -j ACCEPT

> Sadly the implementation of the state module doesn't seem to be 
> documented (well, I didn't look too hard and I don't have time to read 
> the source--which may be very well documented).  So it's hard to say 
> what related means exactly, or what established means with UDP.
> 
> Why don't you just go with the example given?  To apply it to the INPUT 
> chain only is still just 2 lines and using a DROP policy would seem to 
> fail more safely than ACCEPT.

Well, I always figure that the simplest implementation is the best. If 2
lines are clear, and do what I want, why use 6?

Thanks,
jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
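An added example, not from the thread, that models the INPUT-chain walk the two of them are discussing: it encodes the rules quoted above as data (all names are constructed for the model) and shows that under the kernel's default ACCEPT policy an unsolicited UDP or ICMP packet on ppp falls through to ACCEPT, while a DROP policy with the eth0 and ESTABLISHED,RELATED lines drops it.

```python
# Added example, not from the thread: a toy model of the INPUT chain walk.
# Rules match first-to-last; at the end of a built-in chain the policy decides.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str              # e.g. "ppp0" or "eth0"
    proto: str              # "tcp", "udp" or "icmp"
    state: str              # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    syn_only: bool = False  # TCP with SYN set and RST,ACK clear (new connection)

def matches(rule, pkt):
    # Every field present in the rule must match; absent fields match anything.
    iface = rule.get("iface")
    if iface is not None:
        if iface.endswith("+"):            # "ppp+" is a prefix wildcard
            if not pkt.iface.startswith(iface[:-1]):
                return False
        elif pkt.iface != iface:
            return False
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    if "states" in rule and pkt.state not in rule["states"]:
        return False
    if rule.get("syn_only") and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True

def verdict(policy, chain, pkt):
    # First matching rule's target wins; otherwise the chain policy applies.
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Variant A (as posted): no policy set, so the kernel default ACCEPT applies.
POLICY_ACCEPT = ("ACCEPT", [
    {"iface": "ppp+", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"iface": "ppp+", "proto": "tcp", "syn_only": True, "target": "DROP"},
])
# Variant B (policy DROP): explicitly allow eth0 and reply traffic on ppp.
POLICY_DROP = ("DROP", [
    {"iface": "eth0", "target": "ACCEPT"},
    {"iface": "ppp+", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
])

def compare(pkt):
    # Verdict under each variant, as an (A, B) pair.
    return verdict(*POLICY_ACCEPT, pkt), verdict(*POLICY_DROP, pkt)
```

Feeding `compare()` a constructed `Packet("ppp0", "udp", "NEW")` gives `("ACCEPT", "DROP")`, which is exactly the UDP/ICMP gap David points at; a new TCP SYN on ppp is dropped under both.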


