[CLUE-Tech] iptables not allowing the ACCEPT target?
David Anselmi
anselmi at americanisp.net
Fri Nov 29 12:08:17 MST 2002
Jed S. Baer wrote:
[...]
>
>>What is the policy on the INPUT chain? If it is DROP, you are probably
>>ok (and your second line is extraneous). If it is ACCEPT, your first
>>line is extraneous and you are allowing everything except new TCP
>>connections (e.g., UDP, ICMP).
[...]
>
> So, you're referring to "If the end of a built-in chain is reached or a
> rule in a built-in chain with target RETURN is matched, the target
> specified by the chain policy determines the fate of the packet". OK, I
> give up. This sounds to me like there's some "default" chain policy. Oh, I
> see it now. I haven't set one. The default must be ACCEPT.
Yes. You can see what it is with iptables -L.
> And I think it's easiest to leave it that way, for the sake of eth0 traffic, and
> write the exceptions for the ppp. Either way, it results in a 2-line
> chain, i.e. (with a policy of DROP):
> -A INPUT -i eth0 -j ACCEPT
No, this is unnecessary. Here is Rusty's example for just the input chain:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp+ -j ACCEPT
This says established/related always allowed, new only allowed from
non-ppp interfaces (and covers your eth0 case). Of course you need the
policy set to drop:
iptables -P INPUT DROP
or
iptables -A INPUT -j DROP (after the above two lines).
You can argue that this is more complicated than your method, but it is
more complete as well (covers all protocols not just tcp).
If you change the policy to ACCEPT, how do you invert Rusty's rules?
iptables -A INPUT -m state --state NEW -i ppp+ -j DROP
Now you're back to one line and this is what you really meant to do.
The difference in the approaches is "drop what isn't explicitly allowed"
or "accept what isn't explicitly denied". The first might be marginally
better because if you mess up allowing things they don't work (which you
should notice). If you mess up denying things, they come through (which
you don't want and are less likely to notice). For such a simple case
neither is much of a risk--do what suits your perspective. But beware
if you start mucking with things and making them more complicated.
Dave
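As an added example (not code from this thread, and not iptables itself), here is a small Python model of the chain traversal the thread is arguing about: rules are tried in order, the first match decides, and a packet that reaches the end of a built-in chain gets the chain policy. It runs Rusty's two rules with policy DROP, the inverted one-liner with policy ACCEPT, and a tcp-only deny with policy ACCEPT (an assumed shape; the thread does not show the exact tcp-only rule) over a few constructed packets, and shows that the first two agree on every packet while the tcp-only version lets new UDP and ICMP in from the ppp side.

```python
"""Toy model of how an iptables built-in chain decides a packet's fate.

Added example, not code from this thread and not iptables itself.  It
models only what the discussion needs: rules are tried in order, the first
match decides, and a packet that reaches the end of the chain gets the
chain policy.  Interface patterns use the trailing '+' wildcard (ppp+).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # input interface, e.g. "eth0" or "ppp0"
    proto: str   # "tcp", "udp" or "icmp"
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str                              # -j ACCEPT / -j DROP
    states: Optional[FrozenSet[str]] = None  # -m state --state ...
    proto: Optional[str] = None              # -p ...
    iface: Optional[str] = None              # -i ...
    iface_negate: bool = False               # -i ! ... (2002 syntax; now ! -i ...)


def iface_matches(pattern: str, iface: str) -> bool:
    """'ppp+' matches every interface whose name starts with 'ppp'."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.iface is not None:
        hit = iface_matches(rule.iface, pkt.iface)
        if hit == rule.iface_negate:  # a negated rule wants a miss, a plain one a hit
            return False
    return True


def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain; the first matching rule wins, otherwise the policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


Chain = Tuple[List[Rule], str]

# Rusty's two rules with the policy set to DROP (from the message above).
RUSTY_DROP_POLICY: Chain = ([
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", states=frozenset({"NEW"}), iface="ppp+", iface_negate=True),
], "DROP")

# The inverted one-liner with the policy left at ACCEPT.
INVERTED_ACCEPT_POLICY: Chain = ([
    Rule("DROP", states=frozenset({"NEW"}), iface="ppp+"),
], "ACCEPT")

# A tcp-only deny with policy ACCEPT.  Assumed shape: the thread does not
# show the exact rule, only that it matched new TCP connections.
TCP_ONLY_ACCEPT_POLICY: Chain = ([
    Rule("DROP", states=frozenset({"NEW"}), proto="tcp", iface="ppp+"),
], "ACCEPT")

# Constructed sample traffic, one packet per interesting case.
SAMPLE_PACKETS = [
    Packet("ppp0", "tcp", "NEW"),
    Packet("ppp0", "udp", "NEW"),
    Packet("ppp0", "icmp", "NEW"),
    Packet("ppp0", "tcp", "ESTABLISHED"),
    Packet("eth0", "udp", "NEW"),
    Packet("eth0", "tcp", "RELATED"),
]


def decisions(chain: Chain) -> Dict[Packet, str]:
    rules, policy = chain
    return {pkt: verdict(rules, policy, pkt) for pkt in SAMPLE_PACKETS}


def leaks(chain: Chain) -> List[Packet]:
    """Packets this chain accepts that the default-deny version drops."""
    reference = decisions(RUSTY_DROP_POLICY)
    return [pkt for pkt, v in decisions(chain).items()
            if v == "ACCEPT" and reference[pkt] == "DROP"]


if __name__ == "__main__":
    for name, chain in [("Rusty, policy DROP", RUSTY_DROP_POLICY),
                        ("inverted, policy ACCEPT", INVERTED_ACCEPT_POLICY),
                        ("tcp-only, policy ACCEPT", TCP_ONLY_ACCEPT_POLICY)]:
        print(name)
        for pkt, v in decisions(chain).items():
            print(f"  {pkt.iface:5} {pkt.proto:4} {pkt.state:11} -> {v}")
        print("  leaks vs default deny:", leaks(chain))
```

The model deliberately ignores everything iptables does that the thread does not touch (other tables, user-defined chains, RETURN, the --syn flag); its one point is that with the rules as quoted, "policy DROP plus two ACCEPTs" and "policy ACCEPT plus one DROP" give the same answer for every packet, and a protocol-specific deny does not.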