[CLUE-Tech] iptables not allowing the ACCEPT target?

David Anselmi anselmi at americanisp.net
Fri Nov 29 12:08:17 MST 2002


Jed S. Baer wrote:
[...]
> 
>>What is the policy on the INPUT chain?  If it is DROP, you are probably 
>>ok (and your second line is extraneous).  If it is ACCEPT, your first 
>>line is extraneous and you are allowing everything except new TCP 
>>connections (e.g., UDP, ICMP).
[...]
> 
> So, you're referring to "If the end of a built-in chain is reached or a
> rule in a built-in chain with target RETURN is matched, the target
> specified by the chain policy determines the fate of the packet". OK, I
> give up. This sounds to me like there's some "default" chain policy. Oh, I
> see it now. I haven't set one. The default must be ACCEPT.

Yes.  You can see what it is with iptables -L.

> And I think it's easiest to leave it that way, for the sake of eth0 traffic, and
> write the exceptions for the ppp. Either way, it results in a 2-line
> chain, i.e. (with a policy of DROP):
>   -A INPUT -i eth0 -j ACCEPT

No, this is unnecessary.  Here is Rusty's example for just the input chain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp+ -j ACCEPT

This says established/related always allowed, new only allowed from 
non-ppp interfaces (and covers your eth0 case).  Of course you need the 
policy set to drop:

iptables -P INPUT DROP

or

iptables -A INPUT -j DROP (after the above two lines).

You can argue that this is more complicated than your method, but it is 
more complete as well (covers all protocols not just tcp).

If you change the policy to ACCEPT, this is how you invert Rusty's rules:

iptables -A INPUT -m state --state NEW -i ppp+ -j DROP

Now you're back to one line and this is what you really meant to do. 
The difference in the approaches is "drop what isn't explicitly allowed" 
or "accept what isn't explicitly denied".  The first might be marginally 
better because if you mess up allowing things they don't work (which you 
should notice).  If you mess up denying things, they come through (which 
you don't want and are less likely to notice).  For such a simple case 
neither is much of a risk--do what suits your perspective.  But beware 
if you start mucking with things and making them more complicated.

Dave
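The two approaches Dave contrasts, run through a small model of INPUT-chain traversal. This is an added example, not part of the original post and not iptables itself (the real tool needs root and a kernel, so nothing here is run through it). The Packet/Rule/Chain classes, the labelled sample traffic and the `verdicts`/`leaks` helpers are assumptions of the example; the rule sets are transcriptions of the commands quoted in the thread, plus a tcp-only deny rule standing in for the "everything except new TCP connections" case mentioned at the top. The INVALID conntrack state is not discussed in the thread; it is included to show what a NEW-only deny rule does not cover.

```python
"""Model of iptables INPUT-chain traversal (constructed example, not iptables).

The first matching rule decides a packet; a packet that reaches the end of a
built-in chain (or hits RETURN) gets the chain policy. Used to compare
"drop what isn't explicitly allowed" with "accept what isn't explicitly denied".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str  # input interface, e.g. "eth0" or "ppp0"
    proto: str  # "tcp", "udp" or "icmp"
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or RETURN
    states: Optional[Set[str]] = None  # -m state --state A,B
    iface: Optional[str] = None        # -i ppp+ ; trailing "+" is the iptables wildcard
    iface_negated: bool = False        # -i ! ppp+
    proto: Optional[str] = None        # -p tcp

    def matches(self, pkt: Packet) -> bool:
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.iface is not None:
            if self.iface.endswith("+"):
                hit = pkt.iface.startswith(self.iface[:-1])
            else:
                hit = pkt.iface == self.iface
            if hit == self.iface_negated:  # "!" flips the sense of the interface match
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.target == "RETURN":
                    break  # in a built-in chain RETURN falls through to the policy
                return rule.target
        return self.policy


# Rusty's two lines with "iptables -P INPUT DROP"
RUSTY_DROP_POLICY = Chain("DROP", [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", states={"NEW"}, iface="ppp+", iface_negated=True),
])

# The same two lines, policy left at ACCEPT, with "iptables -A INPUT -j DROP" appended
RUSTY_TRAILING_DROP = Chain("ACCEPT", RUSTY_DROP_POLICY.rules + [Rule("DROP")])

# The inverted one-liner with the policy at ACCEPT
INVERTED_ACCEPT_POLICY = Chain("ACCEPT", [
    Rule("DROP", states={"NEW"}, iface="ppp+"),
])

# The pitfall from the thread: a deny list that only covers new TCP connections
TCP_ONLY_DENY = Chain("ACCEPT", [
    Rule("DROP", states={"NEW"}, iface="ppp+", proto="tcp"),
])

# Constructed sample traffic, labelled so the verdicts can be compared by name
SAMPLE_PACKETS: List[Tuple[str, Packet]] = [
    ("new tcp from ppp0",         Packet("ppp0", "tcp", "NEW")),
    ("new udp from ppp0",         Packet("ppp0", "udp", "NEW")),
    ("new icmp from ppp0",        Packet("ppp0", "icmp", "NEW")),
    ("invalid tcp from ppp0",     Packet("ppp0", "tcp", "INVALID")),
    ("established udp from ppp0", Packet("ppp0", "udp", "ESTABLISHED")),
    ("new tcp from eth0",         Packet("eth0", "tcp", "NEW")),
    ("related icmp from eth0",    Packet("eth0", "icmp", "RELATED")),
]


def verdicts(chain: Chain) -> Dict[str, str]:
    """Verdict for each labelled sample packet under one chain."""
    return {label: chain.verdict(pkt) for label, pkt in SAMPLE_PACKETS}


def leaks(chain: Chain, reference: Chain = RUSTY_DROP_POLICY) -> List[str]:
    """Packets this chain ACCEPTs that the default-deny reference chain DROPs."""
    ref = verdicts(reference)
    return [label for label, v in verdicts(chain).items()
            if v == "ACCEPT" and ref[label] == "DROP"]


if __name__ == "__main__":
    chains = {
        "Rusty, policy DROP": RUSTY_DROP_POLICY,
        "Rusty, trailing -j DROP": RUSTY_TRAILING_DROP,
        "inverted, policy ACCEPT": INVERTED_ACCEPT_POLICY,
        "tcp-only deny, policy ACCEPT": TCP_ONLY_DENY,
    }
    for name, chain in chains.items():
        print(f"{name}:")
        for label, v in verdicts(chain).items():
            print(f"  {label:28} {v}")
        print(f"  accepted that default-deny drops: {leaks(chain) or 'none'}")
```

Running it prints one verdict table per chain. The two default-deny variants (policy DROP, or a trailing -j DROP) give identical results. The inverted one-liner matches them for every NEW, ESTABLISHED and RELATED packet and differs only on the INVALID packet, which its NEW-only rule never sees and the ACCEPT policy lets through. The tcp-only deny list additionally passes new UDP and ICMP from ppp0, which is the "mess up denying things and they come through" failure mode the post describes.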
