Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
From the man pages
iptables [-t table] -I chain [rulenum] rule-specification [options]
The -I option allows you to insert a rule. Suppose you have rule 2 and rule 3 and you think your new rule should come after 2 but before 3; you can use
iptables -I INPUT 3 xxxxxx
Quote:
I still don't follow what the numbers represent and how they work
Those numbers are just statistics - counters. They are the number of packets and bytes that have passed through the chain.
You can reset these counters with the -Z option.
Try this:
1. Do an iptables-save. Note the counter values (the ones in [ : ]).
2. Zero the counters:
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
3. Run iptables-save again, into another file.
Now compare the counter values. These values provide statistics and in no way affect your rules.
Please let us know if you are looking for something specific about these counters.
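The save/zero/save comparison described above, worked through as an added example (not code from the thread): a Python script reads two constructed iptables-save dumps, extracts the [packets:bytes] counters and reports what each rule matched; the ":INPUT DROP" entry shows how much traffic fell through to the default policy, which is the security-relevant number.

```python
import re

# Constructed iptables-save dumps standing in for the two files the post
# compares: the first taken before "iptables -Z", the second after it.
SAVE_BEFORE = """\
*filter
:INPUT DROP [1200:96000]
:OUTPUT ACCEPT [3400:511000]
[25:1500] -A INPUT -i lo -j ACCEPT
[1175:94500] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
SAVE_AFTER = """\
*filter
:INPUT DROP [40:3200]
:OUTPUT ACCEPT [50:7800]
[2:120] -A INPUT -i lo -j ACCEPT
[38:3080] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

COUNTER = re.compile(r"\[(\d+):(\d+)\]")

def parse_counters(dump):
    """Map each policy/rule line, counters stripped, to (packets, bytes)."""
    counters = {}
    for line in dump.splitlines():
        m = COUNTER.search(line)
        if not m:
            continue  # "*filter", "COMMIT" and comment lines carry no counters
        key = (line[:m.start()] + line[m.end():]).strip()
        counters[key] = (int(m.group(1)), int(m.group(2)))
    return counters

def rules_unchanged(before, after):
    """True when both dumps hold the same rules: -Z touches counters only."""
    return set(parse_counters(before)) == set(parse_counters(after))

def traffic_since(before, after, zeroed=True):
    """Packets and bytes each rule matched between the two dumps.

    After -Z the second dump restarts from zero, so its values are the delta;
    without -Z the delta is after minus before.  The ":INPUT DROP" entry
    counts packets that matched no rule and fell through to the policy.
    """
    b, a = parse_counters(before), parse_counters(after)
    delta = {}
    for key, (pk_a, by_a) in a.items():
        pk_b, by_b = (0, 0) if zeroed else b.get(key, (0, 0))
        delta[key] = (pk_a - pk_b, by_a - by_b)
    return delta
```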
Thanks. When you mean Rule 2 and Rule 3, are you referring to the line number within say the INPUT chain? As for the counters, how relevant are they to security?
I also noticed that my pre-configured chains have the policy DROP. When do they change from policy ACCEPT to policy DROP and vice versa?
Mandrake 10 came pre-defined with several firewall rules. Is it safe to delete them all and start from scratch since there are pre-defined chains apart from the common INPUT, OUTPUT and FORWARD? Is there a way to save both the rules and chains just to be on the safe side?
Quote:
Thanks. When you mean Rule 2 and Rule 3, are you referring to the line number within say the INPUT chain? As for the counters, how relevant are they to security?
It can be the INPUT chain or any other chain that you specify, e.g. iptables -I OUTPUT 3 xxx will insert the rule at position 3 of the OUTPUT chain.
Quote:
Mandrake 10 came pre-defined with several firewall rules. Is it safe to delete them all and start from scratch since there are pre-defined chains apart from the common INPUT, OUTPUT and FORWARD? Is there a way to save both the rules and chains just to be on the safe side?
Pointing you back to my first response to this thread. http://www.linuxquestions.org/questi...53#post1099553
Mandrake, being a RedHat/Fedora-based distro, also saves iptables rules at /etc/sysconfig/iptables. So you can simply rename the existing set of rules and start afresh.
To save your new rules you can issue the command service iptables save. You can still use the iptables-save command if you wish.
Wouldn't call myself an expert on netfilter ... will still try to help you out.
From the man page
Quote:
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.
With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.
-----------------------------------------
#quote
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.
With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.
-----------------------------------------
Now if I don't write any rules under Chain INPUT (policy DROP), will it drop every incoming packet?
Quote:
If I don't write any rules under Chain INPUT (policy DROP), will it drop every incoming packet?
True, a default INPUT DROP with no additional INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).
Originally posted by ppuru: True, a default INPUT DROP with no additional INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).
Only a bit more explanation :-) When a packet arrives, it will be checked against the rules respectively. If it matches the first one, then jump to the first one's target; if it matches the second one, then jump to the second one's target... And if there is no matching rule then `do the global policy'. So if you haven't any rule in your chain, directly, the global policy will be the packet's fate. You can assume the case you have a global policy and no rule, as you have only one rule as
-------------------------------------------
quote: barisdemiray
Only a bit more explanation :-) When a packet arrives, it will be checked against the rules respectively. If it matches the first one, then jump to the first one's target; if it matches the second one, then jump to the second one's target... And if there is no matching rule then `do the global policy'. So if you haven't any rule in your chain, directly, the global policy will be the packet's fate. You can assume the case you have a global policy and no rule, as you have only one rule as
-------------------------------------------
You mentioned assume, and I am guessing that the global policy would be to drop every packet that comes through via INPUT, for example, as the chain policy is e.g. Chain INPUT (policy DROP).
Just another question: now when it says, for example, Chain common (1 reference), what does that mean? Having looked at the default rules in my iptables, it seems to have its own pre-configured chains. I suppose you won't know what common does, but what does the numerical value of 1 reference refer to?
By the way ppuru, mandrake does not have a folder called /etc/sysconfig/iptables akin to Red Hat/Fedora.
Originally posted by Obie
Just another question: now when it says, for example, Chain common (1 reference), what does that mean? Having looked at the default rules in my iptables, it seems to have its own pre-configured chains. I suppose you won't know what common does, but what does the numerical value of 1 reference refer to?
That means the chain named `common' is the target of a rule. Look at the command's output below:
Code:
[root@labris1 log]# iptables -N example
[root@labris1 log]# iptables -A example -j LOG
[root@labris1 log]# iptables -A INPUT -j example
[root@labris1 log]# iptables -L example
Chain example (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
[root@labris1 log]# iptables -X example
iptables: Can't delete chain with references left
[root@labris1 log]#
When the `common' chain is the target of three rules, the reference count will be 3.
2) Say for example I wish to allow icmp(ping) requests from my box, I would use the following command iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply (B) completely something else. Also would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?
3) My next question is on --sport and --dport. Suppose I wish to allow my pc to access web pages, which commonly utilise Port 80. As far as my OUTPUT rule is concerned, how do I use --sport or --dport, and also what rule do I need for INPUT?
4) When do I use FORWARD and how do I use it? From what I have read so far, it is when you wish to send packets to another interface on your PC, assuming that I have 2.
5) How do I log every packet dropped, rejected and accepted, and where are the logs kept? Would it be in /var/log/syslog? Can I have separate files for the different target policies and if so how do I do so?
6) Is it possible to comment on each rule I create and if so how?
Quote:
2) Say for example I wish to allow icmp(ping) requests from my box, I would use the following command iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply (B) completely something else. Also would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?
True, echo-request (ping) causes an echo-reply (pong). You need to allow some of your ICMP traffic. But if you're blocking icmp-echo-request packets in the INPUT chain, then there is no need to block icmp-echo-reply in the OUTPUT chain because they simply will not be created :-)
Since net traffic is bidirectional, you need to allow both INPUT and OUTPUT. You cannot connect to www.yahoo.com if you can send request packets (allow in OUTPUT) but cannot get replies (deny in INPUT) from that address.
Quote:
3) My next question is on --sport and --dport. Suppose I wish to allow my pc to access web pages, which commonly utilise Port 80. As far as my OUTPUT rule is concerned, how do I use --sport or --dport, and also what rule do I need for INPUT?
Allow your web traffic with --dport 80 in the OUTPUT chain or --source www.etc.com in your INPUT chain. You send to port 80, but can get the resulting reply from another port.
Quote:
4) When do I use FORWARD and how do I use it? From what I have read so far, it is when you wish to send packets to another interface on your PC, assuming that I have 2.
If you're configuring a firewall on a gateway, for example, then you use the FORWARD chain. It transmits a packet from the internal network to the outer network (the internet, for example) or vice versa, and these packets go through the gateway computer. They do not pass through the INPUT and OUTPUT chains; they come from the wire, are checked against the rules in the FORWARD chain and go off the wire (I skipped the mangle and nat tables :-))
Quote:
5) How do I log every packet dropped, rejected and accepted, and where are the logs kept? Would it be in /var/log/syslog? Can I have separate files for the different target policies and if so how do I do so?
You can use the LOG target.
Code:
iptables -j LOG --help
A sample from my rc.firewall:
Code:
iptables -A INPUT -p tcp --destination-port 22 -j LOG --log-prefix \
'FIREWALL: SSH req. rejected ' --log-level emerg
iptables -A INPUT -p tcp --destination-port 22 -j DROP
Quote:
6) Is it possible to comment on each rule I create and if so how?
That would be good but I don't know any way to do this. Maybe in the rc.firewall file, but not visible in the `iptables -L' command's output, for example.
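As an added example (not code from the thread), the kernel messages that a LOG rule like the one above writes can be parsed to answer question 5 without separate log files: give each LOG rule its own --log-prefix and filter on that prefix. The syslog lines below are constructed, and the file they land in depends on the syslog configuration.

```python
import re
from collections import Counter

# Constructed syslog lines of the shape the LOG target produces (through
# klogd/syslog): the --log-prefix text is followed by key=value fields such
# as IN= OUT= SRC= DST= PROTO= SPT= DPT=, plus bare flags like DF and SYN.
SAMPLE_LOG = """\
Mar  3 10:15:02 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5123 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:03 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5124 DF PROTO=TCP SPT=41023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 labris1 kernel: FIREWALL: SSH req. rejected IN=eth0 OUT= SRC=198.51.100.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=771 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:30 labris1 kernel: FIREWALL: ICMP dropped IN=eth0 OUT= SRC=198.51.100.20 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=772 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:16:00 labris1 sshd[2211]: Accepted publickey for obie from 192.168.0.2 port 50111 ssh2
"""

# Everything between "kernel: " and the first IN= field is the --log-prefix.
LOG_LINE = re.compile(r"kernel: (?P<prefix>.*?)(?=\bIN=)(?P<fields>.*)$")

def parse_log_line(line):
    """Return (prefix, {field: value}) for a LOG-target line, else None."""
    m = LOG_LINE.search(line)
    if not m:
        return None  # not a netfilter LOG line (e.g. an sshd message)
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True  # bare flags carry no '='
    return m.group("prefix").strip(), fields

def count_by_source(log_text, prefix):
    """Logged packets per SRC address for one --log-prefix (one rule)."""
    per_src = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed and parsed[0] == prefix:
            per_src[parsed[1]["SRC"]] += 1
    return per_src
```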