From the man pages
[color=blue]iptables [-t table] -I chain [rulenum] rule-specification [options][/blue]
The -I options allows you to insert a rule. Suppose you have rule 2 and rule 3 and you think your new rule should come after 2 but before 3, you can use

iptables -I INPUT 3 xxxxxx
Those numbers are just statistics - counters. they are the number of packets and bytes that have passed throught the chain.
You can reset these counters with the -Z option.
try this
1. do an iptables-save. note the counter values - the ones in [ : ]
2. zero the counters
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
3. iptables-save again - into another file

Now compare the counter values. These values provide statistics and in no way affect your rules.

Please let us know if you are looking for something specific about these counters.

ppuru,

Thanks. When you mean Rule 2 and Rule 3, are you referring to the line number within say the INPUT chain? As for the counters, how relevant are they to security?

I also noticed that my pre-configured chains have the policy DROP. When do they change from policy ACCEPT to policy DROP and vice versa?

Mandrake 10 came pre-defined with several firewall rules. Is it safe to delete them all and start from scratch since there are pre-defined chains apart from the common INPUT, OUTPUT and FORWARD? Is there a way to save both the rules and chains just to be on the safe side?

It can be the INPUT chain or any other chain that you specify e.g.
iptables -I OUTPUT 3 xxx will insert the rule at position 3 of the OUTPUT chain

Pointing you back to my first response to this thread.
http://www.linuxquestions.org/questi...53#post1099553
Mandrake being a RedHat/Fedora based distro, too saves iptables rules at /etc/sysconfig/iptables. So you can simply rename the existing set of rules and start afresh.
To save your new rules you can issue the command service iptables save. You can still use the iptables-save command if you wish so.

ppuru,

Thanks. Would you be able to help me understand the policy ACCEPT and DROP beside each chain e.g. Chain INPUT (policy DROP)

Wouldn't call myself an expert on netfilters ... will still try to help you out.

From the man page
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.

With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.

ppuru,

That makes sense. Most of the guides out there don't explain the difference and how it works apart from creating rules for specific chains.

Just one more question to your reply ppuru

-----------------------------------------
#quote
You can treat this as your default firewall policy -
DROP any traffic that you have not explicitly allowed in your rules. This is the best stance.

With default ACCEPT policy, you are accepting all traffic that you have not explicitly rejected/denied in your other rules.
-----------------------------------------

Now if I don't write any rules under Chain INPUT (policy DROP), will it drop everything incoming packet?

True, a default INPUT DROP with no additional rules INPUT rules to accept specific traffic will block all incoming traffic (including the traffic from your local interface lo).

Only a bit more explanation :-) When a packet arrives, it will be checked against the rules respectively. If it matches with first one then jump to first one's target, if it matches with second one then jump to second one's target... And if there is no matching rule then `do the global policy'. So if you haven't any rule in your chain, directly, global policy will be the packets fate. You can assume the case you have a global policy and no rule, as you have only one rule as

-------------------------------------------
quote: barisdemiray
Only a bit more explanation :-) When a packet arrives, it will be checked against the rules respectively. If it matches with first one then jump to first one's target, if it matches with second one then jump to second one's target... And if there is no matching rule then `do the global policy'. So if you haven't any rule in your chain, directly, global policy will be the packets fate. You can assume the case you have a global policy and no rule, as you have only one rule as
-------------------------------------------

You mentioned assume, and I am guessing that the global policy would be to drop every packet that comes through via INPUT for example as the Chain policy is e.g. Chain INPUT (policy DROP)

Just a another question, now when it says for example Chain common (1 reference) what does that mean? Having looked at the default rules in my iptables it seems to have its own pre-configured chains. I suppose you won't know what common does but what does the numerical value of 1 reference refer to?

By the way ppuru, mandrake does not have a folder called /etc/sysconfig/iptables akin to Red Hat/Fedora.

Check in the iptables script (should be in /etc/init.d) and look where Mandrake saves the rules .

ppuru, thanks. would you be able to help with my previous questions on "reference"?

That means the chain named as `common' is target of a rule. Look at the commands output below:

When `common' chain is target of three rule, reference count will be 3.

Thank you all for your help. I do have a couple more queries.

I flushed all my rules within iptables and have the following listed as local policy

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

1) What does "opt" refer to?

2) Say for example I wish to allow icmp(ping) requests from my box, I would use the following command iptables -A OUTPUT -p icmp -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT. This would allow me to send out icmp packets. What I am attempting to comprehend is that I also noticed I require an INPUT rule. Is this because (A) I must allow the packet to return with a reply (B) completely something else. Also would this be the case for every OUTPUT rule I create? How does it affect INPUT rules?

3) My next questions is on --sport and --dport. Suppose I wish to allow port my pc to access web pages which commonly utilises Port 80. How as far as my OUTPUT rule is concerned do I use --sport or --dport and also what rule do I need for INPUT

4) When do I use FOWARD and How do I use it? From what I have read so far, it when you wish to send packets to another interface on your PC assuming that I have 2.

5) How do I log every packet dropped , rejected and accepted and where are the logs kept? Would it be in /var/log/syslog? Can I have separate files for the different target policies and if so how do I do so?

6) Is it possible to comment on each rule I create and if so how?

Hmm.. No idea..

True, echo-request (ping) causes an echo-reply (pong).. You need to allow some of your ICMP traffic But if you're blocking icmp-echo-request packets in INPUT chain, then no need to block icmp-echo-reply in OUTPUT chain because they simply will not be created :-)

Since net traffic is bidirectional, you need to allow both INPUT and OUTPUT. You cannot you connect www.yahoo.com if you can send request packets (allow in OUTPUT) but cannot get replies (deny in INPUT) from that address..

Allow your web traffic with --dport 80 in OUTPUT chain or --source www.etc.com in your INPUT chain.. You send to port 80, but can get the resulting reply from another port..

If you're configuring a firewall on a gateway for example, then you use FORWARD chain. They transmit a packet from internal network to outer network (internet for example) or vice-versa and these packets goes through the gateway computer. They do not pass through INPUT and OUTPUT chains, they come from wire, checked against the rules in FORWARD chain and goes off wire (i skipped mangle and nat tables :-))

You can use the LOG target..

A sample from my rc.firewall

That would be good but i don't know any way for this. May be in rc.firewall file but not visible in `iptables -L' command's output for example.