LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Some questions about the iptables (https://www.linuxquestions.org/questions/linux-security-4/some-questions-about-the-iptables-4175726125/)

Jason.nix 06-19-2023 01:22 AM

Some questions about the iptables
 
Hello,
I wrote the following iptables rules:
Code:

$ sudo iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  127.0.0.0/8          127.0.0.0/8       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere           
SYN_FLOOD  tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:9050

Chain FORWARD (policy DROP)
target    prot opt source              destination       
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere           
ACCEPT    udp  --  anywhere            anywhere           
ACCEPT    icmp --  anywhere            anywhere           
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere           

Chain SYN_FLOOD (1 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere            limit: avg 5/sec burst 10
DROP      all  --  anywhere            anywhere

And used iptables-save > /etc/sysconfig/iptables command to save it. I have two questions:

1- I use Debian and I guess by default it does not have any iptables service. I installed the iptables-persistent package to have the iptables service, and I want to know whether it reads my iptables rules, and whether, when I use the sudo systemctl stop iptables.service command, all of the above rules must be disabled? If yes, then this does not happen.

2- When I use the iptables -F command, my network is disconnected. Why?
Code:

$ sudo iptables -F
$
$ sudo iptables-save
# Generated by iptables-save v1.8.7 on Mon Jun 19 09:50:18 2023
*filter
:INPUT DROP [14:4022]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:76]
:SYN_FLOOD - [0:0]
COMMIT
# Completed on Mon Jun 19 09:50:18 2023
$
$ sudo iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       

Chain FORWARD (policy DROP)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain SYN_FLOOD (0 references)
target    prot opt source              destination       
$
$ ping google.com
ping: google.com: Temporary failure in name resolution

Thank you.

evo2 06-19-2023 02:22 AM

Hi,

default firewall on Debian is netfilter/nftables not iptables.
See https://wiki.debian.org/nftables
Is there some particular reason you want to use iptables?

Evo2.

Jason.nix 06-19-2023 03:23 AM

Quote:

Originally Posted by evo2 (Post 6437258)
Hi,

default firewall on Debian is netfilter/nftables not iptables.
See https://wiki.debian.org/nftables
Is there some particular reason you want to use iptables?

Evo2.

Hello,
Thank you so much for your reply.
The netfilter/nftables is the next generation of iptables. Do you mean the iptables rules don't work? They worked. My questions are: why, when I use systemctl stop iptables.service, does it not apply, and why, when I use the iptables -F command, is my network disconnected?

michaelk 06-19-2023 04:38 AM

The rules are flushed but the policy remains as drop. Without any rules to accept traffic nothing gets through.

Jason.nix 06-19-2023 05:38 AM

Quote:

Originally Posted by michaelk (Post 6437277)
The rules are flushed but the policy remains as drop. Without any rules to accept traffic nothing gets through.

Hello,
Thank you for your reply.
What should I do?

michaelk 06-19-2023 05:49 AM

Change the default policy
https://wiki.debian.org/iptables

Jason.nix 06-19-2023 07:43 AM

Quote:

Originally Posted by michaelk (Post 6437284)
Change the default policy
https://wiki.debian.org/iptables

Hello,
Thank you so much for your reply.

So, I must:
Code:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
# iptables-save > /etc/iptables.up.rules

Then:
Code:

# nano /etc/network/if-pre-up.d/iptables
And add the following lines to it:
Code:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

And finally:
Code:

# chmod +x /etc/network/if-pre-up.d/iptables
Am I right?

Jason.nix 06-21-2023 06:27 AM

Hello,
I did the above commands and started the nftables service:
Code:

$ systemctl status nftables.service
● nftables.service - nftables
    Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor pres>
    Active: active (exited) since Wed 2023-06-21 13:56:04 +0330; 54min ago
      Docs: man:nft(8)
            http://wiki.nftables.org
    Process: 388 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, st>
  Main PID: 388 (code=exited, status=0/SUCCESS)
        CPU: 11ms

Warning: some journal files were not opened due to insufficient permissions.

If it is nftables vs. iptables, then why are my iptables rules active:
Code:

$ sudo iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  127.0.0.0/8          127.0.0.0/8       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere           
SYN_FLOOD  tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:9050

Chain FORWARD (policy DROP)
target    prot opt source              destination       
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere           
ACCEPT    udp  --  anywhere            anywhere           
ACCEPT    icmp --  anywhere            anywhere           
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable
ACCEPT    all  --  anywhere            anywhere           

Chain SYN_FLOOD (1 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere            limit: avg 5/sec burst 10
DROP      all  --  anywhere            anywhere

Any ideas are welcome.

JJJCR 06-26-2023 09:30 PM

Just my 2 cents: REJECT should be the last line in Chain INPUT (policy DROP).
I believe the process is some sort of water flow; if you put REJECT at the top, then whatever comes with it will be ignored or rejected.

Quote:

REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
But what is the status right now after the iptables is active?
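
As an added illustration (not code from any of the posters), the script below lints an iptables-save dump for the two problems raised in this thread: michaelk's point that after `iptables -F` the chain policy stays DROP with nothing left to ACCEPT, and JJJCR's point that an unconditional REJECT placed mid-chain shadows every rule after it. The two sample dumps are constructed for the example: `ORIGINAL_RULES` is the first post's ruleset rewritten in iptables-save form (the `-i lo` / `-o lo` matches are taken from the nft dump later in the thread, because `iptables -L` without `-v` does not print interface matches), and `FLUSHED_RULES` is the empty table shown after `iptables -F`. The file name `lint_rules.py` in the usage comment is hypothetical.

```python
import shlex
import sys
from collections import namedtuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end chain traversal
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}     # chains that carry a default policy

# Constructed sample: the first post's ruleset in iptables-save form. The
# `-i lo` / `-o lo` matches come from the nft dump later in the thread, since
# `iptables -L` without -v does not print interface matches.
ORIGINAL_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A SYN_FLOOD -m limit --limit 5/sec --limit-burst 10 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT
"""

# Constructed sample: the table as it looked after `iptables -F` in the first post.
FLUSHED_RULES = """\
*filter
:INPUT DROP [14:4022]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:76]
:SYN_FLOOD - [0:0]
COMMIT
"""

Rule = namedtuple("Rule", "matches target text")   # matches == [] means "every packet"
Chain = namedtuple("Chain", "name policy rules")    # policy is "-" for user-defined chains


def parse_iptables_save(dump):
    """Parse the *filter table of an iptables-save dump into {name: Chain}."""
    chains, in_filter = {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header: *filter, *nat, ...
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":"):            # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(name, policy, [])
            continue
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:
            continue
        if "-j" in tok:                     # match options sit between the chain name and -j
            j = tok.index("-j")
            matches, target = tok[2:j], tok[j + 1]
        else:                               # no verdict at all: a counting-only rule
            matches, target = tok[2:], None
        chains.setdefault(tok[1], Chain(tok[1], "-", [])).rules.append(
            Rule(matches, target, line))
    return chains


def lint(chains):
    """Return (kind, chain, detail) findings: dead rules and lockouts."""
    findings = []
    for chain in chains.values():
        shadowed_by, reachable_accept = None, False
        for rule in chain.rules:
            if shadowed_by is not None:     # an unconditional verdict came earlier
                findings.append(("unreachable", chain.name,
                                 f"{rule.text}  (shadowed by: {shadowed_by})"))
                continue
            if rule.target == "ACCEPT":
                reachable_accept = True
            if not rule.matches and rule.target in TERMINATING:
                shadowed_by = rule.text     # everything after this rule is dead
        if chain.name in BUILTIN and chain.policy == "DROP" and not reachable_accept:
            findings.append(("lockout", chain.name,
                             "policy DROP with no reachable ACCEPT rule: nothing gets through"))
    return findings


if __name__ == "__main__":   # `sudo iptables-save | python3 lint_rules.py -` lints the live table
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else ORIGINAL_RULES
    for kind, chain, detail in lint(parse_iptables_save(text)):
        print(f"{kind:11} {chain:9} {detail}")
```

On the first post's INPUT chain the linter reports the four rules after the unconditional REJECT as unreachable, including the `--dport 9050` ACCEPT, which is why a new inbound connection on that port can never be accepted; the zero packet counters on those rules in the posted `nft list ruleset` output show the same thing. On the flushed table it reports INPUT and FORWARD as locked out, which is the state michaelk describes and the reason the `ping` in the first post failed.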

Jason.nix 07-03-2023 05:40 AM

Quote:

Originally Posted by JJJCR (Post 6438731)
Just my 2 cents: REJECT should be the last line in Chain INPUT (policy DROP).
I believe the process is some sort of water flow; if you put REJECT at the top, then whatever comes with it will be ignored or rejected.

But what is the status right now after the iptables is active?

Hello,
Thank you so much for your reply.
Must I remove the iptables package?

Please take a look at my nftables rules:
Code:

$ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter packets 178007 bytes 220243413 accept
                ct state related,established counter packets 1453983 bytes 1679227858 accept
                counter packets 86970 bytes 10375889 reject
                ct state related,established counter packets 0 bytes 0 accept
                iifname "lo" counter packets 0 bytes 0 accept
                meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn counter packets 0 bytes 0 jump SYN_FLOOD
                meta l4proto tcp tcp dport 9050 counter packets 0 bytes 0 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 0 bytes 0 reject
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                meta l4proto tcp counter packets 1162086 bytes 359674226 accept
                meta l4proto udp counter packets 8813 bytes 1542432 accept
                meta l4proto icmp counter packets 287 bytes 40339 accept
                counter packets 6 bytes 240 reject
                oifname "lo" counter packets 0 bytes 0 accept
        }

        chain SYN_FLOOD {
                limit rate 5/second burst 10 packets counter packets 0 bytes 0 return
                counter packets 0 bytes 0 drop
        }
}


JJJCR 07-06-2023 08:12 PM

Quote:

Must I remove the iptables package?
If iptables is disabled or the service is not running and everything else looks fine, there is no need to remove the package.
