* Learning iptables
@ 2009-04-18 12:32 Leonardo Carneiro
From: Leonardo Carneiro @ 2009-04-18 12:32 UTC (permalink / raw)
  To: netfilter

Hi everyone,

I have average-to-good Linux knowledge, but I'm quite a noob when it
comes to iptables, so I decided to study it.
I'm reading a lot of articles and blogs, and testing some rules; so far
it's all going well.
Right now I'm running a server with tons of rules written by the admin
who worked here before me, and in the policies section of the script
I've found these rules:

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X

    $IPTABLES -A INPUT -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -d $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -d $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -s $INET_IP_DIN -j ACCEPT
    $IPTABLES -A OUTPUT -d $INET_IP_DIN -j ACCEPT

    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

Is there any good reason why someone would set an ACCEPT policy for all
chains first to withdraw some later? What is the benefit of doing this?

Sorry about my poor English.

Thanks in advance
-- 

*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarneiro@veltrac.com.br <mailto:lscarneiro@veltrac.com.br>
http://www.veltrac.com.br <http://www.veltrac.com.br/>
/Fone Com.: (43)2105-5600/
/Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/

* Re: Learning iptables
From: Brian Austin - Standard Universal @ 2009-04-18 12:48 UTC (permalink / raw)
  To: Leonardo Carneiro; +Cc: netfilter

Hi,

The only reason I would think of is to allow packets through for the
milliseconds it takes the script to run.

regards

Brian



* Re: Learning iptables
From: Thomas Jacob @ 2009-04-18 12:59 UTC (permalink / raw)
  To: Leonardo Carneiro; +Cc: netfilter

On Sat, Apr 18, 2009 at 09:32:58AM -0300, Leonardo Carneiro wrote:
> Is there any good reason why someone would set an ACCEPT policy for all  
> chains first to withdraw some later? What the benefit of doing this?

If I had to guess at the ruleset author's intentions, I'd say
s/he wanted to prevent service disruptions when reloading the
firewall scripts.

Loading a lot of rules without iptables-restore can take quite some time,
and if you have a DROP policy during the rule loading time,
some packets that your final ruleset would pass through will be dropped.
Also, if your script terminates prematurely, you might not be able
to remotely access your machine anymore.

But then again, you should load your ruleset before you bring up
your network, so the first reason should be irrelevant. And the
second shouldn't really matter after the initial testing phase.


* Re: Learning iptables
From: Leonardo Carneiro @ 2009-04-18 13:20 UTC (permalink / raw)
  To: netfilter

Thanks Thomas and Brian. It was very helpful.
Now I'll continue my journey _o/

Thanks again! =)


* Re: Learning iptables
From: Bruno Moreira Guedes @ 2009-04-18 15:55 UTC (permalink / raw)
  To: netfilter

2009/4/18 Leonardo Carneiro <lscarneiro@veltrac.com.br>:
> Hi everyone,
>
> I have average-to-good Linux knowledge, but I'm quite a noob when it comes
> to iptables, so I decided to study it.
> I'm reading a lot of articles and blogs, and testing some rules; so far it's
> all going well.
> Right now I'm running a server with tons of rules written by the admin who
> worked here before me, and in the policies section of the script I've found
> these rules:
>
>   $IPTABLES -P INPUT ACCEPT
>   $IPTABLES -P OUTPUT ACCEPT
>   $IPTABLES -P FORWARD ACCEPT
>   $IPTABLES -F
>   $IPTABLES -t nat -F
>   $IPTABLES -t mangle -F
>   $IPTABLES -X
>
>   $IPTABLES -A INPUT -s $LO_IP -j ACCEPT
>   $IPTABLES -A OUTPUT -d $LO_IP -j ACCEPT
>   $IPTABLES -A INPUT -s $LAN_IP -j ACCEPT
>   $IPTABLES -A OUTPUT -d $LAN_IP -j ACCEPT
>   $IPTABLES -A INPUT -s $INET_IP_DIN -j ACCEPT
>   $IPTABLES -A OUTPUT -d $INET_IP_DIN -j ACCEPT
>
>   $IPTABLES -P INPUT DROP
>   $IPTABLES -P OUTPUT ACCEPT
>   $IPTABLES -P FORWARD DROP

The main thing I couldn't understand is why add just three ACCEPT
rules to a chain and afterwards set that chain's default policy to ACCEPT.
And also, why set OUTPUT to ACCEPT twice!! Is iptables deaf??

>
> Is there any good reason why someone would set an ACCEPT policy for all
> chains first to withdraw some later? What is the benefit of doing this?
>
> Sorry about my poor English.
>
> Thanks in advance

Anyway, be careful when trusting the old admin's script; make
sure your firewall is safe by reviewing it.

[]'s
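As an added example (not code from the thread), the policy from the original script rewritten as a single iptables-restore table: it addresses Thomas's point that appending rules one by one with a temporary ACCEPT policy leaves a window, and it drops the OUTPUT rules Bruno notes are redundant under an ACCEPT policy. The addresses are constructed placeholders; loopback is matched by interface instead of by `-s $LO_IP`, which is this example's choice rather than the original author's.

```shell
#!/bin/sh
# Added example, not from the thread: the same policy as the original script,
# written as one iptables-restore ruleset so each table is loaded atomically.
# Addresses are constructed placeholders; override them in the environment.
LAN_IP="${LAN_IP:-192.168.1.0/24}"
INET_IP_DIN="${INET_IP_DIN:-203.0.113.5}"

# Emit the ruleset in iptables-save format. The default policy is part of
# each chain header, so there is no "ACCEPT, flush, append, then DROP"
# sequence and no moment in which INPUT accepts everything. Each *table
# block replaces that table's chains entirely (user chains included), which
# covers the original -F / -t nat -F / -t mangle -F / -X steps.
build_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback matched by interface (this example's choice), not by source IP.
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LAN_IP -j ACCEPT
-A INPUT -s $INET_IP_DIN -j ACCEPT
# OUTPUT policy is ACCEPT, so the original's per-destination OUTPUT rules
# could never change a verdict and are left out.
COMMIT
EOF
}

# Load it. iptables-restore commits each table as a unit at its COMMIT line,
# so a rejected rule leaves that table as it was rather than half-built.
apply_ruleset() {
    build_ruleset | iptables-restore
}
```

Run `apply_ruleset` as root to load the ruleset; `build_ruleset` alone only prints it and is safe to inspect first.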


* Re: Learning iptables
From: Amos Jeffries @ 2009-04-18 23:34 UTC (permalink / raw)
  To: Leonardo Carneiro; +Cc: netfilter

Leonardo Carneiro wrote:
> Thanks Thomas and Brian. It was very helpful.
> Now I'll continue my journey _o/
> 
> Thanks again! =)

People rarely mention this, but I've found it extremely helpful for
grokking some of the tutorials:
   http://l7-filter.sourceforge.net/PacketFlow.png

AYJ


-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
