[ale] Gory-detail Q: iptables rule not obvious when listed
Bob Toxen
bob at verysecurelinux.com
Tue Oct 28 00:17:37 EST 2003
On Sat, Oct 25, 2003 at 01:05:49PM -0400, John Mills wrote:
> ALErs -
>
> Environment: Slackware-9.1
> Objective: drop packets from NEW connections that originate at ppp*
> Approach: fragment of iptables setup script _almost_ straight from
> HOWTO...
>
> echo "Creating filter chain"
> # Create chain which blocks new connections, except if coming from inside
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp+ -j ACCEPT
> iptables -A block -j DROP
>
> echo "Linking blocking chain to INPUT and FORWARD"
> # Jump to that chain from INPUT and FORWARD chains.
> iptables -I INPUT 1 -j block
> iptables -I FORWARD 1 -j block
>
> Result displayed by 'iptables -L':
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> block all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> block all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain block (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state \
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> DROP all -- anywhere anywhere
>
> Questions:
> Q1) In the second-to-last line of the listing, I expected to see a
> reflection to my source qualifier "-s ! ppp+". Should I see something
> like that?
Yup. That is the problem. Enter the line by hand and see if an
error is generated. Check the order of parameters. Try adding that
rule (just for testing) directly to the FORWARD chain and see if it
appears correct. Send some packets around and then do:
iptables -L -n -v --line-numbers
and check the packet counts for each rule. Analyze.
> Q2) I set up my script to "Insert" (-I) my filter 'block' as the first
> line of the targets INPUT and FORWARD, but the HOWTO used "Append"
> (-A). Was I right to use '-I'?
That depends on what order you want the rules in. The default is to
use -A to add rules to the end of the list and generally to put in blocking
rules before allow rules.
> TIA.
>
> - John Mills
> john.m.mills at alum.mit.edu
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
Stuck in New Jersey working for the week.
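The verbose listing Bob recommends shows the in/out interface columns and per-rule packet counters that the plain 'iptables -L' in John's mail leaves out, which is why the "-i ! ppp+" match seemed to vanish. Added example, not part of either poster's mail: a small Python audit that parses such a listing (the sample output below is constructed for this example, not captured from John's machine) and flags any ACCEPT rule for state NEW whose input interface is unrestricted ('*').

```python
"""Parse `iptables -L -n -v --line-numbers` output and audit NEW-state ACCEPT rules.

The plain `iptables -L` listing hides interface matches, so `-i ! ppp+` is
invisible; the verbose listing shows it in the `in` column, plus counters.
SAMPLE_LISTING is constructed for this example, not real captured output.
"""
import re

SAMPLE_LISTING = """\
Chain block (2 references)
num   pkts bytes target  prot opt in     out  source     destination
1      120  9600 ACCEPT  all  --  *      *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2       15   900 ACCEPT  all  --  !ppp+  *    0.0.0.0/0  0.0.0.0/0  state NEW
3        3   180 DROP    all  --  *      *    0.0.0.0/0  0.0.0.0/0
"""


def parse_listing(text):
    """Return {chain: [rule dicts]}, keeping the columns only -v shows."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        parts = line.split(None, 10)  # 10 fixed columns; remainder is match text
        if current is None or not parts or not parts[0].isdigit():
            continue  # column header or blank line
        num, pkts, _byt, target, prot, _opt, in_if, out_if, src, dst = parts[:10]
        current.append({"num": int(num), "pkts": int(pkts), "target": target,
                        "prot": prot, "in": in_if, "out": out_if, "src": src,
                        "dst": dst, "match": parts[10] if len(parts) > 10 else ""})
    return chains


def audit(chains):
    """Flag ACCEPT rules for state NEW that accept from any input interface."""
    findings = []
    for chain, rules in chains.items():
        for r in rules:
            if (r["target"] == "ACCEPT" and r["in"] == "*"
                    and re.search(r"\bNEW\b", r["match"])):
                findings.append(f"{chain} rule {r['num']}: accepts NEW from any interface")
    return findings


if __name__ == "__main__":
    for r in parse_listing(SAMPLE_LISTING)["block"]:
        print(r["num"], r["target"], "in=" + r["in"], "pkts=" + str(r["pkts"]), r["match"])
    print(audit(parse_listing(SAMPLE_LISTING)) or "no unrestricted NEW-accept rules")
```

Run it against the real output of 'iptables -L -n -v --line-numbers' after sending some traffic, as Bob suggests, and compare the per-rule pkts counters with what you expected each rule to match.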