  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3

    [SOLVED] Iptables Rule Question


    Hi,

    I was wondering what this rule does in my iptables:

    Code:
    ACCEPT     all  --  anywhere             anywhere
    I ask because I have been told my server is very susceptible to DOS attacks and I need to remedy the problem immediately. Here is my whole iptables output:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:radan-http 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcsync-https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    To me, it looks like that line will accept any protocol from any address on any port. I think this might be the reason for the susceptibility to DOS attacks.

    Thanks for any help
    Last edited by Redman; 09-24-2008 at 09:43 PM.

  2. #2
    Linux Enthusiast
    Join Date
    Oct 2004
    Posts
    609
    Configuring iptables by hand can be nerve-wracking.
    You could, more easily, use a graphical application to configure it.
    For example Firestarter.

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3
    Using Firestarter is not really an option as I configure the system through SSH. I guess I'll just back up the current config and give deleting it a try.

  4. #4
    Just Joined! bclark4444
    Join Date
    Dec 2003
    Posts
    55
    Looks like you have an 'open door' policy going on. The INPUT chain is handled sequentially until it finds a rule that fits, and your rule "ACCEPT all -- anywhere anywhere" without any previous REJECTs fits everything. So, basically, you could save some CPU cycles by turning off your firewall because it's not blocking anything right now anyway.

    I strongly agree with Redman that configuring a firewall by hand is daunting, and I would also add that it's error-prone, especially for someone without a high level of knowledge of how it works. Judging by that ALLOW policy, I'm assuming that you have limited experience with iptables. With that being said, if you are still determined to do this manually, then here are some guidelines.

    1) Make sure your last rule in the INPUT chain is
    REJECT all -- anywhere anywhere
    This blocks everything unless a previous rule allows it through. I have found this to be the least error prone way.

    2) add in specific rules before that final REJECT to allow only what you want through. For example, add an ACCEPT for port 80 if you want to allow in http traffic, etc.
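    As an added illustration of the first-match walk described in this reply (example code, not from the thread): a small Python model that parses an `iptables -L` style listing, assumes the column layout shown in the original post, and reports both the verdict a sample packet would get and which rules the catch-all ACCEPT makes unreachable. The listing below is a constructed, shortened copy of the poster's INPUT chain.

```python
import re
# Constructed sample in `iptables -L` format: the INPUT chain from the post, shortened.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""
# The same chain with the catch-all ACCEPT deleted (what the fix discussed here amounts to).
FIXED = "\n".join(l for l in SAMPLE.splitlines()
                  if not re.match(r"ACCEPT\s+all\s+--\s+anywhere\s+anywhere\s*$", l))
def parse_chain(listing):
    """Return (default policy, rules); 'reject-with' is a target option, not a match."""
    lines = [l for l in listing.splitlines() if l.strip()]
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip "Chain ..." and the column header
        target, prot, _opt, src, dst, *rest = line.split(None, 5)
        extra = re.sub(r"reject-with \S+", "", rest[0] if rest else "").strip()
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return policy, rules
def matches(rule, pkt):
    """Match the forms seen in the listing: protocol, 'tcp dpt:NAME' and 'state A,B'."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    port = re.search(r"dpt:(\S+)", rule["extra"])
    if port and port.group(1) != pkt.get("dport"):
        return False
    state = re.search(r"state (\S+)", rule["extra"])
    if state and pkt["state"] not in state.group(1).split(","):
        return False
    return True
def verdict(listing, pkt):
    """First matching rule wins (returned with its 1-based number); else the chain policy applies."""
    policy, rules = parse_chain(listing)
    for num, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], num
    return policy, None
def shadowed(listing):
    """Targets of rules no packet can reach because an earlier rule matches every packet."""
    _, rules = parse_chain(listing)
    for num, rule in enumerate(rules):
        if rule["prot"] == "all" and not rule["extra"]:   # any protocol, no match extension
            return [r["target"] for r in rules[num + 1:]]
    return []
```

With the original chain a new TCP connection to an unlisted port is accepted by rule 4; with the catch-all removed the same packet falls through to the final REJECT, and the ssh rule becomes reachable again.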

  5. #5
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3
    Hi,

    Thanks for the helpful response. That is exactly what I suspected but I just want confirmation from another source.
