09-18-2003 #1 | Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27
IPtables, backwards?
Hello,
I'm new to IPTables and am setting it up on my Linux box. As I read more on it I'm getting confused about the basic operation. Most of the rule sets I've examined have the following three lines at the top:
input ACCEPT
forward ACCEPT
output ACCEPT
followed by various other rules also with lines that ACCEPT. I am guessing I'm missing something basic here. I would think that the first lines should be all DENY and then specific ACCEPT lines. The basic premise would be to deny everything and then open holes as necessary. What am I missing? Why aren't the first three lines like below?
input DENY
forward DENY
output DENY
Thank you for any help.
09-18-2003 #2 | Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284
Re: IPtables, backwards?
Because you have not set deny as your default policy.
For each chain, you can have either ACCEPT or DENY as the "default" (as shown in the first 3 lines of iptables -L).
To set the default, use:
iptables -P INPUT <option>
iptables -P OUTPUT <option>
iptables -P FORWARD <option>
where <option> is either ACCEPT or DENY.
Be careful of just denying everything without allowing stuff out, as you will totally block your connection, and you won't even be able to access websites etc. (If this happens, iptables -P <table> ACCEPT for each, until you get it sorted.)
Jason
09-18-2003 #3 | Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27
I guess what I'm asking is, if for example you only wanted to allow browsing and nothing else, couldn't your rules file be simply the following 4 lines?
iptables -P INPUT DENY
iptables -P OUTPUT DENY
iptables -P FORWARD DENY
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
This would deny all incoming and outgoing except for port 80? If you wanted to allow other protocols, all you would need to do is add an ACCEPT line for each protocol? What would be the need for any further DENYs?
09-18-2003 #4 | Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284
I would do it like this:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# iptables names this policy DROP (DENY was the ipchains name; iptables -P rejects it)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

That *should* do the trick, and yes, from that point forward, you only need "allow" statements.
Jason
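A fuller version of the default-deny "browsing only" ruleset discussed in this thread, as an added example (not the thread's own code). It assumes DROP as the policy name (DENY is the ipchains name and iptables rejects it), and it goes beyond the post above by also allowing loopback and ESTABLISHED traffic on OUTPUT, DNS, and HTTPS, all of which a browsing-only box needs once OUTPUT defaults to DROP. By default it only prints the commands it would run, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: default-deny ruleset for a browsing-only box, built so it can
# be reviewed before it is applied. IPT defaults to a dry run that prints the
# commands; run with IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

# Built-in chains accept only ACCEPT or DROP as a policy.
# DENY was the ipchains name; iptables -P fails on it with "Bad policy name".
valid_policy() {
    case "$1" in
        ACCEPT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# Rules first, default policies last: the deny policy only takes effect once
# the rules that keep your own session and DNS working are already in place.
apply_browsing_only() {
    policy="${1:-DROP}"
    valid_policy "$policy" || { echo "bad policy name: $policy" >&2; return 1; }

    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD

    # Loopback in both directions (covers all of 127.0.0.0/8, not just /24).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The NEW rules below only admit the first packet of a connection; every
    # later packet of the same connection, in either direction, matches here.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections only: DNS (browsing by name needs it), HTTP, HTTPS.
    $IPT -A OUTPUT -p udp --dport 53  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Everything not matched above hits the default policy.
    $IPT -P INPUT   "$policy"
    $IPT -P OUTPUT  "$policy"
    $IPT -P FORWARD "$policy"
}

# Dry run by default: prints exactly what would be applied.
apply_browsing_only
```

Nothing inbound is opened at all; inbound services would each need their own INPUT rule on top of this.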
09-19-2003 #5 | Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27
Thanks,
That makes sense to me.