  1. #1
    Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27

    IPtables, backwards?


    Hello,

    I'm new to IPTables and am setting it up on my Linux box. As I read more on it I'm getting confused about the basic operation. Most of the rule sets I've examined have the following three lines at the top

    input ACCEPT
    forward ACCEPT
    output ACCEPT

    followed by various other rules also with lines that ACCEPT. I am guessing I'm missing something basic here. I would think that the first lines should be all DENY and then specific ACCEPT lines. The basic premise would be to deny everything and then open holes as necessary. What am I missing, why aren't the first three lines like below?

    input DENY
    forward DENY
    output DENY

    Thank you for any help.

  2. #2
    Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284

    Re: IPtables, backwards?

    Because you have not set deny as your default policy.

    For each chain, you can have either ACCEPT or DENY as the "default" (as shown in the first 3 lines of iptables -L).

    To set the default, use:
    iptables -P INPUT <option>
    iptables -P OUTPUT <option>
    iptables -P FORWARD <option>

    where <option> is either ACCEPT or DENY.

    Be careful of just denying everything without allowing stuff out, as you will totally block your connection, and you won't even be able to access websites etc. (if this happens, iptables -P <table> ACCEPT for each, until you get it sorted).

    Jason

  3. #3
    Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27
    I guess what I'm asking is, if for example you only wanted to allow browsing and nothing else, couldn't your rules file be simply the following 4 lines?

    Code:
    # iptables spells the deny policy DROP (DENY was the ipchains name)
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # ipchains-style "80 -p tcp -y" becomes "-p tcp --dport 80 --syn" in iptables
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 80 --syn -j ACCEPT

    This would deny all incoming and outgoing except for port 80? If you wanted to allow other protocols all you would need to do is add an ACCEPT line for each protocol? What would be the need for any further DENYs?

  4. #4
    Linux Guru | Join Date: Apr 2003 | Location: London, UK | Posts: 3,284
    I would do it like this:

    Code:
    # start from empty chains
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    # default deny on every chain; iptables calls the policy DROP, not DENY
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # let loopback traffic in
    iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT
    # let replies to connections this box opened back in
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the one hole: outbound HTTP
    iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT
    That *Should* do the trick, and yes, from that point forward, you only need "allow" statements.

    Jason

  5. #5
    Just Joined! | Join Date: Sep 2003 | Location: Laurel, MD | Posts: 27
    Thanks,

    That makes sense to me.
