IPtables, backwards?

Printable View

09-18-2003
thllgo

IPtables, backwards?

Hello,

I'm new to IPTables and am setting it up on my Linux box. As I read more on it I'm getting confused about the basic operation. Most of the rule sets I've examined have the following three lines at the top

input ACCEPT
forward ACCEPT
output ACCEPT

followed by various other rules also with lines that ACCEPT. I am guessing I'm missing something basic here. I would think that the first lines should be all DENY and then specific ACCEPT lines. The basic premise would be to deny eveything and then open holes as necessary. What am I missing, why aren't the first three lines like bellow?

input DENY
forward DENY
output DENY

Thank you for any help.
09-18-2003
jasonlambert

Re: IPtables, backwards?

Quote:

Originally Posted by thllgo

Hello,

I'm new to IPTables and am setting it up on my Linux box. As I read more on it I'm getting confused about the basic operation. Most of the rule sets I've examined have the following three lines at the top

input ACCEPT
forward ACCEPT
output ACCEPT

followed by various other rules also with lines that ACCEPT. I am guessing I'm missing something basic here. I would think that the first lines should be all DENY and then specific ACCEPT lines. The basic premise would be to deny eveything and then open holes as necessary. What am I missing, why aren't the first three lines like bellow?

input DENY
forward DENY
output DENY

Thank you for any help.

because you have not set deny as your default policy.

For each chain, you can have either ACCEPT or DENY as the "default" (as shown in the first 3 lines of iptables -L).

To set the default, use:
iptables -P INPUT <option>
iptables -P OUTPUT <option>
iptables -P FORWARD <option>

where <option> is either ACCEPT or DENY.

Becareful of just denying everything without allowing stuff out, as you will totally block your connection, and you wont even be able to access websites etc. (if this happens, iptables -P <table> ACCEPT for each, until you get it sorted).

Jason
09-18-2003
thllgo

I guess what I'm asking is, if for example you only wanted to allow browsing and nothing else, couldn't your rules file be simply the following 4 lines?

iptables -P INPUT DENY
iptables -P OUTPUT DENY
iptables -P FORWARD DENY
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT

This would deny all in-comming and out-going except for port 80? If you wanted to allow other protocols all you would need to do is add an ACCEPT line for each protocol? What would be the need for any further DENYs?
09-18-2003
jasonlambert

I would do it like this:

Code:

iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -P INPUT DENY iptables -P OUTPUT DENY iptables -P FORWARD DENY iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

That *Should* do the trick, and yes, from that point forward, you only need "allow" statements.

Jason
09-19-2003
thllgo

Thanks,

That makes sense to me.