#1 2023-02-27 09:51:59

bepa77
Member
Registered: 2023-02-27
Posts: 2

iptables traffic rules

Hi.

I am trying to get my head around how iptables works. From what I have read online it seems that the default setting for iptables is allow in both directions, instead of the typical allow outgoing, deny incoming. Is this true?

Also I am trying to get my head around incoming traffic if a Linux client's firewall is set to allow all incoming. Does that mean that all ports on the client are reachable from the outside, or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?


#2 2023-02-27 13:40:43

seth
Member
Registered: 2012-09-03
Posts: 51,046

Re: iptables traffic rules

From what I have read online

https://wiki.archlinux.org/title/Iptables

the default setting for iptables is

… to be inert.

instead of the typical allow outgoing deny incoming

"Typical" for what? Windows personal firewalls?

There's a bunch of high level abstractions (ufw, firewalld and others, listed in the wiki)

Does that mean that all ports on the client are reachable from the outside

Are you behind a NAT'ing router?

or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?

If nothing is listening on a specific port, you can't do anything w/ it. WAN, LAN or localhost. Doesn't matter.
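The "inert" default that seth points at is visible in the output of `iptables-save`: every built-in chain of the filter table has policy ACCEPT and there are no rules. The following is an added example (not code from the thread or from the Arch wiki) that parses that format to report chain policies, and builds the minimal "deny incoming, allow outgoing" ruleset in `iptables-restore` syntax that the higher-level tools (ufw, firewalld) end up generating for you. The `INERT_SAVE` text is a constructed sample of a fresh system, and the function names are this example's own.

```python
"""Read chain policies from `iptables-save` output and build a minimal
'deny incoming, allow outgoing' ruleset in the same format (added example)."""
import re

# Constructed sample of `iptables-save -t filter` on a system where nobody has
# touched the firewall: all policies ACCEPT, no rules, i.e. present but inert.
INERT_SAVE = """\
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Chain header line: ":NAME POLICY [packets:bytes]"; user chains carry '-'.
_POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")


def chain_policies(save_output: str) -> dict:
    """Map built-in chain name -> policy for the filter table."""
    policies = {}
    in_filter = False
    for line in save_output.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter:
            m = _POLICY_RE.match(line)
            if m and m.group(2) != "-":
                policies[m.group(1)] = m.group(2)
    return policies


def is_inert(save_output: str) -> bool:
    """True when every filter chain accepts by default and no rule exists."""
    pol = chain_policies(save_output)
    rules = [l for l in save_output.splitlines() if l.startswith("-A ")]
    return bool(pol) and all(p == "ACCEPT" for p in pol.values()) and not rules


def deny_incoming_ruleset(allow_tcp_ports=()) -> str:
    """iptables-restore ruleset: default DROP on INPUT/FORWARD, keep OUTPUT
    open, allow loopback, replies to our own connections (conntrack),
    ICMP, and new connections to the listed TCP ports only."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -p icmp -j ACCEPT",
    ]
    for port in allow_tcp_ports:
        lines.append(
            f"-A INPUT -p tcp --dport {int(port)} -m conntrack --ctstate NEW -j ACCEPT"
        )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("fresh system policies:", chain_policies(INERT_SAVE), "inert:", is_inert(INERT_SAVE))
    print(deny_incoming_ruleset(allow_tcp_ports=(22,)))
```

To check a live box, feed `iptables-save -t filter` into `chain_policies`; to apply the generated text, write it to a file and load it with `iptables-restore` (as root), which is also what the distribution's `iptables.rules` unit expects.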


#3 2023-02-27 15:46:38

mpan
Member
Registered: 2012-08-01
Posts: 1,206

Re: iptables traffic rules

Unlike with some other systems, where you must run a specific service or install third-party software, in Linux the firewall framework is built-in and always running. This should explain to you why the default is allowing all traffic.

All ports are reachable from the outside. Until you start using the firewall: the first step of which usually involves setting the default policy to DROP. This is the equivalent of enabling the firewall on systems where the firewall is not constantly running.

Being behind NAT does not guarantee blocking access to your machine. NAT is not a firewall. While widely deployed implementations coincidentally prevent traffic from reaching your machine, they are never designed with that protection in mind. As such, NAT should not be relied upon if you need actual protection.

A packet arriving at an unbound port⁽¹⁾ with no firewall merely causes an ICMP type 3 packet to be sent back.
____
⁽¹⁾ That is a narrower condition than what Seth mentioned with “listening”! Packets may also arrive at non-TCP and ephemeral ports.


Sometimes I seem a bit harsh — don’t get offended too easily!
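What seth and mpan describe (an unbound port, with no firewall in the way, answers with a refusal: a TCP RST, or for UDP an ICMP type 3 port unreachable) can be observed on loopback without any privileges. The following is an added example, not code from either poster: it starts a throwaway TCP listener and a UDP echo responder on 127.0.0.1, then probes a bound and an unbound port of each kind. Linux reports an incoming ICMP port unreachable on a connected UDP socket as `ECONNREFUSED`, which is what the `udp_probe` function relies on; the "filtered"/"no-answer" outcomes are what you would see instead once a DROP policy is in place. Function names and the 1-second timeout are this example's own choices.

```python
"""Probe loopback ports to show refused (nothing bound) vs. answered
(something bound) for TCP and UDP.  Added example, not from the thread."""
import socket
import threading

LOOPBACK = "127.0.0.1"


def _free_port(kind: int) -> int:
    # Ask the kernel for an unused port of the given type, then release it,
    # so the probe below targets a port with nothing bound to it.
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def _tcp_listener() -> int:
    # Accept exactly one connection in the background, then go away.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _udp_echo() -> int:
    # Echo exactly one datagram back to its sender, then go away.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))

    def run():
        data, peer = srv.recvfrom(64)
        srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def tcp_probe(port: int, timeout: float = 1.0) -> str:
    """'listening' if the handshake completes, 'refused' if the kernel sends
    RST because nothing is bound, 'filtered' if there is no answer at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((LOOPBACK, port))
        return "listening"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def udp_probe(port: int, timeout: float = 1.0) -> str:
    """'answered' if a datagram comes back, 'refused' if an ICMP port
    unreachable arrives (surfaced as ECONNREFUSED on a connected UDP socket),
    'no-answer' if nothing comes back within the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((LOOPBACK, port))
        s.send(b"probe")
        s.recv(64)
        return "answered"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "no-answer"
    finally:
        s.close()


def compare_bound_vs_unbound() -> dict:
    """Probe one bound and one unbound port for each of TCP and UDP."""
    return {
        "tcp_bound": tcp_probe(_tcp_listener()),
        "tcp_unbound": tcp_probe(_free_port(socket.SOCK_STREAM)),
        "udp_bound": udp_probe(_udp_echo()),
        "udp_unbound": udp_probe(_free_port(socket.SOCK_DGRAM)),
    }


if __name__ == "__main__":
    for name, state in compare_bound_vs_unbound().items():
        print(f"{name:12s} {state}")
```

The UDP case is mpan's footnote in action: the socket was never "listening" in the TCP sense, yet the packet still reached the host and was answered by the kernel. Compare with `ss -ltun` to see which ports actually have something bound.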


#4 2023-03-17 10:00:46

bepa77
Member
Registered: 2023-02-27
Posts: 2

Re: iptables traffic rules

seth wrote:

From what I have read online

https://wiki.archlinux.org/title/Iptables

the default setting for iptables is

… to be inert.

instead of the typical allow outgoing deny incoming

"Typical" for what? Windows personal firewalls?
There's a bunch of high level abstractions (ufw, firewalld and others, listed in the wiki)

Typical for most firewalls. I use ufw.

Does that mean that all ports on the client are reachable from the outside

Are you behind a NAT'ing router?

Yes, I use NAT'ing and I am behind a pfSense firewall with block all incoming.

or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?

If nothing is listening on a specific port, you can't do anything w/ it. WAN, LAN or localhost. Doesn't matter.
