You are not logged in.

#1 2023-02-27 09:51:59

bepa77
Member
Registered: 2023-02-27
Posts: 2

iptables traffic rules

Hi.

I am trying to get my head around how iptables work. From what I have read online it seems that the default setting for iptables is allow in both directions, instead of the typical allow outgoing deny incoming. Is this true?

Also I am trying to get my head around incoming traffic if a linux clients firewall is set to allow all incoming. Does that mean that all ports on the client are reachable from the outside, or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?

Offline

#2 2023-02-27 13:40:43

seth
Member
Registered: 2012-09-03
Posts: 53,337

Re: iptables traffic rules

From what I have read online

https://wiki.archlinux.org/title/Iptables

the default setting for iptables is

… to be inert.

instead of the typical allow outgoing deny incoming

"Typical" for what? Windows personal firewalls?

There's a bunch of high level abstractions (ufw, firewalld and others, listed in the wiki)

Does that mean that all ports on the client are reachable from the outside

Are you behind a NAT'ing router?

or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?

If nothing is listening on a specific port, you can't do anything w/ it. WAN, LAN or localhost. Doesn't matter.

Offline

#3 2023-02-27 15:46:38

mpan
Member
Registered: 2012-08-01
Posts: 1,230
Website

Re: iptables traffic rules

Unlike with some other systems, where you must run a specific service or install third-party software, in Linux the firewall framework is built-in and always running. This should explain to you, why the default is allowing all traffic.

All ports are reachable from the outside. Until you start using the firewall: the first step of which usually involves setting the default policy to DROP. This is equivalent of enabling firewall in systems, where firewall is not constantly running.

Being behind NAT does not guarantee blocking access to your machine. NAT is not a firewall. While widely deployed implementations coincidentally prevent traffic from reaching your machine, they are never designed with that protection in mind. As such NAT should not be relied upon, if you need actual protection.

A packet arriving at an unbound port⁽¹⁾ with no firewall is merely causing an ICMP type 3 packet to be sent back.
____
⁽¹⁾ That is a narrower condition than what Seth mentioned with “listening”! Packets may also arrive at non-TCP and ephemeral ports.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#4 2023-03-17 10:00:46

bepa77
Member
Registered: 2023-02-27
Posts: 2

Re: iptables traffic rules

seth wrote:

From what I have read online

https://wiki.archlinux.org/title/Iptables

the default setting for iptables is

… to be inert.

instead of the typical allow outgoing deny incoming

"Typical" for what? Windows personal firewalls?
There's a bunch of high level abstractions (ufw, firewalld and others, listed in the wiki)

Typical for most firewalls. I use ufw.

Does that mean that all ports on the client are reachable from the outside

Are you behind a NAT'ing router?

Yes, I use NAT'ing and I am behind a Pfsense firewall with block all incoming.

or do you have to have a service or application listening on a specific port on the client for that port (and only that port) to be reachable for others?

If nothing is listening on a specific port, you can't do anything w/ it. WAN, LAN or localhost. Doesn't matter.

Offline

Board footer

Powered by FluxBB