Hi,
I was just reviewing my iptables rules, and saw that a rule exists on the INPUT chain that grants access to everything.
ACCEPT all -- anywhere anywhere
I have chased it down to this part of my script:
iptables -A INPUT -i lo -j ACCEPT
Anyone know why this happens?
My script is listed below
#!/bin/sh
IPTABLES=/usr/sbin/iptables
# start by flushing the rules
$IPTABLES -F
# Delete all chains
$IPTABLES -X
# set default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# allow outgoing traffic (not really necessary)
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
# allow established and related connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Listing the rules gives me this
[root@archer ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Everywhere I look on the Internet, it just states that the loopback rule is necessary for some programs to run. I can't find anything about the behaviour I am seeing here.
Last edited by madeye (2009-07-19 16:02:01)
MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage
Run 'iptables -nvL' and it will have a column for the 'in' and 'out' interfaces. You will see 'lo' listed under the 'in' column for that rule.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
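The `iptables -L` listing above hides the interface match; `-v` (as in `iptables -nvL`) adds the in/out columns, and `iptables -S` or `iptables-save` print every rule with all of its matches as typed, which is the form to audit from a script. The following POSIX shell script is an added example, not code from the thread or the Arch wiki: it reads a ruleset in iptables-save format (the same format iptables-restore consumes) and reports ACCEPT rules that carry no restricting match at all, the only rules that genuinely accept "anywhere anywhere". Both rulesets inside it are constructed samples, one mirroring the script posted above and one with a deliberately inserted unrestricted rule; the function name unqualified_accepts is my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ruleset in iptables-save
# format. Unlike `iptables -L` without -v, this format keeps every match,
# including `-i lo`, so a rule is "accept everything" only if it has no
# restricting match at all.

# Constructed sample: what `iptables-save` prints for the script in the
# thread. The INPUT ACCEPT that `iptables -L` showed as
# "ACCEPT all -- anywhere anywhere" is visibly qualified by `-i lo`.
THREAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT'

# Constructed sample (hypothetical) with real problems: two INPUT rules
# accept everything, one of them dressed up with a comment match, which
# restricts nothing.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -m comment --comment "debug" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# unqualified_accepts CHAIN: read iptables-save text on stdin and print each
# `-A CHAIN ... -j ACCEPT` rule that has no restricting match. Interface
# (-i/-o), address (-s/-d), protocol (-p) and any -m extension other than
# `comment` count as restrictions. Exit status is 0 either way; the printed
# lines are the findings.
unqualified_accepts() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            accept = 0
            qualified = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "ACCEPT")
                    accept = 1
                if ($i == "-i" || $i == "-o" || $i == "-s" || $i == "-d" || $i == "-p")
                    qualified = 1
                if ($i == "-m" && $(i + 1) != "comment")
                    qualified = 1
            }
            if (accept && !qualified) print
        }'
}

# Stand-alone run: audit both samples. On a live host, pipe the real thing:
#   iptables-save | unqualified_accepts INPUT
for chain in INPUT FORWARD; do
    echo "thread ruleset, chain $chain:"
    printf '%s\n' "$THREAD_RULES" | unqualified_accepts "$chain"
    echo "bad ruleset, chain $chain:"
    printf '%s\n' "$BAD_RULES" | unqualified_accepts "$chain"
done
```

Run against the thread's ruleset the check prints nothing for INPUT, because the `-i lo` match is preserved in this format; against the second sample it prints exactly the two unrestricted rules. The same script works unchanged on `ip6tables-save` output.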
Thanks a lot for the help.
You know I even have the pocket reference for iptables, but didn't find anything about that in there.
OK, I also wasn't sure what I should look for.
Is there a decent book that describes IPtables thoroughly?
Last edited by madeye (2009-07-17 08:49:52)
man iptables
btw: possibly I'll get a simple iptables script and upload it for next weekend.
Last edited by quarkup (2009-07-19 10:57:55)
If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.
Yes there is the man page, but it is not very decent at describing iptables. What I mean is, it's a fine command overview but not very educational. You have to know exactly what to look for to find what you need.
I'd like to see your script. Then I can compare it to my other script that I use sometimes. It's a little larger than the one I've shown in this thread.
okay, it's in the wiki now (http://wiki.archlinux.org/index.php/Sim … wall_HOWTO)
Thank you for the wiki, this is great!
I especially liked the 'Protection against common attacks' section. I always liked to setup my own rules but was not aware of these things.
For my own scripts I use iptables-save / iptables-restore. So, as an alternative to calling iptables, something like this is also possible:
#!/bin/sh
LoopbackInterface=lo
# Ruleset in iptables-save format; the same text is fed to both
# iptables-restore and ip6tables-restore below.
TheRules=\
"*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:InputProtection - [0:0]
-A INPUT -j InputProtection
-A INPUT -i $LoopbackInterface -j ACCEPT
-A OUTPUT -o $LoopbackInterface -j ACCEPT
# Drop TCP packets that try to open a new connection without the SYN flag
-A InputProtection -p tcp ! --syn -m state --state NEW -j DROP
COMMIT"
echo "$TheRules" | sudo iptables-restore
echo "$TheRules" | sudo ip6tables-restore