iptables firewall
I followed the iptables guide at
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:22 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:domain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED multiport dports www,https multiport sports 1024:65535
DROP all -- anywhere anywhere
I'm basically worried about the `ACCEPT all' rules in the filter tables and I'm wondering if they are what they appear to be - and if so, why?
Should I be worried?
5 Replies
@davejones:
Should I be worried?
Probably not. If you are using the script from the wiki then that rule is accepting packets from loopback (your own machine). Run your iptables list with a "-v" so it shows the interfaces and packet counts so you can see if everything is hitting that first rule or not.
You need to change your default policy to REJECT or DROP for the rules to actually matter:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Forgive me if I'm telling you something you already know, but you didn't mention it in your post, so I figured I better say something…
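As an added example (not code from the thread or the wiki script), this Python audit applies the advice above: it reads `iptables -L -v -n` output, where the interface columns are visible, distinguishes an `ACCEPT all` bound to `lo` from one that matches every interface, and checks that the chain is closed by a DROP/REJECT policy or a final catch-all DROP/REJECT rule. The sample output is constructed to resemble the INPUT chain in the question.

```python
import re

# Constructed sample of `iptables -L INPUT -v -n` output (not from the thread).
# With -v the "in"/"out" columns show the first ACCEPT rule is bound to lo.
SAMPLE_INPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   12   960 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 state NEW
  500 40000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
ANY = "0.0.0.0/0"
KEYS = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "match"]

def parse_chain(text):
    """Return (policy, rules) for one chain of `iptables -L -v -n` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy = re.match(r"Chain \S+ \(policy (\S+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                    # skip the "Chain" and header lines
        fields = line.split(None, 9)          # 9 columns plus trailing match text
        fields += [""] * (10 - len(fields))   # rules without extra match text
        rules.append(dict(zip(KEYS, fields)))
    return policy, rules

def is_catch_all(rule):
    """True when the rule matches every packet on every interface."""
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == ANY and rule["dst"] == ANY and rule["match"] == "")

def audit_chain(text):
    """Flag unrestricted ACCEPT rules and report whether the chain ends in a deny."""
    policy, rules = parse_chain(text)
    findings = []
    for i, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT":
            continue
        if is_catch_all(r):
            findings.append(f"rule {i}: ACCEPT all on every interface (unrestricted)")
        elif r["prot"] == "all" and r["in"] == "lo" and r["match"] == "":
            findings.append(f"rule {i}: ACCEPT all is loopback-only (safe)")
    # Closed if the policy denies, or the last rule is a catch-all DROP/REJECT.
    closed = policy in ("DROP", "REJECT") or (
        rules and rules[-1]["target"] in ("DROP", "REJECT") and is_catch_all(rules[-1]))
    if not closed:
        findings.append("chain does not end in DROP/REJECT and policy is ACCEPT")
    return findings
```

Run it against `sudo iptables -L INPUT -v -n` output on the host being checked; without `-v` the interface column is missing, which is why the non-verbose listing in the question looks alarming.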
@jsr:
The final rule is to drop everything, which basically accomplishes the same thing as setting the default.
Ah, yes… Ignore me :oops: